The research examined cookies, identifiers, and other data stored on Android handsets by Google Play Services, the Google Play Store, and other pre-installed Google apps. When a user searches within the Google Play Store, “sponsored” results contain tracking links that inform Google when clicked, which shows the connections fetching search results with embedded ad tracking links. The findings by the SCSS analysts revealed that Google servers send and store multiple tracking identifiers on handsets immediately after factory reset, before users ever interact with any Google app. The study by Professor D.J. Leith from Trinity College Dublin, documents for the first time how pre-installed Google apps silently track users without seeking consent or providing any opt-out options. Google collects and stores significant amounts of user data on Android devices, even when users haven’t opened any Google apps. The research also documented Google’s use of NID cookies across multiple apps, server tokens for A/B testing, and various authorization tokens that effectively log users into numerous Google services silently. Measurements were conducted using a Google Pixel 7 running Android 14 with the latest available builds of Google Play Services and Google Play Store apps. DSID advertising analytics cookies are sent by googleads.g.doubleclick.net and stored in the Google Play Services data folder. The Google Android ID, a persistent device identifier, is stored in multiple locations including shared_prefs/Checkin.xml and transmitted in numerous connections to Google servers. “Users currently have little control over the data that apps store on an Android handset,” notes Professor Leith in the study.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 06 Mar 2025 09:25:21 +0000