Google’s latest flagship smartphone is raising concerns about user privacy and security. Users’ personal data is often sent to the tech giant before the app is installed. Additionally, CyberNews’ research team found that it may have remote management capabilities without the user’s knowledge or approval.
Cybernews researchers analyzed the web traffic of the new Pixel 9 Pro XL smartphones, focusing on what the new smartphones send to Google.
“Google Pixel 9 Pro XL sends a data packet to Google every 15 minutes. The device shares location information, email address, phone number, network status, and other telemetry. Even more concerning. , which can pose a security risk as your phone periodically attempts to download and execute new code,” said CyberNews security researcher Aras Nazarovas.
Cybernews contacted Google about these findings. However, no response was received before publication.
Important points
– Personal information such as a user’s email address, phone number, location, app list, and other telemetry and statistics were repeatedly sent in the background.
– The phone constantly requests new “experiments and configurations”, attempts to access the staging environment, and connects to device management and policy enforcement endpoints. This hints at Google’s remote control capabilities.
– Pixel devices were connected to services, such as face grouping endpoints, that were not used and for which explicit consent was not given, raising privacy and ownership concerns.
– Calculator apps can, in some circumstances, leak calculation history to unauthenticated users with physical access.
methodology
Researchers used a “man-in-the-middle” approach to intercept traffic between the new Pixel 9 Pro XL and Google’s servers.
On a brand new phone with a new Google account and default settings, I installed the Magisk app to gain deep (root) access to the phone’s system. The researchers then proxyed incoming and outgoing traffic and used custom security certificates to decrypt and inspect the communications.
Rooting your phone may disable AI features such as Google Gemini Assistant, Pixel Studio, and other features. Therefore, it was not possible to capture the complete traffic using this method.
The collected traffic was not modified at any point, and the researchers did not manually interact with the endpoints or attempt to verify the captured secrets.
Mobile phones send data periodically
Web traffic analysis allows Pixel devices to continuously send personally identifiable information (PII), such as your email address, phone number, and location, to various Google endpoints such as device management, policy enforcement, and face grouping. It turned out that it was sending.
Every 15 minutes, the device sends a regular authentication request to an endpoint called “auth.”
The phone also requests a “check-in” endpoint approximately every 40 minutes, allowing the phone to check information such as the firmware version, whether it’s connected to WiFi or using mobile data, the SIM card carrier, and the user’s email. Lists enabled low-level features. address.
Location data is included in requests even if GPS is disabled. In that case, your phone relies on nearby Wi-Fi networks to estimate its location.
“The Pixel 9 Pro XL repeatedly uses PII for authentication, configuration, and logging. This practice is inconsistent with industry best anonymization practices and appears excessive. We send your email address, location, and phone number, among other various user and device identifiers,” Nazarovas said.
Location information and other sensitive data can be essential to many of Google’s services and features, including newly introduced car crash detection.
Communicate with the Service without your express consent
Another worrying observation is communication with services that the user has not explicitly consented to.
The CyberNews researchers never opened the photo app or took any photos. Still, Pixel devices regularly connected to endpoints associated with Google Photos’ face grouping feature without asking for consent.
“These services are particularly sensitive because the endpoints are used to process biometric data, such as facial recognition. There were no photos on the test device, so no personally identifiable information can be transferred to these We did not observe it being sent to the endpoint,” Nazarovas said.
Another Google feature, voice search, was connecting to servers sporadically. Sometimes we were unable to communicate, sometimes every few minutes, sometimes for hours.
Excessive and sensitive data could be sent, including the number of device reboots, the amount of time since power-on, and the list of apps installed on the device (including sideloaded apps).
The researchers only tested the accounts with default settings and did not see how the devices reacted to changes to privacy and security settings.
The phone constantly checks for new code to run
Google appears to be reserving some remote management and control features for Pixel devices.
Most Android smartphones come with a built-in “CloudDPC” package. This is used to manage corporate devices, including changing security policies, remotely distributing apps, and erasing data.
“Worryingly, CloudDPC was observed accessing Google’s servers, which could potentially allow companies to control settings and take actions on regular consumer devices if they so desired. “If a vendor can make changes without the user’s knowledge or consent, the user appears to have no control over the device,” Nazarovas said.
Additionally, Pixel devices periodically call the staging environment service (‘enterprise-staging.sandbox’) to attempt to download assets that do not yet exist.
This reveals that new software packages can be installed remotely.
“This is concerning because development and staging environments are considered less secure and private. If a malicious attacker gains access to or impersonates a development endpoint, “This situation could lead to data injection and remote code execution on Pixel devices,” Nazarovas said.
The Pixel smartphone also maintained near-constant connectivity to the experiment and configuration endpoints.
The researchers noted that experiment endpoints could be used for A/B testing, trying out new user interface elements, or advertising campaigns to a small subset of users for a limited period of time.
“All these services indicate that Pixel 9 Pro XL owners may not be able to reliably manage their devices or control what is installed or removed. During the experiment, they may not be able to perform harmful actions. was not observed. However, existing infrastructure could be used to remotely control devices or install new software,” Nazarovas said.
On the positive side, not a single data packet was sent to a third party during the observation period.
The phone also continued to request updates from Google’s servers for known fraud-related phone numbers, presumably for call screening functionality. The device rotates encryption keys every 24 hours.
Calculator omission
Researchers observed another potentially dangerous aspect when using phones. If your Pixel device is locked, you can access the Calculator app from the notification tray widget. When you launch the unrestricted version of the app, you will see your calculator history. Although it is not the most sensitive data, you must ensure that this data is not available to bypassers.
“User data could not be accessed without first unlocking the device, with the only exception being the calculator. It is important to note that notification tray widgets are not enabled by default. Users have to manually add it to their list of shortcuts,” Nazarovas said.
conclusion
Pixel 9 Pro XL focuses on AI capabilities, offering cutting-edge features and Google Assistant integration, raising the bar for innovation. However, it also raises concerns about user privacy and control being compromised.
“Given the amount of data transmitted and the possibility of remote management, questions arise as to who is the true owner of the device. The user may have paid, but the monitoring system Because it is deeply integrated, it can leave users vulnerable to privacy violations,” Nazarovas said.
CyberNews researchers believe the potential benefits outweigh the potential risks. However, as technology evolves, it has become imperative for businesses to ensure transparency, protection, and user control.
Google is a publicly traded company valued at over $2 trillion. The technology company started as a search engine and later grew into a conglomerate offering advertising services, hardware, cloud computing, e-commerce solutions, AI, and more. Google was recently found guilty of establishing a search monopoly, and the case is still ongoing.
News.AZ
