Occasionally, Android Authority receives a question from a reader. We answer as many as we can, and sometimes we think a public answer might actually be better than replying in private.
Here’s a slightly edited question we received by email from Steve (not his real name), over the holidays:
My “definition” of security is trying to stay as far away as possible from Google and Apple — I despise both companies’ invasion of privacy by tracking the phones, searches, data, etc. The idea of the information from every phone that goes to these companies is abhorrent to me. I have used BlackBerry to try to avoid that. Do you know if the new Blackberry/Android products still “report” to Google like the other Android phones?
Gaining a more complete understanding of how your personal data and privacy mix with Android is well worth exploring, so here we go.
Android has been installed on more than two billion devices around the world, mostly smartphones. That’s incredible reach. They’re not all listening to us and reporting back to Google, though they’re not exactly secure (more on that, shortly).
Android, or the Android Open Source Project (AOSP), is led by Google, which maintains and further develops the codebase, as an open-source software project. Google markets its maintenance and progression of the project as part of their belief that everyone can and should have access to the internet.
Android is open—except for all the good parts
It is altruistic, but it is also business. The way Google makes money is from having people on the web and on mobile, clicking its ads. This accounts for approximately 90 percent of parent company Alphabet’s revenue.
AOSP means anyone — you, me, the next great smartphone company — can download the Android source code, fork it, mod it, and utilize it. The Google’s approach is very different to Apple, which sells iOS on devices as an exclusive, locked-down ecosystem.
Many feel Android has slowly become more of a “Look but don’t touch” shared-source platform, rather than truly open source. As Ars Technica nicely put it more than four years ago: “Android is open — except for all the good parts.”
Further complicating matters, Google actually offers two distinct flavors of Android. There’s AOSP, which is bare bones: no Google, no Google Play Store, no apps inbuilt. This is the one that you, me, or a company building a new connected device will utilize. However, AOSP almost certainly won’t be used on a mass-produced smartphone, except possibly in China, where Google hasn’t always been legal, and where familiarity is more with Chinese apps. The other reason is smartphone manufacturers use a different, “full” Android experience, which makes Google money, and the one that provides a truly viable user platform.
There’s Android open-source, and then there’s ‘full’ Android with everything Google included
The “full” Android we know and use daily on our phones has the Google Mobile Services (GMS) platform built on top of Android. It’s sold to most OEMs — companies like Samsung, HTC, LG, Huawei, and now Essential and Razer, among others. GMS is not open source. It’s quite far from AOSP, and bundles the apps and services we know and love with it. All that bundling has caused problems — the European Union objectedto Google’s use of this full Android package to “preserve and strengthen its dominance in general internet search.”
Addressing the question we received directly, new BlackBerry devices do come with GMS installed, and Google’s apps do report back to HQ, with caveats. An Android device won’t report your details back to Google unless you let it happen, by adding your Google account details and using Google apps.
Google’s not the only one receiving data on you— your phone carrier gets it too. Location data (by cellphone tower triangulation), logs of your calls for billing, and all your SMS message still go to your carrier. The Mobile Device Privacy Act offered some improvements here by limiting pre-installed tracking apps, but lots of your data is still sent.
Still, there are ways to use Android without directly involving Google in your life.
Using Android without Google
We’ve published interesting and perhaps more extreme cases in the past involving a completely de-Googled device, including a look at this Samsung Note 4 in China. It ran the AOSP flavor of Android, but everything was more or less replaced by Baidu — and sending data to Chinese companies instead of Google. The author thought the phone was odd, and didn’t feel as comfortable trusting Chinese apps as much as you do with Google, or Apple. Given China’s general privacy stance, that’s understandable.
We’ve also examined alternatives to Google apps, with notable winners like HERE WeGo and Citymapper for Maps, Firefox and Opera for browsing, Blue Mail for email, and Signal for (secure) third-party messaging.
Escaping Google is a matter of both effort, and what you’re willing to forego
Even if you use all those, there’s still a chance Google will receive your data. If it doesn’t, Facebook will probably get it, given its incredible reach across popular apps and hooks into websites. Eventually, stopping the flow of your data becomes a matter of deciding which services and conveniences you’re willing forego.
If you’re using the Google Play Store to get apps — and you normally would, as it’s the safest way to go — your installs and uninstalls will be tracked. The Play Store also tracks location data, user acquisition data, and does Android “vitals” monitoring, which monitors for things like excessive background Wi-Fi scans for apps.
Some of the cookies used by our App are set by us, and some are set by third parties who are delivering services on our behalf. For example, we use Google Analytics to track what users do on the App so we can improve the design and functionality.
On the web, Google somewhat curiously offers an Analytics opt-out plugin for most browsers, allowing you to prevent your data being used by Google Analytics. But that’s only on the web and not part of apps at this stage, meaning you’ll need to pick and choose your apps carefully, and very few offer as much transparency as Citymapper.
Step further down the line, and hosting becomes an issue. The Google Cloud Platform (GCP) hosts websites, apps, and acts as infrastructure for storing and hosting data, and more. It’s not quite at the scale of Amazon Web Services (AWS) which serves more than 35 percent of web traffic via their cloud server infrastructure, according to Synergy.
While nothing substantial exists in the U.S., both GCP and AWS follow some strict European Union directives around with data protection. If you’d like that in the U.S., you’ll need to lobby the FCC — and we’ve seen how well that goes.
How to really, really escape Google on Android
So, you want to escape Google? It’s possible, but you’re going to have trouble with normal web browsing. Using a more secure browser like Firefox Focus is a good place to start. Always using a VPN should go without saying. Quit searching with Google and use DuckDuckGo, which doesn’t collect any information about the user, and doesn’t track IPs or other information.
F-Droid offers an alternative to the Google Play store, providing a catalogue of only free and open-source applications. Many of them are replacements for Google apps, via a repository which also searches for updates. It’s not super popular, but it’s been around many years.
Going even further, another option is to use Tor, which was specifically designed for anonymous communication (and comes with an Edward Snowden recommendation!). It’s best known as a web browser, but there are Project Tor apps for Android. Our man Joe Hindy discusses this and more in his recent best Android security apps roundup.
Another popular method of erasing the junk and bloat and anything else hidden away on your Android device is to install a different OS — LineageOS (based on the old CyanogenOS) is a stock Android experience, but it’s far more locked down than your typical device OS.
You might even consider Mission Improbable, a “hardened” Android OS created by Tor developers and the open source community to show how Android can be made more secure. If you’re running Pixel or Nexus devices, and have familiarity with Linux, this is a top option for ultimate security.
If you use a Google Account without enabling or turning off certain history, your location is tracked, search history is built, and even your voice commands sent to your Google Assistant are stored. You’ll either be creeped out or delighted by looking at your (amazingly complete) location history in Google here.
At some point the conveniences you know and love might become worth giving over some of your data. Certainly, Google hope this is true.
If you keep off those apps, and don’t utilize a Google account, what you’re left with isn’t that much different if you’ve been with BlackBerry in the past — though even BlackBerry receives some user data from phones, and in much the same way as Google .
Cutting back further — and remaining connected — would require a dumbphone, or adopting a different lifestyle altogether. Just being connected guarantees some tracking of your personal data by so many different methods. At some point the conveniences you know and love might become worth giving over at least some of your data. Google certainly hopes this is true.
We suggest taking a look into better protecting your privacy on your device if you haven’t considered it before.