Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Researchers tested Google Pixel 9: raises concerns about user privacy and security

October 2024 by CyberNews

Cybernews researchers analyzed the new Pixel 9 Pro XL smartphone’s web traffic, focusing on what a new smartphone sends to Google. The results show that Google’s latest flagship smartphone raises concerns about user privacy and security. It frequently transmits private user data to the tech giant before any app is installed. Moreover, the research team has discovered that it potentially has remote management capabilities without user awareness or approval.

“Every 15 minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,” said Aras Nazarovas, a security researcher at Cybernews.

Cybernews has contacted Google about these findings. However, researchers did not obtain a response before publishing.

Key research takeaways:
• Private information was repeatedly sent in the background, including the user’s email address, phone number, location, app list, and other telemetry and statistics to various Google endpoints, including Device Management, Policy Enforcement, and Face Grouping.
• Every 15 minutes, the device sends a regular authentication request to an endpoint called ‘auth.’
• The phone also requests a ‘check-in’ endpoint around every 40 minutes.
• The phone constantly requests new “experiments and configurations,” tries accessing the staging environment, and connects to device management and policy enforcement endpoints, suggesting Google’s remote control capabilities.
• The Pixel device connected to services that were not used, nor explicit consent was given, such as Face Grouping endpoints, causing privacy and ownership concerns.
• Another Google feature, Voice Search, was connecting to its servers sporadically – sometimes every few minutes, sometimes it wouldn’t communicate for hours. It sent potentially excessive and sensitive data, including the number of times the device was restarted, the time elapsed since powering on, and a list of apps installed on the device, including the sideloaded ones.
• Moreover, the Pixel device periodically calls out to a Staging environment service (‘enterprise-staging.sandbox’) and attempts to download assets that do not yet exist.
• This reveals the capability of remotely installing new software packages.
• The calculator app, in some conditions, leaks calculations history to unauthenticated users with physical access.
Research methodology

Researchers used a “man-in-the-middle” approach to intercept the traffic between a new Pixel 9 Pro XL and Google’s servers.

On a brand-new phone with a new Google account and default settings, they installed the Magisk app to gain deep (root) access to the phone’s system. Researchers then proxied the inbound and outbound traffic and used a custom security certificate to decrypt and examine the communications.

Rooting the phone disables AI features such as Google Gemini Assistant, Pixel Studio, and potentially some other features. Therefore, this method did not allow for the capture of complete traffic.

The collected traffic was not modified at any point, and researchers did not manually interact with endpoints nor attempt to verify captured secrets.


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts