This is the second in a series of blog posts looking at the considerations around adopting a GMS deployment in the enterprise.  Each post features a tl;dr along with recommendations.  For other posts in this series please see the links below:

 

Google are open about the type of data they collect on Android, why they collect that data and how that data is used.  The actual details of the privacy policy are available from https://www.google.com/policies/privacy/ and is written to be understandable. Note that there are a number of international versions of this policy that you may be directed to, for example the US and UK policies but the differences are lingual and regional rather than affecting the actual policy wording, for example the US “cell towers” are changed to UK “mobile towers”.   Google also have a “terms of service” and both policies are Google-wide meaning they are written to cover any method for accessing Google’s services e.g. Chromebook, desktop search or Chrome on iOS therefore not all the policy information is immediately applicable to Android.

 

Collected information includes but is not limited to: Hardware model, Android version, device UUID, mobile network, search queries, telephone logs, IP addresses, device crash information and system activity.

 

As Google states, “this data will be used to improve Google’s products and services for everyone” but frequently we find our enterprise customers err on the cautious side and would rather disable Google’s data acquisition entirely.  Techniques for disabling data gathering are discussed later but the extent of the privacy policy and TOS are not unique to Google; as more enterprises embrace public cloud and hybrid cloud models in their infrastructure the bigger picture of information sharing should be considered in light of the general trend toward being more accepting of cloud computing.

 

Executive Summary (TL;DR)

  • It is possible to prevent devices from communicating back to Google’s servers and the most reliable way to achieve this is through network configuration. Options do exist on Android devices and within Android applications to disable analytics but many of these options require manual intervention to disable.
  • The extent of the privacy policy and terms of service are not unique to Android or Google and many enterprises are embracing hybrid or public cloud models which have similar policies.
  • There is not just one type of analytics.  The device OS itself sends analytics, system applications (e.g. Chrome or Maps) send their own analytics and Firebase analytics (owned by Google) is a hugely popular analytics engine used by 3rd party applications.  To truly prevent any analytics going through Google’s servers you will need to address all of these vectors.

 

Google analytics

In order to use Google services, a user or device administrator are required to agree to Google’s privacy policy and terms of service.

 

This section discusses some of the ways you can prevent your data being shared with Google and there are two broad techniques to achieve this:

  1. Stop the device from reporting analytics to Google by preventing network access.
  2. Turn off analytics via the device and application settings

 

Note that you can click ‘Don’t add this account now’ during the set-up wizard rather than agree to Google’s terms of service.  Clicking ‘Don’t add this account now’ does not prevent your device from communicating back to Google as you still implicitly agree to the privacy policy through just using Google services. By not adding a Google account to the device, any information being gathered cannot be associated with a unique user but you will lose any functionality that depends on that account e.g. GSuite, Gmail, Drive, reset protection and many others.

 

Let us dive into each of these approaches to prevent data being shared with Google:

 

1) Stop the device from reporting analytics by preventing network access

The simplest, most obvious way to avoid Android devices ‘phoning home’ to Google is to prevent them from having external network access.  This makes sense for a large number of enterprise customers whose devices are deployed within the 4 walls and only have access to the company network; it is not required to give users internet access on the device to perform their job so the network administrator can deny external access.

 

By preventing devices from reaching the wider internet you will experience a degradation of features but will still have more features than a non-GMS device.  An oft used example to illustrate this is the location APIs: a GMS device with external internet connection is able to take full advantage of location services e.g. to create a Geofence around a particular location. If that same GMS device is prevented from accessing the external internet it can still use location services for actions that do not require internet access, for example determining the current activity of the device user (running, walking, driving).  On a non-GMS device, the location services are not available at all and the developer has to depend solely on the earlier location manager APIs whose use Google no longer recommends where alternatives exist.

 

If you wish to be more controlled over which addresses to block to prevent Android from ‘phoning home’ there is no authoritative list and the most reliable way is to prevent your device from accessing any of the IP addresses under Google’s ASN, 15169.  ASN 15169 consists of a long list of IP v4 and v6 addresses but external tools exist that can make the job easier for network administrators e.g. using https://www.enjen.net/asn-blocklist/index.php you could create an IP list as https://www.enjen.net/asn-blocklist/index.php?asn=15169&type=iplist and download that list by adding &api=1 to the end of the URL.  These external tools come without any endorsement from Zebra but just be aware that they do exist.

 

In terms of ports, again there is no authoritative list of all ports an Android device will use to connect to Google servers, the best information available only exists for the Firebase Cloud Message (FCM) service, which states ports: 5228, 5229 and 5230 are used by that tool.  Interestingly the FCM documentation also advises opening up all IP blocks listed under Google’s ASN in order to just support cloud messaging.

 

Looking at this the other way, the opposite is also true: if you wish to take full advantage of the google services such as enhanced location, application updates via the Play Store or Gmail then it is required to accept outgoing connections to all IP addresses contained in ASN 15169 as well as open ports 5228, 5229 and 5230 if you wish to take advantage of FCM.

 

2) Turn off analytics via the device & app settings

If preventing your device from having internet access to Google’s servers is not an option for you, perhaps because you require some of the added services that GMS offers then you may wish to disable data collection on the device by modifying the appropriate settings.  There is not a single master switch for turning off all analytics data and there are several classes of application which will be sending data:

  1. The Android system sends information back to Google such as battery level, app usage, app crash statistics and network connectivity.
  2. Google developed system applications pre-installed on Android such as the keyboard, Chrome and Maps send their own analytics to Google.
    1. A further distinction can be made for this application analytics data as it may or may not be associated with a Google account.  Consider the maps example, you can use Maps without a Google account and your location data is available to Google, if you then sign into Maps with your Google account that location data can be (optionally) stored as a history associated with your account.
  3. Any Android developer can integrate Firebase analytics (which is owned by Google) into their native Android application, the getting started guide is here.  So, if you have a specific concern about Google then bear in mind that it is a hugely popular application analytics platform for many 3rd party applications.

 

Analytics sent from the Android system

The Android system analytics can be configured as part of the start-up wizard (SUW) (see screenshot above, “Help improve your Android experience”) and will default to true, i.e. system analytics will be enabled.

 

You will not see this start-up wizard screen if you provision your device as a managed Android device (i.e. setup as a device owner).  In my tests the diagnostic data option is disabled by default for managed Android devices but since there are many ways to configure managed devices I recommend you test with your particular deployment.

 

You can manually modify or check the value of this setting at any time by following the instructions at https://support.google.com/accounts/answer/6078260, i.e. go to Settings --> Google --> (Menu) --> Usage & diagnostics and slide to ‘Off’ to disable analytics.  This settings screen also contains information about what diagnostics are being captured and the link to ‘Find out more’ will take you to the answer URL just given.

 

Analytics sent from Google developed, preinstalled applications

Google have a number of preinstalled applications on GMS devices that they explicitly call out as having additional privacy considerations in their privacy documentation, here.  Note that some of these applications depend on being associated with a Google account in order to have privacy implications (for clarity the Google account required for analytics to be captured is an account in the @gmail.* domain and not a managed Play account).  The list below is not exhaustive or comprehensive and if you plan on using a Google application or service it is recommended to review the privacy documentation for that application; the aim of the table is to explain how to address some of the common privacy concerns.

 

Note that some of the applications described below expose managed configurations, these require managed devices as well as an EMM that supports them.  You may consider disabling any system application that gives you privacy concerns and this will be covered in a later post, there is also an earlier blog on the subject available which does not provide any recommendations.

 

ApplicationPrivacy considerations
Google Search

Google searches can be performed in a number of ways, either through the browser (Chrome) at www.google.com or via the Google app.

 

Using the browser, the Google page will attempt to acquire your location via the HTML5 location API. The prompt presented to the user can be overridden if you are using a managed Android device since Chrome exposes a managed configuration to specify the default Geolocation settings. Regardless of the Geolocation API setting however, an approximate location can be determined from the device IP, though that ability is not specific to Google.  Much of Google Search’s analytics capabilities are tied to signing in with a Google account i.e. search history and browsing activity.  You can limit the amount of data gathered by not signing in with a Google account and further limit the association of search activity with the device by frequently clearing cookies or browsing in Incognito mode.  Chrome exposes managed configurations for disabling all cookies and forcing sessions to use incognito mode so managed Android devices are able to take advantage of these features.

If you do choose to sign into a Google account you can opt out of Chrome browsing history and activity as part of the account activity controls.

 

Google Now can also be enabled from the Google Search application after signing into your Google account.

Google Now provides personalized information in the form of cards based on data already known by Google.  Android Marshmallow introduced ‘Now on Tap’ where by pressing the home button a context sensitive search is made based on the text content of the current screen.  Now on Tap represents an additional privacy consideration since it is parsing the foreground app’s text and can be disabled in the settings UI under Settings --> Google --> Search --> Screen search

but at the time of writing cannot be disabled remotely by EMM; if you wish to avoid these privacy implications then it is best to prevent the user from signing in with a Google account.

GmailThe Gmail application itself can be used as a mail client for a variety of mail providers.  Email from providers such as Outlook or Yahoo will not be subject to Google’s scanning (though the degree of scanning from that external provider is outside the scope of this document).  Using a Google account (in the @gmail.* domain) will mean Google will automatically determine ads which may be of interest to you by scanning your email and combining that information with other information associated with your Google account.  You can opt-out of Google scanning your mail for advertising purposes in your account settings however Google will still scan your mail for anti-spam reasons.
YouTubeYouTube can be used both with and without a Google account.  Without a Google account YouTube is still subject to Google’s privacy policy so your watch history could conceivably be shared with Google but all the official documentation implies analytics are only gathered for views associated with Google accounts.  There are a number of controls and limitations you can apply for YouTube from your Google account settings.
HangoutsThe Hangouts application gets the majority of its functionality from being associated with a Google account. Without an account you are limited to SMS communication on WAN devices only.  If the Hangouts application is associated with a Google account the message history will be backed up to Google but this can be turned off in the application settings.
Google Maps

Google Maps will work perfectly well without a Google account as long as your device location settings are turned on, you even get access to traffic, satellite imagery and ‘place’ information.  Google maps gets its location (i.e. the blue dot) from one of the location providers available on the device, I go into this more in a previous blog and in an upcoming post in this series about GMS but briefly, even if location services are not available on the device Google maps will still be able to determine location through GPS or scanning nearby WiFi APs.  If you want to obtain a location which has been determined without accessing Google’s servers then turn off WiFi / Bluetooth scanning and ensure the location mode is set to ‘GPS only’.  Devices without a GPS chip such as the TC51 will need to rely on non-Google solutions such as BLE beacons to determine their position without reliance on Google.

 

If you do access Google Maps whilst signed into a Google account you get access to a wealth of additional functionality such as location history, saved places, customised flight info, calendar entries and the ability to contribute photos of places, all of which can be customised or deleted from your account settings.

Google Chrome

On launching Google Chrome for the first time you will be asked if you want to share usage statistics and crash reports with Google.

This is specific to Chrome and you can disable it within the application at any time by launching Chrome --> (Menu) --> Settings --> Privacy --> “Usage and crash reports”, as explained here but there is no managed configuration to change this so it must be done manually.

Other privacy features of Chrome include:

  • ‘Safe Browsing’ which can be enabled or disabled via a managed configuration and provides protection against phishing
  • ‘Security incidents’ which allows Chrome to detect unwanted software.
  • ‘Enable network prediction’ allows prefetching and prerendering of web pages and can be controlled by a managed configuration.
  • Managed configuration settings exist to default to ‘Incognito mode’ and reset cookies on each session to force a more private browsing experience on the end user.

Note that Chrome also has its own terms of service and privacy notice.

 

By associating a Google account with Chrome your browsing history and bookmarks are synced but these can be deleted via your Google account settings.

Google+Google+ is not functional without associating it with a Google account
Google CalendarGoogle Calendar is not functional without associating it with a Google account
Google PlayGoogle Play requires a Google account to function and is covered in a future post in this series on GMS.
Google DriveGoogle Drive is not functional without associating it with a Google account
Google Keyboard

GMS devices ship with an updated Google keyboard compared with AOSP and the GMS keyboard would like to share some anonymized data with Google:

You can disable this on all Android versions, for example on Marshmallow you can update this via the Settings UI here: (Settings --> Languages & Input --> Google Keyboard --> Advanced --> Share usage statistics / Share snippets) and on Nougat the setting is here: (Settings --> Languages & Input --> Virtual keyboard --> Gboard --> Advanced --> Share usage statistics / Share snippits).  In either case, it is not possible to prevent the dialog from displaying to the user the first time.

 

Zebra’s own Enterprise Keyboard can be used as an alternative input method for the majority of customers and provisioned as the default IME during staging.

Google Photos

Google Photos can be used without a Google account but functionality is limited.  More pertinent to privacy is the exif data associated with the photos you take: when you launch the camera application you will be prompted to ‘Remember photo locations?’ but it is not possible to alter this setting after it is set.  (This is particular to the Camera app settings so may change in the future).

Associating Google Photos with a Google account will enable photos to back up your data to Google’s servers, including exif data.

The only way to prevent backing up once a Google account has been associated is to rely on the user manually selecting the correct options in the presented dialog, see screenshot.

 

There are a variety of ways to disable the camera entirely so the user is not able to take photos and you can do this via most EMMs and through Zebra’s StageNow tool.

Google DocsGoogle docs are not preinstalled so strictly should not be in this list but if added to a device without a Google account (e.g. deployed via EMM) at the time of writing the application will not launch.
Google KeepGoogle Keep is not preinstalled but if added to a device without a Google account (e.g. deployed via EMM) the application will not run without a Google account.

 

Analytics from 3rd party applications using Google as their analytics provider

Firebase analytics is a very popular analytics platform from Google for Android and other operating systems.  You will find many 3rd party applications will use Firebase analytics so a logical question would be whether you can disable Firebase analytics using the same setting described earlier which disables Android analytics, i.e. Settings --> Google --> (Menu) --> Usage & diagnostics and slide to ‘Off’.  The answer is ‘no’, there is no way in software to disable a 3rd party application’s analytics unless an option is explicitly exposed by that application; the fallback is to prevent the application from communicating with the Firebase backend, as explained at https://developers.google.com/cloud-messaging/http for Firebase, i.e. disable access to ports 5228, 5229 & 5230.  If the 3rd party application uses an analytics engine other than Firebase then the instructions would differ depending on the provider.

 

Recommendations

If you wish to prevent the Android OS as well as applications running on your device from providing analytics to Google the most robust way to achieve this is though network configuration, either:

  • By preventing external access entirely or
  • Prohibiting access to Google’s servers via a VPN or firewall.

 

Settings exist to turn off analytics but there are some difficulties to this approach:

  • Separate settings exist for the device and system applications.  It can be challenging to manage the number of settings and ensure none are missed.
  • Many settings require manual intervention (at the time of writing) therefore making it more time-consuming to stage & provision devices
  • 3rd party applications making use of Firebase analytics may choose to not expose an option to disable analytics, though they must state that analytics are being gathered in that app’s privacy statement