Cookies, identifiers “silently stored” on Android phones by Google apps
Posted on: 25 February 2025
A recent measurement study by Prof. Doug Leith, Professor of Computer Systems in Trinity’s School of Computer Science and Statistics, shows that advertising and tracking cookies and other device and user identifiers are sent by Google servers and stored on a handset, even when no Google apps have ever been opened by the user.
Fresh data protection concerns have been raised by a Trinity College Dublin study about storage of cookies, identifiers, and other data on Android phones by Google Play Services, the Google Play store and other pre-installed Google apps.
Professor Doug Leith said: “We all know that our consent is needed before a web site stores advertising and tracking cookies when we visit it. The same EU ‘cookie law’, the e-Privacy Directive, also applies to apps running on mobile phones. Cookies stored by apps have received far less attention than web cookies, partly because they are harder to detect, and a closer look at them is long overdue.”
“Google Play Services and the Google Play store are pre-installed on almost every Android phone. This study shows that they silently store advertising and other tracking cookies and data on people’s phones. No consent for this is sought by Google, and there is no way to block these cookies.”
“This study is a wake-up call to the Irish Data Protection Commissioner, to enforce EU data protection rules and start properly protecting Irish and EU users of Android phones.”
The main findings of the study are as follows:
1) Advertising analytics cookies, links to track clicks/views of adverts, and device identifiers associated with advertising are downloaded and stored on the handset.
2) Tracking cookies are downloaded and stored by the Google Play store app and then transmitted to Google servers alongside analytics data reporting user interactions with the Play store app (searches, page views, etc.).
3) The Google Android ID is sent by Google servers and stored on the handset by Google Play Services. Previous studies have shown this identifier is sent in many transmissions made by Google Play Services and the Google Play store to Google servers. It acts as a persistent device and user identifier, which can only be changed by factory resetting the phone.
4) Analytics cookies used for A/B testing of changes to Google apps are downloaded and stored on the handset by Google Play Services and then transmitted alongside app telemetry data to Google servers.
5) Multiple other cookies and identifiers which can act to uniquely identify the handset and/or user are also downloaded and stored on the handset.
ENDS
Media Contact:
Catherine O’Mahony | Media Relations | catherine.omahony@tcd.ie