Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and

Android Mobile OS Snooping By Samsung,

Xiaomi, Huawei and Realme Handsets

CONTENT OF NETWORK CONNECTIONS

Note: To save space and reduce repetition, common Google

Play Services and Google Play store connections are not

included, e.g.

1) https://play.googleapis.com/vn/log/batch

2) https://play.googleapis.com/play/log

3) https://www.googleapis.com/experimentsandconﬁgs

4) https://www.googleapis.com/androidantiabuse

and connections made by Chrome e.g.

1) https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch

that are already documented elsewhere.

1st October 2021

I. SAMSUNG

Summary:

Samsung system app endpoints: Identiﬁers Sent:

gos-api.gos-gsp.io uuid

api.omc.samsungdm.com hardware serial number, Samsung

Consumer ID, Firebase IDs/tokens

dir-apis.samsungdm.com IMEIs, hardware serial number,

Samsung Consumer ID

api.gras.samsungdm.com hardware serial number, regID

capi.samsungcloud.com device id, authorization value

pinning-02.secb2b.com deviceid

eu-kaf.samsungknox.com hashes of IMEIs, hash of hardware

serial number

www.ospserver.net IMEIs, Samsung Consumer ID,

hardware serial number, mobile

network cell ID/location

fota-cloud-dn.ospserver.net IMEI, Firebase ID

sspapi-prd.samsungrs.com GAID

dms.ospserver.net IMEIs

sdk.pushmessage.samsung.com IMEI, Firebase ID

samsung-

directory.edge.hiyaapi.com

GAID, other IDs

us-api.mcsvc.samsung.com x-smcs-did

us-rd.mcsvc.samsung.com sid

ie-odc.samsungapps.com IMEI

Third-party (non-Google) system

app endpoints:

Identiﬁers Sent:

sun-apps.sfr.com Firebase ID

mobile.pipe.aria.microsoft.com secure settings android id,

DeviceInfo.SDKUid, cai.device.id,

TenantId

conﬁg.edge.skype.com secure settings android id

app.adjust.com GAID, android uuid

www.linkedin.com bcookie, bscookie, lidc, trackingId

samsung-directory.edge.hiyaapi.

com

GAID X-Hiy-Installation-User-ID,

hin, hui

Identiﬁers observed to persist

across factory reset

IMEIs (including hashes of the

IMEIs), hardware serial number,

Samsung Consumer ID

TABLE I

SUMMARY OF IDENTIFIERS SENT IN SYSTEM APP CONNECTIONS

(EXCLUDING GOOGLE SYSTEM APPS).

1) The handset sends the following device identiﬁers to

api.omc.samsungdm.com and dir-apis.samsungdm.com in

a way that links them all together: hardware serial num-

bers (both ro.serialno and ril.serialnumber in getProp),

IMEI of both SIM slots and Samsung device/consumer

id. In addition a Google Firebase authentication token

is sent to api.omc.samsungdm.com, allowing linkage of

data collection by Samsung and Google Firebase. A

connection to dir-apis.samsungdm.com sends cell tower

identiﬁers (LAC and UCID) that reveal the approximate

device location.

2) Details of installed software are sent to os-api.gos-gsp.io/,

which appears to be a Samsung domain associated with

a software conﬁguration service (gos may be an acronym

for “game optimisation service”). The service returns

app settings such as allow more heat, boost launch,

enableCpuMinFreqControl).

3) Device details, including the hardware serial number,

are sent to api.gras.samsungdm.com. Also sent is a

Google Firebase authentication token associated with

com.samsung.android.sdm.conﬁg.

Telemetry

api.omc.samsungdm.com logs SIM insertion

samsung-directory.edge.hiyaapi.

com

logs making/receiving phone call

sun-apps.sfr.com time of last reboot,

wakeup

success, wakeup error,

error stack traces, whether

SIM inserted, duration app

com.altice.android.myapps has

been active

System apps com.wssyncmldm,

com.samsung.android.

samsungpass,com.samsung.

android.authfw,com.altice.android.

myapps,com.samsung.android.

bixby.agent,com.samsung.android.

game.gamehome,com.sec.android.

app.samsungapps,com.sfr.android.

sfrjeux

use Google Analytics to log user

interaction, including screens/ac-

tivities viewed plus duration and

timestamp.

Device Data

gos-api.gos-gsp.io details of installed apps

www.ospserver.net, dms.ospserver.

net

device details

api.omc.samsungdm.com,

dir-apis.samsungdm.com,

api.gras.samsungdm.com,

ie-odc.samsungapps.com,

sdk.pushmessage.samsung.com

device details

sspapi-prd.samsungrs.com, us-api.

mcsvc.samsung.com

device model

samsung-directory.edge.hiyaapi.

com

installed apps

sun-apps.sfr.com device details

mobile.pipe.aria.microsoft.com,

vortex.data.microsoft.com

device details, details of installed

Microsoft apps

app.adjust.com device details

www.linkedin.com device details

TABLE II

SUMMARY OF DATA SENT IN SYSTEM APP CONNECTIONS (EXCLUDING

GOOGLE SYSTEM APPS).

4) Device and app identiﬁers are sent to capi.samsungcloud.

com. This appears to be associated with the Samsung

Cloud service.

5) What appear to be hashes of the IMEIs of both SIM

slots and of the hardware serial number are sent to

eu-kaf.samsungknox.com, gslb.secb2b.com/KnoxGSLB/

v2/lookup/knoxguard. Binary messages are also sent to

eu-kaf.samsungknox.com, the contents of which are un-

clear (they base64 decode to binary in what seems to be

a proprietary format). These connections appears to be

associated with the Samsung Knox service.

6) The IMEI’s of both SIM slots, the hardware serial number

and the Samsung device/consumer id are sent to www.

ospserver.net/, which appears to be a Samsung server.

Cell tower identiﬁers are sent that reveal the approximate

device location. The Firebase authentication token for app

com.wssyncmldm is also sent, allowing linkage of data

collection by Samsung and Google Firebase.

7) The Google adid/rdid advertising id is sent to spapi-prd.

samsungrs.com/AdConﬁguration. The connection seems

to associated with the app com.samsung.android.

dynamiclock.

8) Other Samsung servers to which data is sent in-

clude: fota-apis.samsungdm.com, ota-cloud-dn.ospserver.

net, hub-odc.samsungapps.com/, as.samsungapps.com/,

dms.ospserver.net, sdk.pushmessage.samsung.com.

9) Samsung system apps that log handset activity using

Google Analytics include: com.samsung.android.app.

omcagent,com.samsung.android.app.simplesharing,com.

samsung.android.authfw,com.samsung.android.bixby.

agent,com.samsung.android.kgclient,com.samsung.

android.mobileservice,com.samsung.android.rubin.

app,com.samsung.android.themestore,com.sec.android.

app.billing,com.sec.android.app.samsungapps,com.

wssyncmld,com.samsung.android.game.gamehome. The

messages sent to Google/Firebase Analytics are encoded

as protobufs. We decoded these by reconstructing the

protobuf deﬁnition from the decompiled Firebase code.

Examples are shown below, but the messages log user

interaction, including screens/activities viewed plus

duration and timestamp.

10) When a SIM is ﬁrst inserted into the handset follow-

ing a factory reset a connection is made to api.omc.

samsungdm.com/v5/api/device/simChange that sends the

hardware serial number, Samsung device/consumer id,

the mobile operator MNC/MCC identiﬁers and the the

operator name. In addition SIM details are sent to Google

as observed in previous studies, see “Mobile Handset

Privacy: Measuring The Data iOS and Android Send to

Apple And Google”, Proc Securecomm 2021.

11) When browsing the Settings app connections are made

to ie-odc.samsungapps.com, auth2.samsungosp.com,

us-cd-gpp.mcsvc.samsung.com, us-rd.mcsvc.samsung.

com. The com.samsung.android.themestore and com.

samsung.android.samsungpass apps send telemetry to

Google Analytics and com.samsung.android.samsungpass

calls ﬁrebaseremoteconﬁg.googleapis.com. The

Google adid/rdid advertising identiﬁer is sent to

us-api.mcsvc.samsung.com/.

Pre-installed Non-Samsung System Apps

1) Mobile Operator SFR/Altice. The particular handset used

in these measurements was bought secondhand online

and appears to originally be from French mobile oper-

ator SFR/Altice France. The pre-installed system apps

include com.sfr.android.sfrjeux and com.altice.android.

myapps. Both make use of Google Analytics and custom

telemetry is also sent to sun-apps.sfr.com/reportusage.

The app com.sfr.android.sfrjeux and com.altice.android.

myapps apps send device details and a Firebase authen-

tication token to https://sun-apps.sfr.com (so linking data

collection by SFR/Altice and Google Firebase) as well as

what appears to be a persistent device identiﬁer. It also

appears to attempt to transmit the Wiﬁ SSID. The app

com.altice.android.myapps additionally uses the Firebase

Crashlytics and Remote Conﬁguration services.

Note that neither of apps were ever opened on the device,

and no popup or request to send data was observed.

2) Google. The following pre-installed Google system apps

were observed to send data to Google.

a) Google Play Services and Google Play store make

many connections to Google servers. These share per-

sistent device and user identiﬁers with Google includ-

ing the device hardware serial number, SIM IMEI,

Wiﬁ MAC address, SIM IMSI and phone number,

user email (when logged in). A substantial quantity

of data is sent, in particular, to play.googleapis.com/

vn/log/batch, play.googleapis.com/play/log and www.

googleapis.com/experimentsandconﬁgs. This is consis-

tent with other recent measurement studes, see “Mo-

bile Handset Privacy: Measuring The Data iOS and

Android Send to Apple And Google”, Proc SECURE-

COM 2021.

b) Google Youtube sends device data, including persistent

identiﬁers and the Google adid/rdid advertising iden-

tiﬁer and the AndroidID, to www.googleadservices.

com and youtubei.googleapis.com. Youtube also uses

Google Analytics to log events, and presumably also

user interaction.

c) Connections are periodically made to www.google.

com/complete/search. These are associated with the

searchbar embedded in the handset UI and send a

cookie which acts to link these connections to per-

sistent device and user identiﬁers. Less frequent con-

nections are made to www.google.com/m/voice-search/

down that contain what appears to be a persistent

device identiﬁer.

d) The com.google.android.googlequicksearchbox app is

associated with the search bar embedded in the handset

UI. It sends telemetry data to Google Analytics that

logs user interaction (screens/activities viewed plus

duration and timestamp, etc).

e) When logged in to a Google account, connections

are made to mail.google.com/mail/ads, inbox.google.

com/sync and www.googleapis.com/calendar that send

identiﬁers linked to the device and user account. Note

that account login was carried out via the Google Play

app only. Syncing of gmail, contacts, calendar took

place without the user being asked or opting in.

f) When logged in to a Google account, connections

are also made to instantmessaging-pa.googleapis.com,

people-pa.googleapis.com, footprints-pa.googleapis.

com. It’s not clear what the purpose of these

connections is or what data is sent.

g) When location is enabled additional connections

are made to lamssettings-pa.googleapis.com

and mobilenetworkscoring-pa.googleapis.

com/v1/GetWiﬁQuality. The connection to

mobilenetworkscoring-pa.googleapis.com/v1/

GetWiﬁQuality hashes of the Wiﬁ MAC addresses

of nearby access points, used to query a network

quality database to determine the best Wiﬁ network to

connect to.

h) Connections are made to www.gstatic.com/commerce/

wallet/ but were not observed to contain persistent

identiﬁers.

i) Google Chrome makes connections to Google servers.

These connections are consistent with previously doc-

umented behaviour, see “Web Browser Privacy: What

Do Browsers Say When They Phone Home?”, IEEE

Access. DOI 10.1109/ACCESS.2021.3065243.

Note that none of these apps were opened on the device,

and no popup or request to send data was observed.

3) Microsoft. The pre-installed Microsoft system apps con-

nect to mobile.pipe.aria.microsoft.com and app.adjust.

com (which appears to be a third-party analytics

company, their website says “Adjust offers a num-

ber of analytics tools designed to give you the

deepest insight into your user interaction, your mar-

keting channels, and your campaign performance”).

The data sent to mobile.pipe.aria.microsoft.com in-

cludes device hardware and software details to-

gether with persistent device identiﬁers DeviceInfo.Id,

DeviceInfo.SDKUid, cai.device.id and TenantId. The

document https://docs.microsoft.com/en-us/deployofﬁce/

privacy/required-diagnostic-data states:

a) DeviceInfo.Id - A unique device identiﬁer to help us

detect device-speciﬁc issues

b) DeviceInfo.SDKUid - The device unique identiﬁer

(similar to DeviceInfo.Id)

The data sent to app.adjust.com includes device details,

the Google adid/rdid advertising id of the handset and

what appears to be a persistent device identiﬁer that acts

to link connections together. Connections are also made to

conﬁg.edge.skype.com, skyapi.live.net, oneclient.sfx.ms.

Note that no Microsoft apps were ever opened on the de-

vice, and no popup or request to send data was observed.

4) LinkedIn. A ﬁrst connection is made to www.linkedin.

com/mob/tracking that responds by setting bcookie,

bscookie and lidc cookies. The linkedin document https:

//www.linkedin.com/legal/l/cookie-table says:

a) bcookie: Browser Identiﬁer cookie to uniquely identify

devices accessing LinkedIn to detect abuse on the

platform

b) bscookie: Used for saving the state of 2FA of a logged

in user

c) lidc: To optimize data center selection

These cookies are resent in later requests to www.

linkedin.com/li/track, along with trackingId values.

5) Hiya. Connections are made to samsung-directory.edge.

hiyaapi.com/v3/trackevents. This appears to be associated

with a third-party call management service, with con-

nections made when making/receiving a call. Data sent

includes the Google adid/rdid advertising id, an X-Hiy-

Installation-User-ID and an authorization token that when

decoded contains hin and hui values that appear to be

persistent device identiﬁers.

6) Google Analytics. Several pre-installed system apps

log handset activity using Google Firebase Analytics.

These include: com.google.android.apps.maps,com.

microsoft.skydrive,com.android.vending,com.google.

android.googlequicksearchbox,com.sfr.android.sfrjeux,

com.altice.android.myapps

A. Selected Connections During Startup After Factory Reset

HEAD http://www.google.com/

<<< HTTP 200, 0.00B

Set-Cookie: NID=212=X FV28cwdxhIedC a...NXdU

Almost the ﬁrst connection following the factory reset (earlier connections

are e.g. to http://connectivitycheck.gstatic.com/ generate 204 to check for

network connectivity) sets a Google cookie.

GET http://gllto1.glpals.com/4day/v5/latest/lto2.dat

Accept:

, application/vnd.wap.mms−message, application/vnd.wap.sic

x−wap−proﬁle: http://www.openmobilealliance.org/tech/proﬁles/

UAPROF/ccppschema−20021212#

<<< HTTP 200, 168.30KB

This appears to be associated with Broadcom Assisted-GPS.

GET https://conﬁg.edge.skype.com/conﬁg/v1/com.microsoft.skydrive/5.40.5?

clientId=cff4bd4ddb34000b

<<< HTTP 200, 8.35KB

First connection to a Microsoft server, early in the startup process. This

connection sends a clientId value (the value is the secure settings

android id) that is also sent in later connections as a ”DeviceInfo.Id” value

and acts as a device identiﬁer.

GET https://app−measurement.com/conﬁg/app/1%3A126578593765%3

Aandroid%3Ab2244cc320147605?app

instance id=

d4b47dc0a35001516161c1141fed695a&platform=android&gmp version

=19629

<<< HTTP 200, 428.00B

First connection to Google Analytics. Based on the app instance id value

this connection is associated with the app, which seems to associated with

the mobile operator Altice

POST https://www.googleapis.com/androidantiabuse/v1/x/create?alt=PROTO

&key=AIzaSyBof...wzOIz−lTI

Headers

User−Agent: DroidGuard/19629037

First of a sequence of connections to Google’s DroidGuard/Safety Net

service. Sends device details to Google, including the hardware serial

number

GET https://oneclient.sfx.ms/mobile/ts conﬁguration.jwt

<<< HTTP 200, 15.34KB

The response to this request is a jwt encoded message that contains

certiﬁcate details for skydrive, skydrive certiﬁcate chain,

excel word powerpoint outlook lync, skype, wunderlist, shiftr df, cortana,

cortana chain, launcher, launcher chain, powerapp, bing chain, cheshire,

cheshire chain, bingapps, bingapps chain, yammer, yammer chain, etc

POST https://hub−odc.samsungapps.com/ods.as

<?xml version=”1.0” encoding=”UTF−8” standalone=”yes”?><

SamsungProtocol networkType=”0” deviceModel=”SM−G960F TM” mcc

=”” mnc=”0” csc=”SFR” odcVersion=”5.1.02.305” odcType=”02”

OTFVersion=”9000000” openApiVersion=”29” lang=”EN” version=”6.3”

version2=”3” ﬁlter=”1” sessionId=”” ><request id=”772300” name=”

countrySearchExForTheme” numParam=”3” transactionId

=”307043819000”><param name=”latestCountryCode”></param><

param name=”whoAmI”>odc</param><param name=”

autoSelfUpgradeYN”>Y</param></request></SamsungProtocol>

<<< HTTP 200, 1.19KB

Set-Cookie: JSESSIONID=rSqFFFTz6P...k7k.s04w011odc03; path=/,

SCOUTER=x76fqjdog2gp7a

This is the ﬁrst connection to Samsung. It sends device details and the

response sets a cookie and sends conﬁg information presumably based on

geolocation of the handset IP address (namely that the country is IRL,

currency is euro etc). The handset as no SIM installed here.

POST https://app−measurement.com/a

POST body decoded as protobuf:

<...>

8: ”android”

9: ”10”

10: ”SM−G960F”

11: ”fr−fr”

12: 60

13: ”manual install”

14: ”com.altice.android.myapps”

16: ”1.5.4”

17: 15300

18: 19629

19: ”cfb8a087-1c38-4bb9-bc15-5f51001b8df1”

20: 0

21: ”d4b47dc0a35001516161c1141fed695a”

22: 8442310499665198199

23: 1

25: ”1:126578593765:android:b2244cc320147605”

28: 1

30: ”egHfAlJvXwI”

31: 1543000

35: 1585956163239078

<...>

System app com.altice.android.myapps registering with Google Analytics.

The value cfb8a087-1c38-4bb9-bc15-5f51001b8df1 is the Google rdid/adid

advertising identiﬁer, The d4b47dc0a35001516161c1141fed695a value is the

app

instance id and the egHfAlJvXwI value is later sent as the X-appid

header. Both seem to be persistent app instance identiﬁers.

Similar Google Analytics connections are made by a number of other

pre-installed system apps, including: com.google.android.apps.maps,

com.microsoft.skydrive, com.samsung.android.app.omcagent,

com.samsung.android.app.simplesharing, com.samsung.android.authfw,

com.samsung.android.bixby.agent, com.samsung.android.kgclient,

com.samsung.android.mobileservice, com.samsung.android.rubin.app,

com.samsung.android.themestore, com.sec.android.app.billing,

com.sec.android.app.samsungapps, com.sfr.android.sfrjeux, com.wssyncmld,

com.samsung.android.game.gamehome, com.android.vending,

om.google.android.googlequicksearchbox, com.altice.android.myapps

POST https://android.googleapis.com/checkin

This checkin connection as been documented elsewhere. It links together

several device identiﬁers including the IMEI, hardware serial number and

Wiﬁ MAC address, and sends extensive details of the device hardware and

software to Google.

POST https://mobile.pipe.aria.microsoft.com/Collector/3.0/

Content−Type: application/bond−compact−binary

POST body:

\xd8\xfa,\x83L.:j@yUR\x93\xd5\<...>

Sends telemetry to Microsoft. The Bond Compact Binary format is a

Microsoft data serialisation format. The schema is needed to decode Bond

Compact Binary data. Bond works by compiling the schema to Java code,

and so we decompiled the app, manually reconstructed the schema from the

decompiled code and then compiled a C++ programme based on this

reconstructed schema using Microsoft’s Bond compiler to yield a decoder

that can deserialise the observed POST payload data, then re-serialise to

json so that its human readable. The Bond documentation is unhelpful, to

say the least, so this was quite a painful process. After decoding we

observed three main types of event payload. One is act

stats, e.g.

{”DataPackages”:[],”RequestRetryCount”:0,”TokenToDataPackagesMap

”:[”7434683b182f4b49bc52295c8152518d−e1d93d3d−7e05−4dd3−94d4−

eb44bc27b601−7301”,[{”Source”:”act default source”,”Ids”:[],”

DataPackageId”:”39f999f3−3773−4a6c−919f−03088dfb241c”,”Timestamp

”:1617194704207,”SchemaVersion”:1,”Records”:[{”Id”:”b4bf7086

−3261−4832−a234−bc0f2c11c76d”,”Timestamp”:1617185943946,”Type”:”

custom”,”EventType”:”act stats”,”Extension”:[”AppInfo.Language”,”en−GB

”,”AppInfo.Version”,”5.40.5”,”DeviceInfo.Id”,”cff4bd4ddb34000b”,”

DeviceInfo.Make”,”samsung”,”DeviceInfo.Model”,”SM−G960F”,”DeviceInfo

.NetworkCost”,”Unknown”,”DeviceInfo.NetworkType”,”Unknown”,”

DeviceInfo.OsBuild”,”G960FXXU8DTC5”,”DeviceInfo.OsName”,”Android

”,”DeviceInfo.OsVersion”,”10”,”DeviceInfo.SDKUid”,”dac15d07-c41e-4121-

b672-c46f1496da7c”,”EventInfo.InitId”,”9460f00b−7ef7−4e35−90b4−

c628d4564b34”,”EventInfo.Name”,”act stats”,”EventInfo.SdkVersion”,”ACT

−Android−Java−no−3.0.12.0−ECS”,”EventInfo.Sequence”,”1”,”EventInfo.

Source”,”act default source”,”EventInfo.Time”,”2021−03−31T10:19:03.946Z

”,”S e”,”ECS”,”S j”,”no”,”S k”,”Java”,”S p”,”Android”,”S t”,”ACT”,”S v

”,”3.0.12.0”,”TenantId”,”8ce6eedc33864b2f856e8ee4f9ec4190”,”UserInfo.

Language”,”en−GB”,”UserInfo.TimeZone”,”+01:00”,”eventpriority”,”High”,”

tr p”,”r t”],”RecordType”:1,”PIIExtensions”:[],”TypedExtensionBoolean”:[],”

TypedExtensionDateTime”:[],”TypedExtensionInt64”:[”inol”,2,”n inol”,2,”

normal priority records received count”,2,”records received count”,2,”t h

”,1,”t l”,4,”t n”,2,”t p”,2],”TypedExtensionDouble”:[],”TypedExtensionGuid

”:[],”CustomerContentExtensions”:[]}]}]]}

This contains a number of identiﬁers, sends device details and count stats

e.g. records received count, normal priority records received count. The

DeviceInfo.Id value cff4bd4ddb34000b acts as a persistent device identiﬁer

(it is the secure settings android id value and is also sent in a connection

to conﬁg.edge.skype.com). Also theDeviceInfo.SDKUid value

dac15d07-c41e-4121-b672-c46f1496da7ca. The document https:

//docs.microsoft.com/en-us/deployofﬁce/privacy/required-diagnostic-data

states:

1) DeviceInfo.Id - A unique device identiﬁer to help us detect

device-speciﬁc issues

2) DeviceInfo.SDKUid - The device unique identiﬁer (similar to

DeviceInfo.Id)

Also a TenantId value.

A second type of event logged is qosmobile, e.g.

{”DataPackages”:[],”RequestRetryCount”:0,”TokenToDataPackagesMap”:[”8

ce6eedc33864b2f856e8ee4f9ec4190−e3bcafbe−1bc4−440c−80a7−7

e09c0a2d3e7−7331”,[{”Source”:”act default source”,”Ids”:[],”

DataPackageId”:”5086c0b7−2924−4fd9−8e8e−c9978eb80289”,”Timestamp

”:1617194706179,”SchemaVersion”:1,”Records”:[{”Id”:”b052b531

−3361−4977−b1e7−5dd7a34f6bc7”,”Timestamp”:1617185884504,”Type”:”

custom”,”EventType”:”qosmobile”,”Extension”:[”AppInfo.Id”,”

OneDrive Android”,”AppInfo.Language”,”en−GB”,”AppInfo.Version

”,”5.40.5”,”BuildType”,”Prod”,”DeviceInfo.Id”,”cff4bd4ddb34000b”,”

DeviceInfo.Make”,”samsung”,”DeviceInfo.Model”,”SM−G960F”,”DeviceInfo

.NetworkCost”,”Unknown”,”DeviceInfo.NetworkType”,”Unknown”,”

DeviceInfo.OsBuild”,”G960FXXU8DTC5”,”DeviceInfo.OsName”,”Android

”,”DeviceInfo.OsVersion”,”10”,”DeviceInfo.SDKUid”,”dac15d07-c41e-4121-

b672-c46f1496da7c”,”Environment”,”Unknown”,”EventCategory”,”

CrashReporting/PreviousProcessDetected”,”EventInfo.InitId”,”675f52a5−4ecf

−471a−b816−777527e4bda0”,”EventInfo.Name”,”qosmobile”,”EventInfo.

SdkVersion”,”ACT−Android−Java−no−3.0.12.0−ECS”,”EventInfo.Sequence

”,”1”,”EventInfo.Source”,”act default source”,”EventInfo.Time

”,”2021−03−31T10:18:04.504Z”,”EventName”,”QoS/CrashReporting/

PreviousProcessDetected”,”EventSchemaVersion”,”20”,”EventType”,”QoS”,”

IsIntentional”,”0”,”Name”,”QoS/CrashReporting/PreviousProcessDetected”,”

ResultCode”,”CrashReporting/PreviousProcessDetected”,”ResultType”,”

Success”,”SampleRate”,”1”,”UserAgent”,”OneDrive for Android/5.40.5 (

Android/10; en−GB; samsung/SM−G960F)”,”UserInfo.Language”,”en−GB

”,”UserInfo.TimeZone”,”+01:00”,”ai.device.id”,”91750293-82bd-41bd-ba5b-

8a9b7f0623a4”,”eventpriority”,”Normal”],”RecordType”:1,”PIIExtensions

”:[],”TypedExtensionBoolean”:[],”TypedExtensionDateTime”:[],”

TypedExtensionInt64”:[],”TypedExtensionDouble”:[],”TypedExtensionGuid

”:[],”CustomerContentExtensions”:[]},{”Id”:”e9cbd963−01c1−4b0c−9277−

fc16973b2c42”,”Timestamp”:1617185884686,”Type”:”custom”,”EventType

”:”usagemobile”,”Extension”:[”AccessibilityIsCaptionsEnabled”,”false”,”

AccessibilityIsColorInversionEnabled”,”Unknown”,”AccessibilityIsEnabled

”,”false”,”AccessibilityIsHighContrastTextEnabled”,”false”,”

AccountOverQuotaDialog”,”true”,”AccountType”,”Unknown”,”AddToMru

”,”−1”,”Adjust”,”true”,”AllPhotosExcludeNoThumbnailFile”,”true”,”

AllPhotosInitialCountLimit”,”true”,”AllPhotosProjection”,”true”,”

AllPhotosSuperZoom”,”true”,”AppInfo.Id”,”OneDrive Android”,”AppInfo.

Language”,”en−GB”,”AppInfo.Version”,”5.40.5”,”Aria”,”true”,”Audio”,”false

”,”AuthenticatorIsTokenBroker”,”false”,”AutoUploadEnabled”,”false”,”

Autoplay”,”false”,”BlockIAPForAmazon”,”true”,”BuildType”,”Prod”,”

BusinessAccountOnPremise”,”true”,”CSLFolder”,”true”,”

CameraBackupExperiments”,”false”,”CameraBackupQosTelemetry”,”true”,”

CameraRollNestedFolderBusiness”,”true”,”

CameraRollNestedFolderConsumer”,”false”,”

CameraRollNestedFolderFetchTimeout”,”300000”,”

CameraRollNestedFolderMonthOptionBusiness”,”false”,”

CameraRollNestedFolderMonthOptionConsumer”,”false”,”Camera Android

”,”true”,”ChargerSetting”,”false”,”CheckOfferEligible”,”false”,”

CheckUploadStatus”,”true”,”Chromecast Android”,”false”,”CleanUpSpace”,”

true”,”CloudAccounts Android”,”true”,”CrashReportToFabric2”,”false”,”

CrashReportToHockeyApp”,”true”,”DataLossPreventionPolicyTips”,”true”,”

DefaultPushNotiﬁcationAction”,”true”,”DetectXplatDbCorruption”,”true”,”

DeviceInfo.Id”,”cff4bd4ddb34000b”,”DeviceInfo.Make”,”samsung”,”

DeviceInfo.Model”,”SM−G960F”,”DeviceInfo.NetworkCost”,”Unknown”,”

DeviceInfo.NetworkType”,”Unknown”,”DeviceInfo.OsBuild”,”

G960FXXU8DTC5”,”DeviceInfo.OsName”,”Android”,”DeviceInfo.

OsVersion”,”10”,”DeviceInfo.SDKUid”,”dac15d07-c41e-4121-b672-

c46f1496da7c”,”DisableRoboAlbums”,”true”,”DiscoverView2”,”true”,”

DiscoverViewLocalNotiﬁcation”,”true”,”Dogfood”,”false”,”

ECSConﬁgTesting4”,”0”,”EditTagsV2 Android”,”false”,”

EnableCrashSearchStatistics”,”false”,”EnableCrashTelemetry”,”true”,”

EnableMRUv2 1”,”true”,”EnableRiverﬂowGrouping”,”true”,”

EnvironmentManagementState”,”NO MANAGEMENT”,”EventInfo.InitId

”,”675f52a5−4ecf−471a−b816−777527e4bda0”,”EventInfo.Name”,”

usagemobile”,”EventInfo.SdkVersion”,”ACT−Android−Java−no−3.0.12.0−

ECS”,”EventInfo.Sequence”,”2”,”EventInfo.Source”,”act default source”,”

EventInfo.Time”,”2021−03−31T10:18:04.686Z”,”EventName”,”Legacy/

AppState/ProcessStart”,”EventSampleList”,”Legacy/Auth/TokenRefresh”,”

EventSchemaVersion”,”20”,”EventType”,”Legacy”,”FastScroller”,”true”,”

FileExtensionsSetting”,”true”,”FilesRepair Android”,”true”,”

FilesUploadSection”,”false”,”Freemium”,”true”,”

GooglePlayServicesAvailable”,”true”,”HeaderSwitchSort”,”true”,”

IapRecoveryManager”,”true”,”InAppPurchases Android”,”true”,”

InstalledOnSdCard”,”false”,”IntuneLogging”,”true”,”IsDataCleared”,”false”,”

IsIntentional”,”0”,”JoinOpenPublicBeta”,”true”,”LGOffer”,”false”,”

LegacyEventName”,”AppState/ProcessStart”,”LensSDKBulkMode”,”false”,”

LensSDKCropMagniﬁer”,”true”,”LensSDKInk”,”true”,”LensSDKPageLimit

”,”10”,”LensSDKPhotoModeTheme”,”true”,”LensSDKScan”,”true”,”

LensSDKSnapToEdge”,”true”,”LensSDKTapToSelect”,”true”,”

LensSDKTelemetry”,”false”,”LensSDKTextStickers”,”true”,”

LocalFolderCovers”,”false”,”LocalPhotoVideoStreams”,”1”,”LogsToFabric”,”

false”,”LoopDetection”,”true”,”MAMAllowedAccounts”,”true”,”

MarqueeSelect”,”true”,”MassDeletePushNotiﬁcationAction”,”1”,”

MediaTAScanSetMetadata”,”true”,”MediaTAScanVault”,”true”,”

MediaTAScanWithClientToken”,”false”,”MediaTAScan v4”,”true”,”

MobileNetworkSetting”,”settings wiﬁ only”,”MultiPageDocScan”,”true”,”

MultiPageDocScanODB”,”true”,”Name”,”Legacy/AppState/ProcessStart”,”

NativeCrashReportToFabric”,”false”,”NetworkChoice”,”Unset”,”

NewExperienceForBeta”,”true”,”NewOdcSaveAs”,”true”,”

NewSamsungFlow v2”,”0”,”NewUiAB”,”1”,”NewUiSurvey”,”false”,”

NotiﬁcationChannels”,”true”,”NotiﬁcationsBlocked”,”false”,”

NotiﬁcationsHistory Android”,”true”,”NotiﬁcationsSettings”,”true”,”

O365ChunkUploading”,”true”,”ODBCameraBackup”,”true”,”

ODBEmbeddedViewer v1”,”true”,”ODBPhotosView”,”true”,”

ODBRemoveFromSharedList”,”false”,”ODCExpirationLinks”,”true”,”

OdbDocCreation”,”false”,”OdbFreUpsell”,”false”,”OdbGetChangesForShared

”,”true”,”OdbNotiﬁcations”,”true”,”OdbSharingDialog”,”true”,”

OdbVRoomSharedWithMe2”,”true”,”OdcBundleSharing”,”false”,”

OdcHevcStreaming2”,”true”,”OdcSharingDialog”,”false”,”

OdcSharingGoPremium”,”true”,”OdcSharingLearnMore”,”true”,”

OdcWebSharingDialog”,”−1”,”OfferExpirationNotiﬁcations”,”true”,”

OfﬁceLensScanV2”,”true”,”OfﬁcePdfPreview”,”true”,”OfﬁcePdfPreviewOdb

”,”true”,”OfﬁceUpsellSamsungPromotion”,”false”,”OfﬂineFoldersBusiness”,”

true”,”OfﬂineFoldersPersonal”,”true”,”OfﬂineNotiﬁcation Android”,”true”,”

OnBoardingUI”,”false”,”OnThisDay”,”false”,”OneDriveApiChunkFileUpload

”,”false”,”OneDriveApiFileDownload”,”true”,”OneDriveApiSingleFileUpload

”,”true”,”OneRmCampaigns”,”true”,”OutlookUpsellSamsungPromotionAB

”,”0”,”PDFLocalNotiﬁcation”,”true”,”PdfCrossFade”,”true”,”PeopleCard”,”

true”,”PhotosSearch”,”true”,”PhotosUploadSection”,”true”,”PowerLift”,”true

”,”PreVersion1RestoreAccessToken”,”false”,”

PreVersion1RestoreAccessTokenUrl”,”https://onedrive.live.com/?v=restore”,”

PreinstallManufacturer”,”Samsung”,”ProjectZeroUpsell”,”false”,”

PurchaseSuccess2”,”−1”,”QuotaPushNotiﬁcationAction”,”true”,”

RansomwareHandling”,”true”,”RecoverFromEmptyOwnerCid”,”true”,”

RefreshUIWhenOnePageSynced”,”true”,”

RemoveSecondCameraBackupDialog”,”true”,”RepositioningExperiment

”,”−1”,”RestoreOneDriveEnableCookies”,”true”,”RestoreOneDriveEntryPoint

”,”true”,”ResyncWhenMetadataCorrupted2”,”false”,”

RetryWhenMediaTAServiceError”,”true”,”SampleRate”,”1”,”

SamplingNonReportingDevice”,”true”,”SamsungAllowlistedRamp”,”

testRamp”,”SamsungDeal”,”true”,”SamsungOfferId”,”ProjectZeroPointOne”,”

SamsungOfferUpsellExperimentEvent”,”NA”,”SamsungOfferYears”,”1”,”

SamsungStorageAmount”,”100”,”Scan

Android”,”true”,”SendFeedback”,”

true”,”ServiceDrivenPositioning”,”true”,”ShakeToSendFeedback”,”true”,”

ShareCustomization Android”,”true”,”SharingLink ODB Android”,”true”,”

ShowFileExtensionsSetting”,”false”,”ShowReauthInvalidToken”,”true”,”

SkyDriveViewModelMarch”,”true”,”Snackbar”,”true”,”SoloAnnual”,”false”,”

SonyOffer”,”false”,”SortExtensions”,”true”,”StreamingUploadWriteBack”,”

false”,”SuggestAnIdea”,”false”,”SwitchToModernRateDialog”,”true”,”

SyncAlternatePhotoFolders”,”true”,”SyncSignalOverError”,”false”,”

Team Sites”,”true”,”ThrottleLoops”,”true”,”

ThumbnailAndStreamingTelemetry”,”true”,”ThumbnailLoadingSamplingRate

”,”500”,”TitleBarSharingIcon”,”1”,”TryImageToDocWhenMediaTAFailed”,”

true”,”UpsellSharepoint”,”false”,”UseOneDriveApi”,”false”,”

UseUserCidForStreamCacheFolder”,”true”,”UserAgent”,”OneDrive for

Android/5.40.5 (Android/10; en−GB; samsung/SM−G960F)”,”

UserEngagementState”,”LOW”,”UserInfo.Language”,”en−GB”,”UserInfo.

TimeZone”,”+01:00”,”UserQuotaStateMessaging”,”true”,”VaultEnabled V2

”,”true”,”VaultFixTokenExpirationTime”,”true”,”VideoPlayerUseHLS”,”true

”,”VideoUploadSetting”,”true”,”VroomVideoStreaming”,”true”,”WORKSITE

”,”true”,”Week1RetentionNotiﬁcation2”,”true”,”

Week1RetentionNotiﬁcationExperiment”,”25”,”WhiteboardSharing”,”true”,”

WriteBackSupport”,”true”,”XplatDetectInvalidToken”,”true”,”ai.device.id”,”

91750293-82bd-41bd-ba5b-8a9b7f0623a4”,”ariaAIDataValidate”,”9c7bb3cb

−2d3b−4965−89fa−00b38c31a841”,”eventpriority”,”Normal”,”telemetryType

”,”customEvent”],”RecordType”:1,”PIIExtensions”:[],”

TypedExtensionBoolean”:[],”TypedExtensionDateTime”:[],”

TypedExtensionInt64”:[],”TypedExtensionDouble”:[],”TypedExtensionGuid

”:[],”CustomerContentExtensions”:[]},{”Id”:”0d223013−86e2−43fd−8904−

bb68e129d8fe”,”Timestamp”:1617194703872,”Type”:”custom”,”EventType

”:”qosmobile”,”Extension”:[”AppInfo.Id”,”OneDrive Android”,”AppInfo.

Language”,”en−GB”,”AppInfo.Version”,”5.40.5”,”BuildType”,”Prod”,”

DeviceInfo.Id”,”cff4bd4ddb34000b”,”DeviceInfo.Make”,”samsung”,”

DeviceInfo.Model”,”SM−G960F”,”DeviceInfo.NetworkCost”,”Unknown”,”

DeviceInfo.NetworkType”,”Wiﬁ”,”DeviceInfo.OsBuild”,”G960FXXU8DTC5

”,”DeviceInfo.OsName”,”Android”,”DeviceInfo.OsVersion”,”10”,”DeviceInfo

.SDKUid”,”dac15d07−c41e−4121−b672−c46f1496da7c”,”Environment”,”

Unknown”,”EventCategory”,”CrashReporting/PreviousProcessDetected”,”

EventInfo.InitId”,”b21ec774−7477−4be5−a971−fd031e14efd8”,”EventInfo.

Name”,”qosmobile”,”EventInfo.SdkVersion”,”ACT−Android−Java−no

−3.0.12.0−ECS”,”EventInfo.Sequence”,”1”,”EventInfo.Source”,”

act default source”,”EventInfo.Time”,”2021−03−31T12:45:03.872Z”,”

EventName”,”QoS/CrashReporting/PreviousProcessDetected”,”

EventSchemaVersion”,”20”,”EventType”,”QoS”,”IsIntentional”,”0”,”Name”,”

QoS/CrashReporting/PreviousProcessDetected”,”ResultCode”,”

CrashReporting/PreviousProcessDetected”,”ResultType”,”Success”,”

SampleRate”,”1”,”UserAgent”,”OneDrive for Android/5.40.5 (Android/10;

en−GB; samsung/SM−G960F)”,”UserInfo.Language”,”en−GB”,”UserInfo.

TimeZone”,”+01:00”,”ai.device.id”,”91750293-82bd-41bd-ba5b-

8a9b7f0623a4”,”eventpriority”,”Normal”],”RecordType”:1,”PIIExtensions

”:[],”TypedExtensionBoolean”:[],”TypedExtensionDateTime”:[],”

TypedExtensionInt64”:[],”TypedExtensionDouble”:[],”TypedExtensionGuid

”:[],”CustomerContentExtensions”:[]},{”Id”:”e0d3e236−9bab−49ea−84a9−

b28a572d77d6”,”Timestamp”:1617194704262,”Type”:”custom”,”EventType