
Galaxy Buds3 Pro

Serious concerns
Samsung · 🇰🇷 South Korea · Bluetooth
Technical details
FCC ID: A3LSMR630L
Chipset: Samsung/Broadcom BCM43xxx series
App: com.samsung.accessory.paranmgr
Manufacturer: Samsung

⚠️ The bottom line

Samsung says your personal data stays on your device, but the earbuds app demands access to your calendar, call history, contacts, and phone numbers. Earbuds don't need to read your call log or calendar to play music. Samsung's own Customisation Service admits it collects this data with no way to opt out. Samsung frames data collection as improving your experience, but they admit it may count as "selling" your data under privacy laws. They share your information with ad networks, marketing partners, and data brokers. They say biometric data stays on your phone — but the heart rate data from these earbuds goes to Samsung Health's cloud, not just your device.

Legal jurisdiction
🇰🇷 South Korea (headquarters)
PIPA
Strict data protection (has fined Google and Meta), but the National Intelligence Service has broad surveillance powers.
Spying: 4/4 EXTREME (Is someone spying on me?)
Data Sharing: 4/4 EXTREME (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 4/4 EXTREME (Can I trust what they say?)
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
11 contradictions: 3 critical, 4 high, 4 medium. 4 sources.
Findings by concern
Spying 4/4 EXTREME 6 findings
⚠️ Critical: policy claims vs app permissions
Samsung says your personal data stays on your device, but the earbuds app demands access to your calendar, call history, contacts, and phone numbers. Earbuds don't need to read your call log or calendar to play music. Samsung's own Customisation Service admits it collects this data with no way to opt out.

What they claim: Samsung's privacy policy states biometric data "remains on your device and is not transferred to or accessed or obtained by Samsung." The Galaxy Wearable Privacy Notice says precise geolocation is only collected with explicit user permission.

What we found: The Galaxy Buds3 Pro Manager app (com.samsung.accessory.paranmgr) requests 36 permissions including READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_PHONE_NUMBERS, READ_PHONE_STATE, READ_LOGS, GET_ACCOUNTS, QUERY_ALL_PACKAGES, and WRITE_SECURE_SETTINGS. These permissions grant access to calendar events, call history, contact lists, phone numbers, device logs, and the ability to modify secure system settings — none of which are required to play audio through earbuds. Samsung's Customisation Service confirms it collects contacts, calendar, call/message history, and app usage with no opt-out available.

⚠️ Critical: policy claims vs regulatory findings
Samsung frames data collection as improving your experience, but they admit it may count as "selling" your data under privacy laws. They share your information with ad networks, marketing partners, and data brokers. They say biometric data stays on your phone — but the heart rate data from these earbuds goes to Samsung Health's cloud, not just your device.

What they claim: Samsung's privacy policy states it uses data to "provide services" and "develop new products" — framing data collection as service improvement. The policy also states biometric data remains on-device.

What we found: Samsung's own privacy policy acknowledges that sharing personal information for personalized advertising "may be considered a sale of personal information" under state privacy laws. Mozilla's Privacy Not Included rates Samsung Galaxy Buds as "Very Creepy" and confirms Samsung "sells identifiers and online activity of users for cross-context behavioral advertising." Samsung shares data with affiliates, business partners, wireless carriers, ad networks, marketing partners, and data analytics providers. The biometric data claim covers fingerprints and face data but does not explicitly cover heart rate PPG data collected by the Galaxy Buds3 Pro's health sensor; this data flows to Samsung Health cloud.

⚠️ Critical: app permissions vs firmware analysis
This app is supposed to manage your earbuds, but it demands permissions to dump your phone's system data, read all system logs, modify secure settings, and control your lock screen. No earbuds app needs these powers. The earbuds also connect to Samsung's advertising and analytics servers, confirming your usage data feeds Samsung's ad business.

What they claim: The Galaxy Buds3 Pro Manager is described as an earbuds management app for "device settings and status view." Samsung justifies permissions as needed for "voice notification function" and "device identification."

What we found: The app requests 36 permissions including DUMP (full system dump access), READ_LOGS (read system log files), WRITE_SECURE_SETTINGS (modify secure system settings), MANAGE_USERS (manage user profiles), INTERACT_ACROSS_USERS (access data across user profiles), KILL_BACKGROUND_PROCESSES, STATUS_BAR_SERVICE, CONTROL_KEYGUARD, DEVICE_POWER, and LOCAL_MAC_ADDRESS. These are system-level permissions that go far beyond managing earbuds — they provide deep device control and surveillance capabilities. The firmware connects to config.samsungads.com (advertising), analytics.samsungknox.com (analytics), and log-config.samsungrs.com (logging configuration), confirming data flows to Samsung's advertising and analytics infrastructure.

⚡ High: firmware analysis vs regulatory findings
Samsung filed these with the FCC as a simple "Bluetooth Headset" but they're actually a body-worn sensor array that monitors your heart rate, head movement, speech patterns, and audio environment. The FCC filing says nothing about the health sensors or always-on microphones. A serious security flaw lets strangers secretly connect and record through the microphones — Samsung first called this "working as intended."

What they claim: The FCC filing classifies the Galaxy Buds3 Pro as a "Bluetooth Headset" — a simple audio accessory. Samsung markets them as premium wireless earbuds.

What we found: The firmware reveals the Galaxy Buds3 Pro is actually a multi-sensor biometric monitoring platform: heart rate PPG sensor, bone-conduction sensor, triple high-SNR microphone array per earbud, accelerometer, gyroscope, wearing detection sensor, and AI-powered environmental audio analysis. CVE-2024-58101 (CVSS 8.5 High) demonstrates these sensors can be exploited — attackers can pair without user consent and activate microphone recording covertly. Samsung initially rejected this vulnerability as "working as intended." The FCC filing makes no mention of biometric sensors, health monitoring, or always-on microphone processing capabilities.

⚡ High: app permissions vs regulatory findings
Samsung says the earbuds app needs your calendar and contacts for "voice notifications." But Samsung's own advertising policy reveals this data feeds their ad platform. Your calendar events and contact list, accessed through an earbuds app, end up being used to target you with personalized ads across Samsung devices.

What they claim: Samsung's Play Store listing states the Galaxy Buds3 Pro Manager needs Calendar permission for "voice notification function" and Contacts for "voice notification function."

What we found: The app requests READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, and READ_PHONE_NUMBERS. Samsung's Customisation Service privacy notice reveals these permissions feed data to Samsung's advertising platform: "you may see relevant advertising based on your Samsung Account data and information collected through the Customization Service, including app usage, search terms and/or internet browsing history." Calendar, contacts, and call log data collected under the guise of earbuds notifications is actually used for cross-device advertising profiling. Mozilla confirms Samsung sells user identifiers for cross-context behavioral advertising.

⚡ High: firmware analysis vs app permissions
Samsung sells Voice Detect as a handy feature that knows when you're talking. But this means the earbuds are always listening to determine if you're speaking. A proven security flaw allows strangers to secretly connect and record through the microphones. The app can also read your system logs and has internet access to send data to Samsung's servers.

What they claim: The Galaxy Buds3 Pro features Voice Detect and Conversation mode, which Samsung describes as convenience features that "automatically switch" audio modes when you start talking.

What we found: Voice Detect requires continuous microphone processing to detect human speech patterns — functionally equivalent to always-on speech monitoring. The bone conduction sensor provides a secondary voice detection channel. The companion app requests READ_LOGS and DUMP permissions, which could capture processed audio metadata and voice detection events. CVE-2024-58101 proves the microphone can be activated without user consent via unauthorized Bluetooth pairing. Combined with the app's INTERNET permission and connections to Samsung analytics servers, voice detection metadata could be transmitted to Samsung without explicit user awareness.

Data Sharing 4/4 EXTREME 3 findings
⚡ High: policy claims vs firmware analysis
Samsung says they only track your location with permission. But your earbuds know when they're in your ears and your phone knows where you are — Samsung combines both to build an activity timeline of your day. The earbuds connect to Samsung's analytics and advertising servers, and Samsung admits there's no way to opt out of usage tracking for some data types.

What they claim: Samsung's Galaxy Wearable Privacy Notice says location data is only collected "with your permission" and the device "notifies you when a feature needs to collect your precise geolocation."

What we found: The firmware connects to endpoints including analytics.samsungknox.com, config.samsungads.com, and log-config.samsungrs.com. The companion app requests ACCESS_WIFI_STATE and CHANGE_WIFI_STATE which can be used for Wi-Fi-based location inference without GPS permission. The Customisation Service privacy notice confirms Samsung collects location via GPS and Wi-Fi with no opt-out for app usage statistics. Combined with wearing detection data (knowing when earbuds are in your ears) and the paired phone's location, Samsung can build a detailed activity timeline without the earbuds themselves having GPS.

⚫ Medium: firmware analysis vs regulatory findings
Samsung's "360 Audio" feature tracks your head movements all day — they know when you're nodding, shaking your head, walking, sitting still, or exercising. Combined with knowing when the earbuds are in your ears and where your phone is, Samsung can build a detailed picture of your daily activities. None of this is mentioned in the FCC filing or marketing materials.

What they claim: Samsung markets the Galaxy Buds3 Pro as featuring "360 Audio with head tracking" for immersive spatial audio experiences.

What we found: Head tracking requires continuous accelerometer and gyroscope data from the earbuds, transmitted to the paired phone in real-time. This motion data reveals head orientation, movement patterns, nodding/shaking gestures, and activity type (walking, sitting, exercising). Combined with wearing detection data and phone location, Samsung can infer: when you're commuting (motion patterns), when you're in meetings (stationary + speaking), when you're exercising (high motion), and when you're sleeping (wearing detection off). Neither the FCC filing nor Samsung's marketing materials disclose that head tracking data could be used for behavioural profiling or fed into Samsung's advertising platform.

⚫ Medium: policy claims vs firmware analysis
Samsung says they only keep your data as long as needed, but they never say how long that actually is. Your heart rate readings from these earbuds go to Samsung's health cloud, get combined with your location data, and could be kept indefinitely. The earbuds also connect to Samsung's advertising servers, so your health and activity data may be used for ad targeting.

What they claim: Samsung's privacy policy states data retention is "only for as long as is necessary for the purpose for which it was collected." Samsung presents earbuds as a personal audio device.

What we found: The firmware connects to 12 Samsung server endpoints including shealth.samsung.com (Samsung Health cloud), config.samsungads.com (advertising configuration), and analytics.samsungknox.com (analytics platform). Heart rate PPG data flows to Samsung Health cloud where it is combined with location data to create a geolocated health timeline. Samsung's data privacy framework acknowledges that data may be shared internationally across Samsung subsidiaries. No specific retention period is disclosed for wearable sensor data, meaning Samsung could retain years of heart rate, head movement, and wearing pattern data indefinitely.

Security 3/4 HIGH 1 finding
⚫ Medium: app permissions vs firmware analysis
To use these earbuds, you must install two apps that together request over 100 permissions on your phone. The earbuds manager alone demands the ability to read your system logs, dump system data, and modify secure settings — powers normally reserved for the phone manufacturer. A previous version of this app was caught leaking your device identifiers through logs, and the current version still has access to those same logs.

What they claim: The Galaxy Buds3 Pro Manager is described as a component app that "does not work alone" — it requires the Galaxy Wearable app to be installed first.

What we found: This two-app requirement means users must install both Galaxy Wearable (71 permissions) and Galaxy Buds3 Pro Manager (36 permissions) to use their earbuds — potentially over 100 unique permissions combined. The Buds Manager alone requests system-level permissions (DUMP, READ_LOGS, WRITE_SECURE_SETTINGS, MANAGE_USERS) that are typically reserved for device manufacturers and system apps. CVE-2022-39893 demonstrated that the previous Galaxy Buds Pro Manager leaked device identifiers through log files — the current app still requests READ_LOGS permission, meaning the same class of vulnerability could persist.

Honesty 4/4 EXTREME 1 finding
⚫ Medium: policy claims vs app permissions
Samsung says they only collect data with your consent. But the earbuds app can see every app on your phone and starts itself automatically every time you turn on your phone. Samsung admits you can't opt out of some data collection — your only choice is to uninstall the app, which means you can't use your earbuds.

What they claim: Samsung's privacy policy emphasises user choice and consent: promotional content is sent only "where you have given us your separate consent." The Galaxy Wearable Privacy Notice frames data collection as transparent and permission-based.

What we found: The companion app requests QUERY_ALL_PACKAGES (can see every app installed on your phone), GET_ACCOUNTS (access to all accounts on device), and RECEIVE_BOOT_COMPLETED (starts automatically when phone boots). Samsung's Customisation Service admits there is no opt-out for collecting Samsung Health data, calendar events, app usage statistics, or music/photo collection data. Despite claiming consent-based data collection, Samsung's own privacy notices reveal mandatory data collection that cannot be disabled without uninstalling the app entirely.
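The permission-based findings above (the Spying, Security and Honesty entries that list what the companion app declares) amount to a manual audit; the script below is an added example, not code from this report or from Samsung, that does the same bucketing over an `aapt dump permissions` listing: system-level, personal-data, expected for an earbud companion, or needing review. The sample dump, the package name and the `EXPECTED` baseline are constructed assumptions; only the permission names are taken from the findings.

```python
"""Bucket an Android companion app's declared permissions against an earbud-app baseline."""
import re

# Constructed sample in the shape of `aapt dump permissions <apk>` output: the names
# mirror the findings, but the package and the exact set are illustrative, not the real app.
SAMPLE_DUMP = """\
package: com.example.buds.manager
uses-permission: name='android.permission.BLUETOOTH_CONNECT'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CALENDAR'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.DUMP'
uses-permission: name='android.permission.READ_LOGS'
uses-permission: name='android.permission.WRITE_SECURE_SETTINGS'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

# Signature/privileged protection level in AOSP: only platform-signed or preloaded apps
# hold these, so they indicate system reach far beyond an accessory manager.
SYSTEM_LEVEL = {"DUMP", "READ_LOGS", "WRITE_SECURE_SETTINGS", "MANAGE_USERS",
                "INTERACT_ACROSS_USERS", "CONTROL_KEYGUARD", "DEVICE_POWER",
                "LOCAL_MAC_ADDRESS", "STATUS_BAR_SERVICE"}
# Runtime ("dangerous") permissions exposing personal data unrelated to audio playback.
PERSONAL_DATA = {"READ_CALENDAR", "READ_CALL_LOG", "READ_CONTACTS",
                 "READ_PHONE_NUMBERS", "READ_PHONE_STATE", "GET_ACCOUNTS"}
# Assumed baseline for a Bluetooth earbud companion: pairing, firmware download, alerts.
EXPECTED = {"BLUETOOTH_CONNECT", "BLUETOOTH_SCAN", "INTERNET", "POST_NOTIFICATIONS"}

PERM_RE = re.compile(r"uses-permission(?:-sdk-23)?: name='([\w.]+)'")

def parse_permissions(dump):
    """Return declared permissions as sorted short names (INTERNET, not android.permission.INTERNET)."""
    return sorted(m.group(1).rsplit(".", 1)[-1] for m in PERM_RE.finditer(dump))

def audit(dump):
    """Bucket permissions; 'beyond_baseline' counts everything an earbud app should not need."""
    report = {"system_level": [], "personal_data": [], "expected": [], "review": []}
    for perm in parse_permissions(dump):
        if perm in SYSTEM_LEVEL:
            report["system_level"].append(perm)
        elif perm in PERSONAL_DATA:
            report["personal_data"].append(perm)
        elif perm in EXPECTED:
            report["expected"].append(perm)
        else:
            report["review"].append(perm)
    report["beyond_baseline"] = sum(len(report[k]) for k in ("system_level", "personal_data", "review"))
    return report
```

Anything in `system_level` on a third-party app is the strongest signal, since a normal Play Store app cannot be granted it; `review` entries such as QUERY_ALL_PACKAGES and RECEIVE_BOOT_COMPLETED need a case-by-case justification from the vendor.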

What happened to real people
Documented incidents involving Samsung products and user data.
Lapsus$ stole 190GB of Samsung source code including biometric unlock algorithms and bootloader source. Potentially compromises security of every Galaxy device.
What your data is worth to governments
Jurisdiction: KR (Korean National Intelligence Service Act).
Sources