More than 1,000 Android apps discovered to harvest data even after you deny permissions

Researchers have found more than 1,000 Android apps that skirt around data protection restrictions that ‘protect’ consumer privacy, collecting data even when users deny permission to the app to access their information.

The study’s sample contained some 88,000 apps from the Google Play store. Researchers then investigated their data transfer process after the user denied them permission to access data. They found that 1,325 of them used workarounds to circumvent the denial, in order to collect data from sources across the phone’s software.

In the case of Android apps, researchers at the International Computer Science Institute found at least 1,300 apps from a pool of 88,000 studied that have no fewer than 50 ways to circumvent what you didn’t consent to on the Permissions screen. They span the entire range of categories, and the researchers also examined popular third-party SDKs and libraries, only to find them littered with code that can be used for storing personal user data.

One of the apps mentioned by name was Shutterfly, which is used for editing photos. The study found that it gathers GPS coordinates of where photos were taken and then sends the information to its own servers, regardless of whether users allowed or declined the app permission to access their location.

“Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and personalized product suggestions, all in accordance with Shutterfly’s privacy policy as well as the Android developer agreement,” a Shutterfly spokesperson said in a statement responding to the study.

The findings were presented at the Usenix Security Conference and highlight two common ways in which Play Store apps circumvent access restrictions. The first has to do with vulnerabilities in Android and in third-party SDKs, such as Unity, which somehow allows dozens of apps to store unique identifiers for your mobile device.

The second is “covert channels,” shorthand for clever or unorthodox ways in which an app shares user information with apps that don’t have the same permissions. For example, third-party libraries from Chinese companies Baidu and Salmonads use the SD card to store sensitive information that can then get passed to apps that shouldn’t technically have access to it. Mind you, there are 153 such apps that are installed on over 500 million devices.

Google rewarded the researchers for the findings and has promised to address the issues in Android Q, which is supposed to have a focus on privacy.

In any case, the company has an even bigger responsibility on its hands that it can’t ignore, as malicious apps can dwell in the Trending section of the Play Store long enough to affect hundreds of thousands of users.

When it comes to protecting our personal data, few of us take the time to address how much of it is gobbled up by tech companies, even though a few simple steps can help you do just that, and they cost nothing at all.
