You might think that you’re keeping your personal data private by not granting certain permissions to apps when you first use them. However, researchers discovered (via CNET) more than 1,000 Android apps that found ways to get around denied permissions, allowing them to access location data and other personal user information. The International Computer Science Institute (ICSI) says that it found as many as 1,325 apps in the Google Play Store that collected this data from users who had denied them permission to do so. The study was presented at PrivacyCon, hosted last month by the Federal Trade Commission (FTC).
The study took a look at 88,000 Android apps and investigated how they handled data when permissions were denied. What the study discovered was that as many as 1,325 apps had code written to take location data from metadata stored in photos and from Wi-Fi connections. Serge Egelman, director of usable security and privacy research at the ICSI, presented the data at the conference and said that Google was notified about this last September. The company said that it would address this issue with the release of Android Q, expected out later this quarter. Google will hide location information in photos from apps. It also will require apps that work with Wi-Fi to get permission to receive location data.
“Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it. If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless.” - Serge Egelman, director of usable security and privacy research, ICSI
Other apps scoop up personal information from other apps that have received permission to obtain it. The apps that were denied permission read the personal information from unprotected files on an SD card, where it was stored by another app that had been granted permission to collect it. While the report says that only 13 Android apps used this technique to steal personal data, these apps were installed over 17 million times and include Baidu’s Hong Kong Disneyland park app. 153 apps are capable of doing this, including Samsung’s Health and Browser apps, which are installed on over 500 million devices. Among the personal data that can be stolen with this method is a handset’s unique IMEI number. Other apps connect to a user’s Wi-Fi network to steal location data. These apps obtain the MAC address that can identify the network adapter in Wi-Fi devices. The report notes that apps used as smart remote controls often do this even though there is no legitimate reason for them to have a user’s location data.
The names of the 1,325 Android apps that steal personal data will be made public next month
As an example of how these workarounds are used in real life, the report noted that image publishing app Shutterfly took GPS coordinates from photos and sent that data to its servers even if the user didn’t grant the app permission to obtain his location data. A spokeswoman for the app denied this and said that it collects location data only with a user’s permission.
Egelman says that he will reveal the names of the 1,325 Android apps that collected personal data without permission. This will happen next month when he presents the report again, this time at the Usenix Security conference.