A US National Security Agency-supported study has found that more than 1,000 Android apps gather user data even when the user explicitly refuses consent.
A group of researchers from the International Computer Science Institute (ICSI) developed a technique for identifying vulnerabilities in the Android ‘permissions’ system, which controls which categories of user data can be accessed by different apps. The researchers tested the 88,113 most popular apps on Google’s Play Store, representing most of the apps that people use.
The researchers found that 1,325 of these apps were collecting data, including IMEI number and location data, against the users’ explicit wishes.
In some of these cases, the apps were able to collect this data through another app which had been granted permission to collect it. This can be achieved even if the two apps are not directly related, provided they have been built using the same software development kit (SDK), which effectively allows them to ‘talk’ to each other and exchange information.
Eight apps, including ones developed by Disney (Hong Kong Disneyland and Shanghai Disney Resort apps) and Samsung (Browser and Health apps), were found to be using this technique via Baidu apps to collect the IMEI number. While only 13 apps were found to use this covert channel (with a further 159 having the ability to get this access), the apps had been downloaded more than 17 million times.
Image publishing app Shutterfly was found to be sending precise GPS coordinates back to its servers without permission. It was able to access this information by harvesting the data from photograph metadata. Shutterfly was one of 70 apps sending location data to 45 different destinations without permission. Other apps – including three Peel smart remote control apps – were able to gather location data by connecting to a local Wi-Fi network and obtaining the router’s MAC address (which is used to send data inside a local network to the correct devices). More than 12,000 other apps had the ability to use this channel to acquire data covertly.
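The photo-metadata channel described above can be audited from the defender's side before an image is shared. The Python sketch below is an added example, not code from the study or from any app named in this article: it walks a JPEG's EXIF block and reports whether a GPS directory with latitude and longitude is present. The function names are hypothetical and the sample image is constructed inline.

```python
import struct

# 0x8825 is the IFD0 tag that points at the GPS sub-directory
GPS_IFD_POINTER, GPS_LATITUDE, GPS_LONGITUDE = 0x8825, 0x0002, 0x0004

def _read_ifd(tiff, offset, endian):
    """Return {tag: value field} for the TIFF directory at `offset`."""
    if offset + 2 > len(tiff):
        return {}
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        if pos + 12 > len(tiff):  # truncated directory: stop instead of raising
            break
        tag, _type, _n, value = struct.unpack_from(endian + "HHII", tiff, pos)
        entries[tag] = value
    return entries

def exif_gps_tags(jpeg):
    """Return the set of GPS tag ids in a JPEG's EXIF block (empty if none)."""
    if jpeg[:2] != b"\xff\xd8":
        return set()
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        payload = jpeg[pos + 4 : pos + 2 + length]
        if marker == 0xE1 and payload[:6] == b"Exif\x00\x00":
            tiff = payload[6:]
            endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
            if endian is None or len(tiff) < 8:
                return set()
            (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
            gps = _read_ifd(tiff, ifd0, endian).get(GPS_IFD_POINTER)
            return set(_read_ifd(tiff, gps, endian)) if gps else set()
        if marker == 0xDA or length < 2:  # start of scan or corrupt length
            break
        pos += 2 + length
    return set()

def leaks_location(jpeg):
    return {GPS_LATITUDE, GPS_LONGITUDE} <= exif_gps_tags(jpeg)

def build_sample(with_gps):
    """Constructed input: minimal JPEG/EXIF, optionally with a GPS directory."""
    entry = lambda *f: struct.pack("<HHII", *f)  # tag, type, count, value
    first = entry(GPS_IFD_POINTER, 4, 1, 26) if with_gps else entry(0x0112, 3, 1, 1)
    gps = struct.pack("<H", 2) + entry(GPS_LATITUDE, 5, 3, 0) + entry(GPS_LONGITUDE, 5, 3, 0) + bytes(4)
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1) + first + bytes(4) + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xff\xd9"
```

An image for which `leaks_location` returns true still carries coordinates that any app with access to the file can read, whether or not that app holds the location permission.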
“By circumventing the permissions system, apps are able to exfiltrate data to their own servers and even third parties in ways that are likely to defy users’ expectations (and societal norms), particularly if it occurs after having just denied an app’s explicit permission request,” the authors wrote in their paper (PDF).
“Thus, the behaviours that we document in this paper constitute clear privacy violations. From a legal and policy perspective, these practices are likely to be considered deceptive or otherwise unlawful.”
The findings were presented at the US Federal Trade Commission (FTC)’s PrivacyCon at the end of June. They have been disclosed to both the FTC and Google, from which they received a bug bounty. Google has stated that it will address these issues in its major upcoming software update, Android Q, which is expected to arrive later this year.
A Vanderbilt University study published last year found that Android smartphones may be collecting almost ten times more user data than Apple iOS handsets.