Article image Over a thousand Android apps collecting data without permission

Ruben Fields
July 9, 2019

The researchers said they'd notified Google about the vulnerabilities in September previous year.

Researchers have found more than 1,000 Android apps that skirt around data protection restrictions that "protect" consumer privacy, collecting data even when users deny permission to the app to access their information.

This is made possible by the fact that many apps are build using the same software development kits (SDK); the owners of these kits are also receiving this data, allegedly. Researchers have now proved that apps are stealing your private data even after you deny permissions. These researchers found up to 1,325 Android apps remained unaffected even after the denial of the permissions.

ICC convicts Congo's Ntaganda of war crimes
Ntaganda surrendered on the United States embassy in within the Democratic Republic of Congo in 2013. The M23 riot neighborhood used to be at final defeated by Congolese authorities forces in 2013.

"Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it". Of these, they found 1,325 apps that violated the permission policy and relied on workarounds to retrieve user data without their knowledge. If a user let one app access data on an SD card, for example, another app without that permission could still read its contents. While the report says that only 13 Android apps used this technique to steal personal data, these apps were installed over 17 million times and include Baidu's Hong Kong Disneyland park app. 153 apps are capable of doing this including Samsung's Health and Browser apps, which are installed on over 500 million devices. The study finds that several apps circumvent the permission settings and are able to gain access to protected data by exploiting both covert and side channels. These apps obtain the MAC number that can identify the network adapter in Wi-Fi devices.

The study looked at over 88,000 apps on Google Play and tracked how data was transferred from the app when a user denied permissions. In a statement to CNET, Shutterfly said regardless of what the researchers found it only collects Global Positioning System data on those that give it permission.

These adverts are only available in some applications on certain operating system builds at the moment, and they do not seem to work as intended on Android Q, with the Share menu displaying the name of the current app instead of the one Microsoft is attempting to advertise.

Other reports by

Discuss This Article