Thousands of Android apps harvest data without permission
Researchers from International Computer Science Institute have found that apps are able to bypass permissions and obtain user data from other apps and GPS coordinates.
BERKELEY, CALIFORNIA — A joint report from the International Computer Science Institute and AppCensus, a company that examines how much data an app is collecting from a user, has found that 1,325 Android apps are able to gather location data and unique device identifiers — such as the IMEI of a device — even if users haven't given the apps permission to do so.
Their findings were presented at the Federal Trade Commissions' PrivacyCon at the end of last month.
A total of 70 apps including Shutterfly, a photo-editing app, were found gathering geolocation data through images taken by users and sending the data to their own servers. The apps were able to bypass Android permissions and gather user data through Wi-Fi connection and by accessing the metadata stored in photos.
Thirteen other Android apps, including Baidu's Hong Kong Disneyland park app, were found looking through hidden files stored in the SD card folder. The apps were able to access data they didn't have permission for because it was stored in the files.
Researchers added that 153 additional apps, including Samsung's Health and Browser apps, also have this ability.
The report noted that three smart remote control apps were harvesting location data by connecting to a user's Wi-Fi network and by accessing the router's MAC address.
Google told CNet it will be addressing these issues in its software update, Android Q.
Serge Egelman, research director of Usable Security & Privacy at the Institute, said at the FTC conference that consumers have few tools they can use to control and make decisions about their privacy.
He said, "If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless."
The study looked at more than 88,000 Android apps from the Google Play store.
According to CNet, Egelman will be releasing details and a list of the 1,325 Android apps in August, when he presents the study at the Usenix Security conference.
NEXT ON TOMONEWS
Louisiana man arrested in copycat Blue Bell ice cream licking video