More than 1,000 Android apps "deceptively" harvest personal data

The apps circumvent Android permissions designed to keep personal data out of the hands of developers

android figure

Researchers have discovered more than 1,000 Android apps have the power to share and receive personal information even when the user explicitly forbids the collection of data.

The findings were presented to attendees at PrivacyCon 2019 in the US, and they don't just focus on obscure apps. Indeed, big name firms including Disney and Samsung were cited for releasing apps that flout the privacy conventions users have come to expect.

All of the affected apps share one commonality - they all run on the same software developer kit (SDK). The one in question here is made by Chinese tech giant Baidu with help from an analytics firm called Salmonads.

SDKs are sets of tools given to developers to make building applications easier - like a framework on which to base the project instead of having to code it all from scratch. It's like if all VW Polos, Audi S3s and Ford Focus' were built using the same axel - they're all different but share the same backbone.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Let's imagine there are two apps: App 1 and App 2. Both are built on the same Baidu SDK but the user has revoked permissions for App 1 to collect personal data. The user hasn't revoked App 2's data collection permissions, though. So, because of this, App 1 can still gather data from App 2's collection as they're both built on the same SDK.

In terms of what data has actually been collected, it's a bit of a mixed bag. Device MAC addresses were the most pervasively collected forms of data, but router MAC addresses and device IMEI numbers were also collected. In one particular case, GPS data was also gathered.

The app that collected GPS data is called Shutterfly and has been downloaded more than 138,000 times on the Google Play store at the time of publication. It collected GPS data using EXIF metadata from user images and sent it back to its own servers with no location permission.

"While this app may not be intending to circumvent the permission system, this technique can be exploited by a malicious actor to gain access to the user's location," read the study. "Whenever a new picture is taken by the user with geolocation enabled, any app with read access to the photo library can learn the user's precise location when said picture was taken.

"Furthermore, it also allows obtaining historical geolocation fixes with timestamps from the user, which could later be used to infer sensitive information about that user," it added.

In reference to the apps acquiring MAC address information, the researchers said Android natively protects access device and router MAC addresses with separate permissions. Regardless, they still observed apps accessing the addresses without having the permissions.

Advertisement - Article continues below

The apps gained access to the addresses with side-channels, using C++ native code to invoke a number of unguarded UNIX system calls. These methods were referred to as "deceptive" which could mislead even the most diligent user.

The US' Federal Trade Commission (FTC) has fined mobile operators and third-party libraries for exploiting side-channels and using MAC addresses to infer a user's location.

The researchers said that with the next version of the mobile operating system Android Q which is currently in beta, some of the issues outlined by their findings will be fixed, but that might not be good enough.

Android OS updates are not mandatory and many users, according to statistics, aren't very diligent when it comes to upgrading to the latest version - just 10.4% of Android users are on the latest Android 9 Pie installation, for example. 

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/security/vulnerability/354309/patch-issued-for-critical-windows-bug
vulnerability

Patch issued for critical Windows bug

11 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/data-insights/big-data/354311/google-reveals-uks-most-searched-for-terms-in-2019
big data

Google reveals UK’s most searched for terms in 2019

11 Dec 2019