More than 1,000 Android apps "deceptively" harvest personal data

The apps circumvent Android permissions designed to keep personal data out of the hands of developers

android figure

Researchers have discovered more than 1,000 Android apps have the power to share and receive personal information even when the user explicitly forbids the collection of data.

The findings were presented to attendees at PrivacyCon 2019 in the US, and they don't just focus on obscure apps. Indeed, big name firms including Disney and Samsung were cited for releasing apps that flout the privacy conventions users have come to expect.

All of the affected apps share one commonality - they all run on the same software developer kit (SDK). The one in question here is made by Chinese tech giant Baidu with help from an analytics firm called Salmonads.

SDKs are sets of tools given to developers to make building applications easier - like a framework on which to base the project instead of having to code it all from scratch. It's like if all VW Polos, Audi S3s and Ford Focus' were built using the same axel - they're all different but share the same backbone.

Let's imagine there are two apps: App 1 and App 2. Both are built on the same Baidu SDK but the user has revoked permissions for App 1 to collect personal data. The user hasn't revoked App 2's data collection permissions, though. So, because of this, App 1 can still gather data from App 2's collection as they're both built on the same SDK.

In terms of what data has actually been collected, it's a bit of a mixed bag. Device MAC addresses were the most pervasively collected forms of data, but router MAC addresses and device IMEI numbers were also collected. In one particular case, GPS data was also gathered.

The app that collected GPS data is called Shutterfly and has been downloaded more than 138,000 times on the Google Play store at the time of publication. It collected GPS data using EXIF metadata from user images and sent it back to its own servers with no location permission.

"While this app may not be intending to circumvent the permission system, this technique can be exploited by a malicious actor to gain access to the user's location," read the study. "Whenever a new picture is taken by the user with geolocation enabled, any app with read access to the photo library can learn the user's precise location when said picture was taken.

"Furthermore, it also allows obtaining historical geolocation fixes with timestamps from the user, which could later be used to infer sensitive information about that user," it added.

In reference to the apps acquiring MAC address information, the researchers said Android natively protects access device and router MAC addresses with separate permissions. Regardless, they still observed apps accessing the addresses without having the permissions.

The apps gained access to the addresses with side-channels, using C++ native code to invoke a number of unguarded UNIX system calls. These methods were referred to as "deceptive" which could mislead even the most diligent user.

The US' Federal Trade Commission (FTC) has fined mobile operators and third-party libraries for exploiting side-channels and using MAC addresses to infer a user's location.

The researchers said that with the next version of the mobile operating system Android Q which is currently in beta, some of the issues outlined by their findings will be fixed, but that might not be good enough.

Android OS updates are not mandatory and many users, according to statistics, aren't very diligent when it comes to upgrading to the latest version - just 10.4% of Android users are on the latest Android 9 Pie installation, for example. 

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Hackers demand ransom from therapy patients after clinic data breach
Security

Hackers demand ransom from therapy patients after clinic data breach

27 Oct 2020
Amazon sacks employee over data breach
Security

Amazon sacks employee over data breach

27 Oct 2020
Zoom starts rolling out end-to-end encryption for all users
Security

Zoom starts rolling out end-to-end encryption for all users

27 Oct 2020
Insider data breaches set to increase due to remote work shift
data breaches

Insider data breaches set to increase due to remote work shift

26 Oct 2020

Most Popular

How Liberty navigated a site relaunch during a pandemic
Sponsored

How Liberty navigated a site relaunch during a pandemic

8 Oct 2020
Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Politicians need to stop talking about technology
Policy & legislation

Politicians need to stop talking about technology

21 Oct 2020