More than 1,000 Android apps "deceptively" harvest personal data

The apps circumvent Android permissions designed to keep personal data out of the hands of developers

Researchers have discovered more than 1,000 Android apps have the power to share and receive personal information even when the user explicitly forbids the collection of data.

The findings were presented to attendees at PrivacyCon 2019 in the US, and they don't just focus on obscure apps. Indeed, big name firms including Disney and Samsung were cited for releasing apps that flout the privacy conventions users have come to expect.

All of the affected apps share one commonality - they all run on the same software developer kit (SDK). The one in question here is made by Chinese tech giant Baidu with help from an analytics firm called Salmonads.

SDKs are sets of tools given to developers to make building applications easier - like a framework on which to base the project instead of having to code it all from scratch. It's like if all VW Polos, Audi S3s and Ford Focus' were built using the same axel - they're all different but share the same backbone.

Let's imagine there are two apps: App 1 and App 2. Both are built on the same Baidu SDK but the user has revoked permissions for App 1 to collect personal data. The user hasn't revoked App 2's data collection permissions, though. So, because of this, App 1 can still gather data from App 2's collection as they're both built on the same SDK.

In terms of what data has actually been collected, it's a bit of a mixed bag. Device MAC addresses were the most pervasively collected forms of data, but router MAC addresses and device IMEI numbers were also collected. In one particular case, GPS data was also gathered.

The app that collected GPS data is called Shutterfly and has been downloaded more than 138,000 times on the Google Play store at the time of publication. It collected GPS data using EXIF metadata from user images and sent it back to its own servers with no location permission.

"While this app may not be intending to circumvent the permission system, this technique can be exploited by a malicious actor to gain access to the user's location," read the study. "Whenever a new picture is taken by the user with geolocation enabled, any app with read access to the photo library can learn the user's precise location when said picture was taken.

"Furthermore, it also allows obtaining historical geolocation fixes with timestamps from the user, which could later be used to infer sensitive information about that user," it added.

In reference to the apps acquiring MAC address information, the researchers said Android natively protects access device and router MAC addresses with separate permissions. Regardless, they still observed apps accessing the addresses without having the permissions.

The apps gained access to the addresses with side-channels, using C++ native code to invoke a number of unguarded UNIX system calls. These methods were referred to as "deceptive" which could mislead even the most diligent user.

The US' Federal Trade Commission (FTC) has fined mobile operators and third-party libraries for exploiting side-channels and using MAC addresses to infer a user's location.

The researchers said that with the next version of the mobile operating system Android Q which is currently in beta, some of the issues outlined by their findings will be fixed, but that might not be good enough.

Android OS updates are not mandatory and many users, according to statistics, aren't very diligent when it comes to upgrading to the latest version - just 10.4% of Android users are on the latest Android 9 Pie installation, for example. 

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021
Report: Security staff excluded from app development
cyber security

Report: Security staff excluded from app development

20 Jan 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

20 Jan 2021

Most Popular

Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021