More than 1,000 Android apps "deceptively" harvest personal data

The apps circumvent Android permissions designed to keep personal data out of the hands of developers

android figure

Researchers have discovered more than 1,000 Android apps have the power to share and receive personal information even when the user explicitly forbids the collection of data.

The findings were presented to attendees at PrivacyCon 2019 in the US, and they don't just focus on obscure apps. Indeed, big name firms including Disney and Samsung were cited for releasing apps that flout the privacy conventions users have come to expect.

Advertisement - Article continues below

All of the affected apps share one commonality - they all run on the same software developer kit (SDK). The one in question here is made by Chinese tech giant Baidu with help from an analytics firm called Salmonads.

SDKs are sets of tools given to developers to make building applications easier - like a framework on which to base the project instead of having to code it all from scratch. It's like if all VW Polos, Audi S3s and Ford Focus' were built using the same axel - they're all different but share the same backbone.

Let's imagine there are two apps: App 1 and App 2. Both are built on the same Baidu SDK but the user has revoked permissions for App 1 to collect personal data. The user hasn't revoked App 2's data collection permissions, though. So, because of this, App 1 can still gather data from App 2's collection as they're both built on the same SDK.

Advertisement - Article continues below
Advertisement - Article continues below

In terms of what data has actually been collected, it's a bit of a mixed bag. Device MAC addresses were the most pervasively collected forms of data, but router MAC addresses and device IMEI numbers were also collected. In one particular case, GPS data was also gathered.

The app that collected GPS data is called Shutterfly and has been downloaded more than 138,000 times on the Google Play store at the time of publication. It collected GPS data using EXIF metadata from user images and sent it back to its own servers with no location permission.

"While this app may not be intending to circumvent the permission system, this technique can be exploited by a malicious actor to gain access to the user's location," read the study. "Whenever a new picture is taken by the user with geolocation enabled, any app with read access to the photo library can learn the user's precise location when said picture was taken.

Advertisement - Article continues below

"Furthermore, it also allows obtaining historical geolocation fixes with timestamps from the user, which could later be used to infer sensitive information about that user," it added.

In reference to the apps acquiring MAC address information, the researchers said Android natively protects access device and router MAC addresses with separate permissions. Regardless, they still observed apps accessing the addresses without having the permissions.

The apps gained access to the addresses with side-channels, using C++ native code to invoke a number of unguarded UNIX system calls. These methods were referred to as "deceptive" which could mislead even the most diligent user.

The US' Federal Trade Commission (FTC) has fined mobile operators and third-party libraries for exploiting side-channels and using MAC addresses to infer a user's location.

The researchers said that with the next version of the mobile operating system Android Q which is currently in beta, some of the issues outlined by their findings will be fixed, but that might not be good enough.

Android OS updates are not mandatory and many users, according to statistics, aren't very diligent when it comes to upgrading to the latest version - just 10.4% of Android users are on the latest Android 9 Pie installation, for example. 

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020