Permissions on Android apps can be turned on, turned off, or operated with restrictions. But even when permission settings have been deactivated, some apps have been getting around the restriction and continuing to collect data. A new finding shows how over 1,000 apps (1,325 in total) have avoided restrictions and have been collecting specific geolocation data together with smartphone identifiers, without device users being aware.
This discovery comes from a consortium of researchers (under the auspices of the non-profit International Computer Science Institute) who have put together a white paper titled “50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System”. The study finds that several apps circumvent the permission settings and are able to gain access to protected data by exploiting both covert and side channels.
The two mechanisms work differently. Side channels present in the implementation of the permission system enable apps to access protected data and system resources without requiring permission. Covert channels allow communication between two colluding apps, so that one app can share its permission-protected data with another app that has not been granted that permission.
Speaking with CNet, one of the researchers, Serge Egelman, states: “Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it. If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless.” The researcher has flagged the error with Google, hoping that improvements with Google’s operating system will prevent future apps from exploiting the same loopholes.
The same group of researchers has also found that thousands of Android apps are collecting identifying information which leaves a permanent record of the activity on a device. Such data is often used to target users for advertising. This happens when apps track a user by linking someone’s Advertising ID with other identifiers on a device that are difficult to change.
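One way to audit for the identifier linking described above, as an added example that is not from the white paper or the researchers: it scans captured app traffic from a test handset and reports every destination that received the Advertising ID together with a hard-to-change identifier, including URL-encoded and hashed forms. The choice of IMEI, Wi-Fi MAC and Android ID as the hard-to-change identifiers is an assumption, and the device values, package names, hosts and requests are all constructed.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed identifiers for a test handset (all values are made up).
DEVICE = {
    "ad_id": "38400000-8cf0-11bd-b23e-10b96e40000d",  # user-resettable
    "imei": "490154203237518",                        # hard to change
    "wifi_mac": "02:00:5e:10:00:01",                  # hard to change
    "android_id": "9774d56d682e549c",                 # hard to change
}
RESETTABLE = {"ad_id"}

def encodings(value):
    """Forms an identifier may take on the wire: raw, separator-free, hashed."""
    raw = value.lower()
    plain = {raw, re.sub(r"[^0-9a-z]", "", raw), value.upper()}
    hashed = {hashlib.new(a, p.encode()).hexdigest()
              for p in plain for a in ("md5", "sha1", "sha256")}
    return {p.lower() for p in plain} | hashed

def find_bridging(flows, device=DEVICE):
    """Map (app, host) -> persistent IDs that host received alongside the ad ID."""
    seen = defaultdict(set)
    for app, host, payload in flows:
        haystack = unquote(payload).lower()  # undo %3A etc. before matching
        for name, value in device.items():
            if any(form in haystack for form in encodings(value)):
                seen[(app, host)].add(name)
    # A host holding both kinds of ID can re-link a user after an ad ID reset.
    return {key: sorted(ids - RESETTABLE) for key, ids in seen.items()
            if "ad_id" in ids and ids - RESETTABLE}

# Constructed capture: (app package, destination host, request line or body).
IMEI_MD5 = hashlib.md5(DEVICE["imei"].encode()).hexdigest()
FLOWS = [
    ("com.example.game", "ads.example.net",
     f"GET /v1/e?gaid={DEVICE['ad_id']}&did={IMEI_MD5}"),
    ("com.example.weather", "api.example.org",
     f"GET /fc?adid={DEVICE['ad_id']}&city=Berlin"),
    ("com.example.torch", "t.example.com", '{"mac":"02%3A00%3A5E%3A10%3A00%3A01"}'),
    ("com.example.torch", "t.example.com", f'{{"aaid":"{DEVICE["ad_id"]}"}}'),
    ("com.example.notes", "sync.example.com", f"GET /s?dev={DEVICE['android_id']}"),
]

if __name__ == "__main__":
    print(find_bridging(FLOWS))
```

Identifiers are aggregated per app and destination host, so a host that receives the two values in separate requests is still reported.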