Even when you explicitly deny permissions to an Android app to track your phone, some might still be able to do it. Researchers found out that thousands of Apps have ways to cheat Android’s permissions system, collecting not only your device’s unique identifier, but also data to potentially reveal your location.
Even when configuring the permissions settings for an App, a second app that has those permissions approved can share personal bits of data with the first one or leave them in a shared folder that other Apps – potentially even malicious ones – can read. Researchers also found out that if both Apps were built using the same software development kits (SDK), they would be able to access the same data, and there’s even evidence that the SDK owners are receiving it. Despite two Apps not looking related, your personal data can go just about anywhere.
A study presented at PrivacyCon 2019 showed that Apps from companies like Samsung and Disney have been downloaded hundreds of millions of times. These Apps use SDKs built by Chinese multinational technology company Baidu and an analytics firm called Salmonads, and after storing your personal data locally on your phone, that data can pass from one app to another. Lastly, it’s important to note that researchers noticed that some Apps using the Baidu SDK might quietly obtain that same data for their own use.
Additionally, the team found other side channel vulnerabilities, such as sending home the unique MAC addresses of your networking chip and router, wireless access point, its SSID, and even more. Research Director of the Usable Security and Privacy Group at ICSI (International Computer Science Institute) Serge Egelman said “It’s pretty well-known now that’s a pretty good surrogate for location data,” while presenting the study at PrivacyCon 2019. The study revealed that by harvesting personal data from your photos’ EXIF metadata photo app Shutterfly sends actual GPS coordinates back to its servers without permission to track locations. Dishonestly, the company denied gathering any data without permission.
After notifying Google about the vulnerabilities last September, researchers said that there will be upcoming fixes for some of these issues in Android Q. But this won’t help the current-generation Android phones that won’t get the Android Q update. According to statistics, since May only 10.4 percent of Android devices had the latest Android P installed, and over 60 percent were still running on Android N, which is nearly three years old.
The researchers hope that Google has a bigger plan, like releasing hotfixes within security updates, since personal data protection shouldn’t be available for newer phone buyers only. Egelman shared his thoughts on the subject, saying “Google is publicly claiming that privacy should not be a luxury good, but that very well appears to be what’s happening here.”
Google didn’t comment about the specific vulnerabilities, but the company confirmed that Android Q will hide geolocation info from photo Apps by default. The company also assured that it will now require photo Apps to reveal to the Play Store if they’re capable of accessing location metadata.