
    Thousands of Android Apps Will Track Your Phone, Regardless of Permissions Settings

    Even when you explicitly deny an Android app permission to track your phone, it might still be able to do so. Researchers found that thousands of apps have ways to cheat Android’s permissions system, collecting not only your device’s unique identifier but also data that could reveal your location.

    Even after you configure the permission settings for one app, a second app that has those permissions approved can share pieces of personal data with the first one, or leave them in a shared folder that other apps, potentially even malicious ones, can read. Researchers also found that if both apps were built using the same software development kit (SDK), they would be able to access the same data, and there’s even evidence that the SDK owners are receiving it. Even when two apps don’t look related, your personal data can go just about anywhere.

    A study presented at PrivacyCon 2019 showed that apps from companies like Samsung and Disney, downloaded hundreds of millions of times, use SDKs built by Chinese multinational technology company Baidu and an analytics firm called Salmonads. After your personal data is stored locally on your phone, it can pass from one app to another. The researchers also noticed that some apps using the Baidu SDK might quietly obtain that same data for their own use.

    Additionally, the team found other side-channel vulnerabilities, such as apps sending home the unique MAC addresses of your networking chip and router, along with the wireless access point, its SSID, and more. Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), said, “It’s pretty well-known now that’s a pretty good surrogate for location data,” while presenting the study at PrivacyCon 2019. The study also revealed that, by harvesting personal data from your photos’ EXIF metadata, the photo app Shutterfly sends actual GPS coordinates back to its servers without permission to track locations. Dishonestly, the company denied gathering any data without permission.
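The EXIF leak described above can be checked from the defender's side: the following added example (not code from the study or the original article) parses a JPEG's Exif segment and reports any embedded GPS coordinates, which any app able to read the photo file can recover without holding a location permission. The function names and the sample image built by `build_sample` are constructed for illustration, and well-formed Exif data is assumed.

```python
import struct

def find_exif(jpeg: bytes):
    """Return the TIFF blob of the first APP1/Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, size = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if marker == 0xE1 and body[:6] == b"Exif\0\0":
            return body[6:]
        if marker == 0xDA or size < 2:  # start of scan, or corrupt length
            break
        pos += 2 + size
    return None

def read_ifd(tiff, offset, e):
    """Map tag -> raw 4-byte value/offset field for one TIFF directory."""
    (n,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    ents = (tiff[offset + 2 + 12 * i:offset + 14 + 12 * i] for i in range(n))
    return {struct.unpack(e + "H", x[:2])[0]: x[8:12] for x in ents}

def gps_from_jpeg(jpeg: bytes):
    """Return (lat, lon) in decimal degrees if embedded, else None."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order mark
    ifd0 = read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    # Tag 0x8825 in IFD0 points at the GPS directory.
    gps = read_ifd(tiff, struct.unpack(e + "I", ifd0[0x8825])[0], e) if 0x8825 in ifd0 else {}
    if not all(t in gps for t in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
        return None
    def degrees(tag, ref_tag, negative):
        off = struct.unpack(e + "I", gps[tag])[0]
        d, dd, m, md, s, sd = struct.unpack(e + "6I", tiff[off:off + 24])
        val = d / dd + m / md / 60 + s / sd / 3600
        return -val if gps[ref_tag][:1] == negative else val
    return degrees(2, 1, b"S"), degrees(4, 3, b"W")

def build_sample(lat=(37, 52, 30), lon=(122, 16, 12)):
    """Constructed input: SOI + one Exif APP1 segment + EOI, no pixel data."""
    rat = lambda dms: b"".join(struct.pack("<II", x, 1) for x in dms)
    gps = struct.pack("<H", 4) + b"".join([
        struct.pack("<HHI4s", 1, 2, 2, b"N"), struct.pack("<HHII", 2, 5, 3, 80),
        struct.pack("<HHI4s", 3, 2, 2, b"W"), struct.pack("<HHII", 4, 5, 3, 104)])
    tiff = (b"II*\0" + struct.pack("<IHHHIII", 8, 1, 0x8825, 4, 1, 26, 0)
            + gps + b"\0" * 4 + rat(lat) + rat(lon))
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

Running `gps_from_jpeg` over photos before they are shared, or over a photo directory that other apps can read, shows which files carry coordinates that should be stripped.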

    The researchers notified Google about the vulnerabilities last September and said that fixes for some of these issues are coming in Android Q. But this won’t help the current-generation Android phones that won’t get the Android Q update. According to statistics, as of May only 10.4 percent of Android devices had the latest Android P installed, and over 60 percent were still running on Android N, which is nearly three years old.

    The researchers hope that Google has a bigger plan, like releasing hotfixes within security updates, since personal data protection shouldn’t be available for newer phone buyers only. Egelman shared his thoughts on the subject, saying “Google is publicly claiming that privacy should not be a luxury good, but that very well appears to be what’s happening here.”

    Google didn’t comment on the specific vulnerabilities, but the company confirmed that Android Q will hide geolocation info from photo apps by default. The company also said that it will now require photo apps to disclose to the Play Store whether they’re capable of accessing location metadata.

    David Novak
    For the last 20 years, David Novak has appeared in newspapers, magazines, radio, and TV around the world, reviewing the latest in consumer technology. His byline has appeared in Popular Science, PC Magazine, USA Today, The Wall Street Journal, Electronic House Magazine, GQ, Men’s Journal, National Geographic, Newsweek, Popular Mechanics, Forbes Technology, Reader’s Digest, Cosmopolitan Magazine, Glamour Magazine, T3 Technology Magazine, Stuff Magazine, Maxim Magazine, Wired Magazine, Laptop Magazine, Indianapolis Monthly, Indiana Business Journal, Better Homes and Gardens, CNET, Engadget, InfoWorld, Information Week, Yahoo Technology and Mobile Magazine. He has also made radio appearances on The Mark Levin Radio Show, The Laura Ingraham Talk Show, Bob & Tom Show, and the Paul Harvey Radio Show. He’s also made TV appearances on The Today Show and The CBS Morning Show. His nationally syndicated newspaper column, called the GadgetGUY, appears in over 100 newspapers around the world each week, where Novak enjoys over 3 million in readership. David is also a contributing writer for Men’s Journal, GQ, Popular Mechanics, T3 Magazine and Electronic House here in the U.S.
