Published: Wed, July 10, 2019
Tech | By Anita Cain

More than 1K Android apps harvest data even after you deny permissions

It turns out that even if you don't give a certain Android app permission to access your location or to read your device details, the app may still be able to figure out your location or other details about your Android device.

The researchers also found apps acquiring the router's MAC address without permission, allowing developers to link multiple devices that share the same network.

"But in any case, it will be up to the FTC and Google whether these apps violate the 'notice and consent' doctrine required of apps in the U.S. - that they notify users that they'd like to harvest data and require consent before doing so."

The study was presented at PrivacyCon, hosted last month by the Federal Trade Commission (FTC).

On Android, an application must ask the user for permission to access certain data such as location, call log or internal storage. Apps that were denied a permission read the personal information from unprotected files on the SD card, where it had been stored by another app that was granted permission to collect it.

So even when we have denied various apps access to our personal data, the apps can somehow still access it. The researchers looked at what data the apps were sending back, compared it to what users were permitting and - surprise - 1,325 apps were forking over specific user data they shouldn't have.

Of course, the report's scope only includes 88,000 apps - more could be violating permissions without user notice. There are some pretty popular apps on the list, too - including the Shutterfly app. Shutterfly reads through the metadata of users' photos and in that way transfers their locations to its servers. Baidu was also collecting data through its mapping service - meaning that apps like the Hong Kong Disneyland app, which use Baidu's mapping service, have been collecting data without permission.

Google said it plans to fix numerous personal data leaks with the upcoming release of its Android Q operating system. The report notes that apps used as smart remote controls often do this even though there is no legitimate reason for them to have a user's location data. As long as you set your app permissions and security settings correctly, there shouldn't really be an issue, right?

"The number of potential users impacted by these findings is in the hundreds of millions", the researchers said, urging regulators and platform providers to adopt better tools to monitor the behavior of the apps.
