Thousands of Android apps can bypass permissions and gather enough data to track and identify your phone, according to a new study.
Researchers from the University of Calgary, UC Berkley, and the IMDEA Networks Institute in Spain discovered that apps can circumvent app permissions using covert and side channels.
Side channels allow apps to access protected data without permission; covert channels are used when two apps communicate—one sharing protected data that has been given with permission to another that is lacking those permissions. This data could include MAC addresses, the phone’s IMEI, and more.
The study analyzed over 88,000 apps available via the US Google Play Store, and found that apps from huge companies—including Samsung (Health and Browser) and Disney (the Hong Kong Disneyland park app)—with millions of downloads are affected.
The Samsung and Disney apps use software development kits (SDKs) from Chinese search company Baidu and analytics company Salmonads, which means data can move between apps and between the companies’ servers through the local storage on your phone.
The study also singled out the Shutterfly app, stating that it sends “precise geolocation data to its own server without holding a location permission.” In a comment to CNET, the company denied these claims, saying it only collects location data when it has permission, despite what the researchers discovered.
On the bright side, many of these issues will be fixed with the upcoming Android Q update, but this presents two problems: the first is that not every phone will be updated to Android Q. As of August 2018, just over 10 percent of devices running Android were running Android 9.0 (Pie), with approximately 30 percent running Android Oreo (8.1) and Android Oreo (8.0).
This means privacy and security are at risk of becoming a luxury for those with flagship smartphones, and that Google needs to do more to push customers and companies to update their devices—which, to the company’s credit, it is attempting to do.
Serge Egelman, director of usable security and privacy research at ICSI, will reportedly be sharing the details of the 1,325 apps that have been gathering information without user permission at the Usenix Security conference in August.