Researchers have found more than 1,300 apps that can bypass the permission system on Android. The applications can then access, for example, the location data or information stored on the device, even if the user refuses that permission.
Researchers from the International Computer Science Institute examined more than 88,000 apps and managed to eavesdrop on their traffic or reverse engineer what they collected. Of all those apps, they found 1,300 that somehow had the ability to collect certain information from the user, even if they had denied permission to do so. This mainly concerns location data, data on the SD card, and information about the phone such as the imei number.
There is not one method by which this happens, there are several. For example, the photo app Shutterfly managed to collect user location data by extracting the EXIF data from photos, but other apps were able to see the router’s MAC address and SSID via Wi-Fi access and determine its location based on that. The researchers also describe how some apps use ad networks to collect geolocation via googleapis.com.
The researchers say there are two types of ways to get the data. Some apps like Shutterfly have their own methods for finding data such as through the exif data, but there are also applications that are specially made to give data to each other. For example, the researchers describe two apps, one of which has access to location data, but the other does not. The app with access then creates a hidden file on the SD card with coordinates in it. The other app does not have access to location, but it does have access to the SD card, and can thus still retrieve the location data.
It is not known which apps use the methods and how often that happens. In the case of Shutterfly, the researchers admit that the developers probably have no intention of circumventing Google’s permission system, although the app did send information in a json file to its own servers. Also, “this technique can be exploited by attackers.” The researchers want to publish a complete list in August. The researchers also contacted Google. That company says it will come up with ‘a fix’ in Android Q, but it is not entirely clear what the company is going to fix because there are so many different methods.