Turns out, even if don't give permission to access your location to a certain Android app or permission to read your device details, the app still may be able to figure out your location or other details about your Android device. In other cases, where the apps simply don't ask for any special permissions, they may still be a collecting a lot more details than you would imagine they have access to. Researchers claims that thousands of Android apps have found ways to skirt Android system permissions to track details that they shouldn't be able to.
According to a study that was recently presented at PrivacyCon 2019 and has also been shared with Google and US FTC (Federal Trade Commission), there are thousands of Android apps that have found ways to gather information like device Mac address, location, phone's IMEI, and more, even if they don't have necessary permissions to access such details.
The research report, which has been published by researchers from UC Berkeley, University of Calgary, and IMDEA Networks Institute, reveals that they tested a total of 88,000 Android apps and found that a number of them use covert and side channels to figure out users' location data and persistent identifiers without explicit permissions.
The researchers discovered that third-party libraries provided by Baidu and Salmonads independently use SD card as a covert channel to store phone' IMEI information, so that it is accessible to other apps that can't. They found 13 apps were exploiting this covert channel to get the IMEI information and 159 apps had the potential to do the same.
Additionally, they found at least one app – Shutterfly - that used picture metadata to access precise information about users' location without having any location permissions. Further, there were apps using MAC addresses of the connected Wi-Fi base stations from the ARP cache (Address Resolution Protocol Cache) as a surrogate for location data. There were 42 apps with Unity SDK obtaining the device MAC address using ioctl system calls and over 12,000 apps with the pertinent code to do so.
“These deceptive practices allow developers to access users' private data without consent, undermining user privacy and giving rise to both legal and ethical concerns,” the researchers write. “Data protection legislation around the world—including the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) and consumer protection laws, such as the Federal Trade Commission Act—enforce transparency on the data collection, processing, and sharing practices of mobile applications.”
According to the researchers, Google is addressing a number of issues raised in their research with Android Q. However, these fixes will only be available to the consumers who buy a new phone with Android Q or have phones that are lucky enough to receive the Android Q update. The researchers suggest that Google should treat these privacy issues as serious security vulnerabilities and provide the fixes as a part of the monthly security patches to all the supported versions.