Thousands of Android apps are extracting your data

It’s no secret that Android apps, and mobile apps, in general, are looking to get user’s data. But do that against the knowledge of users is a violation of privacy. And that’s exactly what around thousands of apps are doing, even after you explicitly deny your permission.

Unfortunately, this issue will not get fixed until the upcoming final release of Android Q which is expected to be later this year. It is important to note that there are checks in place that prevent apps from accessing records of data whose permissions are denied. However, some apps manage to circumvent these boundaries and still gain access to the data. Kind of like hacking.

Research by the ICSI

This was revealed by a research that was conducted by the International Computer Science Institute in June. The researchers did an extensive survey of more than 88,000 apps on the Play Store. They found that 1,325 of those apps were using some roundabout way to get user’s data.

While most of these apps claim to do this ‘for the user’s own good’, personal data is still being used without consent. For instance, take Shutterfly. It is a photo app that lets users take their photos and put it into products such as a mug, a phone case or a simple print. Researchers found that the app is using the GPS coordinates found in the photos’ description, and sending them to their servers. All this, when the user had explicitly, denied location permission.

The Institute sent a complaint to Google and was assured that the issue will be fixed in the upcoming Android Q. Perhaps Android Q will offer better privacy features than the Android Pie. Serge Egelman, the director at the Internation Computer Science Institute said:

Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it.

On the other hand, a spokesperson from the Shutterfly company contradicted the researchers:

Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and personalized product suggestions, all in accordance with Shutterfly’s privacy policy as well as the Android developer agreement.

According to the researchers, the problem is that the file system is often left unprotected for the apps to use. With this vulnerability, apps can be creative with how to obtain a user’s data. One thing the researchers highlighted was how the MAC address of the WiFi network can be used to obtain location data.

Moreover, some apps are even capable of gaining access to a phone’s IMEI – International Mobile Equipment Identity. As a result, perpetrators can have persistent tracking of the user. Once the IMEI is obtained, it is copied as an encoded file in the phone’s SD, where it can be secretly accessed by other apps.

What to do?

Presently only a handful of solutions exist. One is to simply wait for the Android Q. However, as Egelman pointed out that a “vast majority of Android users have older devices and won’t be getting over-the-air updates that patch this vulnerability.”

Another solution is to look out for these 1,325 apps and stay away from them. The database of all these apps is compiled as part of the research as the AppCensus platform. Finally, you could just not install any app at all and simply use its website as an alternative.