Thousands of Android apps — including those from Samsung and Disney — bypass the OS’s permission system, and gather precise location data and phone identifiers without users’ consent, a study has revealed. Researchers from the International Computer Science Institute (ICSI) discovered around 1,325 apps that gather data even if users explicitly deny them permissions to do so. ICSI’s Serge Egelman had presented the findings of their study at FTC’s PrivacyCon in June. MediaNama has reached out to Google for comment and will update this story once they reply. "Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it … If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless.” — Serge Egelman of ICSI to CNET What the study revealed The researchers found that when a user denies, for instance, location permission to one app, it might not be enough. Another app that has the permission can still share bits of users' personal data with the first app, or store it locally on the phone where even potentially malicious apps could read it. They found that while the two apps might not be directly related in any way, they’re built using the same software development kit (SDK), and thus can "talk" to each other. The researchers designed a “pipeline” to discover vulnerabilities in the Android permission system and tested this pipeline on more than 88,000 apps. Some apps, like Samsung's Browser and…
