Thousands of Android apps — including those from Samsung and Disney — bypass the OS’s permission system, and gather precise location data and phone identifiers without users’ consent, a study has revealed. Researchers from the International Computer Science Institute (ICSI) discovered around 1,325 apps that gather data even if users explicitly deny them permissions to do so. ICSI’s Serge Egelman had presented the findings of their study at FTC’s PrivacyCon in June. MediaNama has reached out to Google for comment and will update this story once they reply.

“Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it … If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless.” — Serge Egelman of ICSI to CNET

What the study revealed

The researchers found that when a user denies, for instance, location permission to one app, it might not be enough. Another app that has the permission can still share bits of users’ personal data with the first app, or store it locally on the phone where even potentially malicious apps could read it. They found that while the two apps might not be directly related in any way, they’re built using the same software development kit (SDK), and thus can “talk” to each other. The researchers designed a “pipeline” to discover vulnerabilities in the Android permission system and tested this pipeline on more than 88,000 apps.

  • Some apps, like Samsung’s Browser and Health apps, and Disney’s Hong Kong Disneyland app, were found to be relying on other apps like China’s Baidu to gather phone identifiers such as the IMEI number. They could do so because they were developed using the same SDK that was built by Chinese search giant Baidu. These apps harvested data from unprotected files saved locally on the SD card of the phone even if they didn’t have those permissions. While there were only 13 apps doing this, the problem is that these apps were downloaded more than 17 million times. The study also noted that 159 apps had the capability of getting this access.
  • Image publishing app Shutterfly was found to be sending actual GPS coordinates back to its servers without getting permission to track locations. It did so by harvesting that data from photos’ EXIF (exchangeable image file format) metadata. The study highlighted that 70 different apps were sending location data to 45 different domains without having any of the location permissions.
  • Other apps were gathering location data by connecting to the Wi-Fi network and obtaining the router’s MAC address. Three of Peel’s smart remote control apps (tv.peel.samsung.app, tv.peel.smartremote, and tv.peel.mobile.app) requested the igd.xml (internet gateway device configuration) file. The router replied with, among other manufacturing details, its MAC address as part of its UUID (universally unique identifier). These apps also sent WiFi MAC addresses to their own servers and a domain hosted by Amazon Web Services.
  • Unity, which is a cross-platform game engine developed by Unity Technologies and heavily used by Android mobile games, was obtaining the device MAC address using ioctl system calls. 42 apps were exploiting this vulnerability and 12,408 apps had the pertinent code to do so. Apart from that, 5 apps were obtaining MAC addresses of the connected WiFi base stations from the ARP cache, and another 5 had the potential to do so.

Egelman told CNET that he had written to Google in September 2018, highlighting the findings of this study, and Google had said that it would address these issues in Android Q, which is expected to release this year. But here is the problem: not all Android devices will get the Android Q update. In fact, barring Google’s own Pixel devices and a few Android One devices, very few other Android phones would get the update this year. Apart from that, certain older phones may not receive the update ever — which means that for several Android users, these security issues may never be fixed.

Other flaws recently found in Android apps

  • In June 2019, a security flaw in the ‘Shot on OnePlus’ app caused OnePlus to leak the email addresses and other personal information of hundred of its users. 9to5Google said it had discovered the “somewhat major” vulnerability in the API OnePlus uses for the app a couple of months ago, and that the company had already fixed it. It said it was unclear for how long users’ data had been leaking in this way, but believed it had been happening since the launch of the ‘Shot on OnePlus’ app many years ago.
  • In May 2019, WhatsApp confirmed that a flaw in its app left it vulnerable to a spyware attack that installed a malicious code on a victim’s smartphone through a simple voice call on WhatsApp. FT, which first reported the breach, said the spyware, was created by the NSO Group, an Israeli software company. In June 2019, its majority owner Novalpina Capital, a UK private equity firm, promised a “significant enhancement of respect for human rights” at NSO Group, per The Guardian.
  • In April 2019, Hacker News reported that two browser apps created by Xiaomi had a critical vulnerability that had not yet been patched despite being privately reported to the company. The Mi Browser comes built-in with the company’s Mi and Redmi smartphones, while the Mint browser is available on Google Play for non-Xiaomi devices. The vulnerability was an address bar spoofing issue that allowed a malicious website to control the URLs displayed. The flaw could be used to easily trick users into thinking they were visiting a trusted website when actually being served with a phishing or malicious content. The issue only affected the international variants of both web browsers. Xiaomi rewarded the researcher who reported the issue with a big bounty but left the vulnerability unpatched.