Home Cyber Security News Hundreds Of Popular Android Apps Evade App Permissions To Access User Data

Hundreds Of Popular Android Apps Evade App Permissions To Access User Data

by Abeerah Hashim
android apps evade app permissions

While dealing with Android apps, one of the common suggestions from security experts is to review app permissions. It means to double-check the access permissions an app asks at the time of installation. If an app requires accessing any unnecessary data, better deny it. However, a study revealed that denying such permissions is, at times, no good. Many Android apps evade app permissions and access user details regardless.

Android Apps Evade App Permissions

Researchers have highlighted numerous apps in the Google Play Store that pilfer user data even when denied. The team of researchers, following PrivacyCon 2019, has disclosed its findings in a separate research paper, where it explained how various Android apps evade app permissions to steal user data.

The researchers established that the apps can easily circumvent permissions by using side channels and covert channels. Regarding the use of these channels, the researchers explained,

Side channels present in the implementation of the permission system allow apps to access protected data and system resources without permission; whereas covert channels enable communication between two colluding apps so that one app can share its permission-protected data with another app lacking those permissions.

In their study, the researchers identified a number of Android applications using these techniques to access user data. While the researchers noticed the apps and SDKs used obfuscation techniques to protect the data transmitted over the network; it also veiled the actual intent behind the collection of such information.

The information shared between the apps this way included personal details, which may be useful for advertisers and app developers. For instance, the apps collected device identifiers like IMEI, Router MAC address, Network MAC address, geolocation, and SD card data.

Full List Of Apps To Come Soon

The researchers downloaded various apps from each category and analyzed the 88,113 most used apps. They found various vulnerabilities with the apps through which they collected and transmitted user data.

The apps predominantly transmitted the information to Chinese Baidu and Salmonads libraries. Around 159 apps had code to access the SD card, whereas 13 apps specifically did it.

42 apps, apart from the 12,408 other apps with the code, shared device MAC address with Unity for unique device identification via ioctl system calls.

As a ‘surrogate’ for location, 5 apps, apart from the 5 others having the relevant code, collected WiFi router MAC addresses through ARP cache.

The researchers also noticed one app, Shutterfly, gathering picture metadata on its servers to obtain geolocation data. The images’ EXIF data having the device’s location could serve the purpose. As stated by the researchers,

The app actually processed the image file: it parsed the EXIF metadata—including location—into a JSON object with labelled latitude and longitude fields and transmitted it to their server.

Researchers have disclosed their findings to Google already. Whereas, they will soon share the full list of 1,325 apps violating user privacy through means.

For now, Google are looking into the matter. Nonetheless, user protection seems confined to the ‘affording’ consumers only – that is – thosenwho can upgrade to the upcoming Android Q.

Let us know your thoughts in the comments.

You may also like

Latest Hacking News

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid