While dealing with Android apps, one of the common suggestions from security experts is to review app permissions. It means to double-check the access permissions an app asks at the time of installation. If an app requires accessing any unnecessary data, better deny it. However, a study revealed that denying such permissions is, at times, no good. Many Android apps evade app permissions and access user details regardless.
Android Apps Evade App Permissions
Researchers have highlighted numerous apps in the Google Play Store that pilfer user data even when denied. The team of researchers, following PrivacyCon 2019, has disclosed its findings in a separate research paper, where it explained how various Android apps evade app permissions to steal user data.
The researchers established that the apps can easily circumvent permissions by using side channels and covert channels. Regarding the use of these channels, the researchers explained,
Side channels present in the implementation of the permission system allow apps to access protected data and system resources without permission; whereas covert channels enable communication between two colluding apps so that one app can share its permission-protected data with another app lacking those permissions.
In their study, the researchers identified a number of Android applications using these techniques to access user data. While the researchers noticed the apps and SDKs used obfuscation techniques to protect the data transmitted over the network; it also veiled the actual intent behind the collection of such information.
The information shared between the apps this way included personal details, which may be useful for advertisers and app developers. For instance, the apps collected device identifiers like IMEI, Router MAC address, Network MAC address, geolocation, and SD card data.
Full List Of Apps To Come Soon
The researchers downloaded various apps from each category and analyzed the 88,113 most used apps. They found various vulnerabilities with the apps through which they collected and transmitted user data.
The apps predominantly transmitted the information to Chinese Baidu and Salmonads libraries. Around 159 apps had code to access the SD card, whereas 13 apps specifically did it.
42 apps, apart from the 12,408 other apps with the code, shared device MAC address with Unity for unique device identification via ioctl system calls.
As a ‘surrogate’ for location, 5 apps, apart from the 5 others having the relevant code, collected WiFi router MAC addresses through ARP cache.
The researchers also noticed one app, Shutterfly, gathering picture metadata on its servers to obtain geolocation data. The images’ EXIF data having the device’s location could serve the purpose. As stated by the researchers,
The app actually processed the image file: it parsed the EXIF metadata—including location—into a JSON object with labelled latitude and longitude fields and transmitted it to their server.
Researchers have disclosed their findings to Google already. Whereas, they will soon share the full list of 1,325 apps violating user privacy through means.
For now, Google are looking into the matter. Nonetheless, user protection seems confined to the ‘affording’ consumers only – that is – thosenwho can upgrade to the upcoming Android Q.
Let us know your thoughts in the comments.