Even if you deny Android app permissions, thousands of Android apps can track your phone. Read on to know more…
During installation of apps on Android smartphones, if you have clicked “No, you don’t have permission to track my phone,” you probably thought that the app won’t track your data. Actually, researchers have found that thousands of Android apps have found a way to cheat Android’s permission system, gathering your contact list as well as your location without your permission.
The Ground Reality
Even if you tap “NO” to an app asking your permission to gain access to your data, it is nothing but a scam like the other apps having permission to your data will be indirectly sharing all the data with the other apps in your smartphone. App with permissions stores all the app data in your smartphone’s local storage, though with other apps, including a malicious one can read your data and gain access to it.
At PrivacyCon 2019, a study was presented which suggested that Disney and Samsung apps have been downloaded millions of times by users all around the world. Samsung and Dinsey use Chinese search engine Baidu‘s SDKs and Salmonads analytics which can pass your data through the app with permission to apps without having any permission. Researchers have claimed that some developers are acquiring the data through Baidu SDK.
It is also explained research director of the Usable Security and Privacy Group, Serge Egelman, at ICSI, that this way apps can even send MAC addresses of your networking router and chip and wireless access point and its password somehow to the developer. Another Android app Shutterfly was caught sending GPS coordinates back to its located servers containing all the EXIF data even after millions denied the permission to send GPS coordinates or EXIF to the company.
In addition to a number of side channel vulnerabilities the team has found, some of which you can get the unique MAC addresses of your network chipset and router, wireless access point, its SSID, and more send home. “It’s now fairly well-known that this is a pretty good substitute for location data,” said Serge Egelman, research director of the Working Group on Security and Privacy at the International Computer Science Institute (ICSI), at the launch of the study at PrivacyCon.
According to researchers who informed Google about the vulnerabilities last September, some of these issues are addressed in Android Q. However, this may not help the many Android phones of the current generation that do not receive the Android Q update. By May, only 10.4 percent of Android devices had the latest Android P installed, and over 60 percent were still running on the nearly three-year-old Android N.
Researchers say Google may do more In the meantime, hotfixes are being introduced in security updates, as not only newer phone shoppers should be protected. “Google publicly claims that privacy should not be a luxury, but that seems to be exactly what happens here,” said Egelman.
Google declined to comment on the specific vulnerabilities, but acknowledged ‘The Verge’ that Android Q will hide geolocation information by default from photo apps, and that photo apps must tell the Play Store whether they exist can access location metadata.