When you explicitly tell an Android app, “No, you dont have permission to track my phone,” you probably expect that it wont have abilities that let it do that. But researchers say that thousands of apps have found ways to cheat Androids permissions system, phoning home your devices unique identifier and enough data to potentially reveal your location as well.
Even if you say “no” to one app when it asks for permission to see those personally identifying bits of data, it might not be enough: a second app with permissions you have approved can share those bits with the other one or leave them in shared storage where another app — potentially even a malicious one — can read it. The two apps might not seem related, but researchers say that because theyre built using the same software development kits (SDK), they can access that data, and theres evidence that the SDK owners are receiving it. Its like a kid asking for dessert who gets told “no” by one parent, so they ask the other parent.
According to a study presented at PrivacyCon 2019, were talking about apps from the likes of Samsung and Disney that have been downloaded hundreds of millions of times. They use SDKs built by Chinese search giant Baidu and an analytics firm called Salmonads that could pass your data from one app to another (and to their servers) by storing it locally on your phone first. Researchers saw that some apps using the Baidu SDK may be attempting to quietly obtain this data for their own use.
Thats in addition to a number of side channel vulnerabilities the team found, some of which can send home the unique MAC addresses of your networking chip and router, wireless access point, its SSID, and more. “Its pretty well-known now thats a pretty good surrogate for location data,” said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), when presenting the study at PrivacyCon.
The study also singles out photo app Shutterfly for sending actual GPS coordinates back to its servers without getting permission to track locations — by harvesting that data from your photos EXIF metadata — though the company denied that it gathers that data without permission in a statement to CNET.
There are fixes coming for some of these issues in Android Q, according to the researchers, who say they notified Google about the vulnerabilities last September. (They point to this of
