Suppose an Android app asks to access your location data, and you decide you have no use for that feature, does the app follow the rules? Maybe not all the time.
Over a thousand Android apps apparently can sneak past Google's restrictions and access your phone info and location data even when you've denied the apps permission, according to an academic study.
At PrivacyCon 2019, a study was presented talking about various apps the likes of Disney and Samsung - basically apps that have been downloaded by a hoard of people. They use SDKs designed by Chinese search engine Baidu and analytics firm called Salmonads that could pass your data from one app to another, including their servers, by storing it locally on your phone first. Researchers have found out that some apps that use the Baidu SDK potentially obtain this data for their own use.
Some apps were reliant on other apps that were granted permission to obtain personal info, piggybacking off their access to gather phone identifiers like your IMEI number. These apps will then have access to unprotected files on a device's SD card and gather data that were restricted from them in the first place. So if you let other apps access personal data, and they stored it in a folder on the SD card, these spying apps would be able to take that information.
"The number of potential users impacted by these findings is in the hundreds of millions," the study concludes. "These deceptive practices allow developers to access users' private data without consent, undermining user privacy, and giving rise to both legal and ethical concerns."
Researchers say that fixes are on its way via the Android Q. They apparently have notified Google about these vulnerabilities in September, but a concern is that it may not help the lot of Android users that won't get the Android Q update. (As of May, only 10.4 percent of Android devices had the latest Android P installed, and over 60 percent were still running on the nearly three-year-old Android N.)
The researchers believe that Google should be able to do more and continue to roll out fixes within security updates in the meantime. After all, every Android user deserves security and not just those with newer phone models.
Google hasn't said anything about this issue, however, it did confirm that Android Q will be able to hide a user's location info from photo apps as a default setting. It will also require photo apps to inform the Play Store if they can access location metadata.
