More than 1,000 Android apps "deceptively" harvest personal data

Researchers have discovered more than 1,000 Android apps have the power to share and receive personal information even when the user explicitly forbids the collection of data.

The findings were presented to attendees at PrivacyCon 2019 in the US, and they don't just focus on obscure apps. Indeed, big name firms including Disney and Samsung were cited for releasing apps that flout the privacy conventions users have come to expect.

All of the affected apps share one commonality - they all run on the same software developer kit (SDK). The one in question here is made by Chinese tech giant Baidu with help from an analytics firm called Salmonads.

SDKs are sets of tools given to developers to make building applications easier - like a framework on which to base the project instead of having to code it all from scratch. It's like if all VW Polos, Audi S3s and Ford Focus' were built using the same axel - they're all different but share the same backbone.

Let's imagine there are two apps: App 1 and App 2. Both are built on the same Baidu SDK but the user has revoked permissions for App 1 to collect personal data. The user hasn't revoked App 2's data collection permissions, though. So, because of this, App 1 can still gather data from App 2's collection as they're both built on the same SDK.

In terms of what data has actually been collected, it's a bit of a mixed bag. Device MAC addresses were the most pervasively collected forms of data, but router MAC addresses and device IMEI numbers were also collected. In one particular case, GPS data was also gathered.

The app that collected GPS data is called Shutterfly and has been downloaded more than 138,000 times on the Google Play store at the time of publication. It collected GPS data using EXIF metadata from user images and sent it back to its own servers with no location permission.

"While this app may not be intending to circumvent the permission system, this technique can be exploited by a malicious actor to gain access to the user's location," read the study. "Whenever a new picture is taken by the user with geolocation enabled, any app with read access to the photo library can learn the user's precise location when said picture was taken.

"Furthermore, it also allows obtaining historical geolocation fixes with timestamps from the user, which could later be used to infer sensitive information about that user," it added.

In reference to the apps acquiring MAC address information, the researchers said Android natively protects access device and router MAC addresses with separate permissions. Regardless, they still observed apps accessing the addresses without having the permissions.

The apps gained access to the addresses with side-channels, using C++ native code to invoke a number of unguarded UNIX system calls. These methods were referred to as "deceptive" which could mislead even the most diligent user.

The US' Federal Trade Commission (FTC) has fined mobile operators and third-party libraries for exploiting side-channels and using MAC addresses to infer a user's location.

The researchers said that with the next version of the mobile operating system Android Q which is currently in beta, some of the issues outlined by their findings will be fixed, but that might not be good enough.

Android OS updates are not mandatory and many users, according to statistics, aren't very diligent when it comes to upgrading to the latest version - just 10.4% of Android users are on the latest Android 9 Pie installation, for example.