More than 1000 Play Store apps collect data without permission

Another attack on the privacy of users within several hundred Google Play Store apps, also commonly used. According to security research, to be precise there are 1325 apps that collect data without permission.

According to a research carried out by the International Computer Science Institute (ICSI) and presented at PrivacyCon 2019, on the Play Store there are many apps that can bypass users’ denied permissions to collect data, such as location data.

If you thought it was enough to deny a flashlight app – for example – to prevent it from having access to the call history, it seems you were wrong. These are the words of Serge Egelman, director of security and privacy research at ICSI:

Basically consumers have very few tools and ideas that they can use to control their privacy in a reasonable way and to make decisions about it. If app developers manage to evade the system, asking for permits from consumers is relatively meaningless.

According to Egelman, the researchers have warned Google and the Federal Trade Commission (FTC) of these problems last September, but the solution from the Mountain View house should arrive only with Android Q, expected next month. The update will solve the problem by hiding the location information and requesting that all apps that will have access to Wi-Fi have the authorization to access the location.

The researchers analyzed more than 80,000 applications of the Google Play Store: of these, 1325 have violated the rules by using hidden solutions to collect personal data from Wi-Fi connections and metadata stored in the photos. One of these is Shutterfly, a photo-editing app, had been gathering GPS coordinates from photos and sending that data to its own servers, even when users declined to give the app permission to access location data.

A Shutterfly spokeswoman said the company would only gather location data with explicit permission, despite what researchers found.

“Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and personalized product suggestions, all in accordance with Shutterfly’s privacy policy as well as the Android developer agreement,” the company said in a statement.

But it’s not over here: based on the above, some apps (153, including Samsung Health and Internet Browser) may rely on other apps that are granted authorization to look at personal data, piggybacking off their access to gather phone identifiers like your IMEI number. These would be able to read unprotected files on the device’s SD card, collecting data they should not have accessed. To exploit this “only” 13 apps, but downloaded more than 17 million times: among these were Baidu and Hong Kong Disneyland. Both Disney and Baidu (as well as Samsung) have not issued statements.

Further details, including the complete list of apps, will be announced by Egelman at the Usenix Security conference to be held in August.

Avatar
Izaan Zubair
Izaan is founder of TechLapse. Izaan developed interest in computers from young age and most of his skills and knowledge are self taught. He can be reached at: [email protected]

Recent News

OPPO outpaced Xiaomi with hidden camera below the screen

Notch was the solution found by manufacturers to extend the screen of their smartphones without removing the front camera. However, OPPO and Xiaomi, independently, are...

Xiaomi prepares hidden camera on screen, will it come with Mi MIX 4?

Xiaomi is increasingly in a strong position in the smartphone market. Today news has surfaced that its 4th place as the largest smartphone maker has been consolidated. Their...

New device can control tremors related to neurological disorders

Tremors occur when muscles contract and relax repeatedly. Some neurological disorders, such as Parkinson's disease, can cause muscle tremors. A tremor is an involuntary...