Another attack on user privacy has surfaced, this time involving several hundred Google Play Store apps, some of them commonly used. According to security research, precisely 1325 apps collect data without permission.
According to research carried out by the International Computer Science Institute (ICSI) and presented at PrivacyCon 2019, many apps on the Play Store can bypass permissions that users have denied in order to collect data, such as location data.
If you thought that denying a permission to a flashlight app, for example, was enough to keep it from accessing your call history, it seems you were wrong. In the words of Serge Egelman, director of security and privacy research at ICSI:
“Basically consumers have very few tools and ideas that they can use to control their privacy in a reasonable way and to make decisions about it. If app developers manage to evade the system, asking for permits from consumers is relatively meaningless.”
According to Egelman, the researchers warned Google and the Federal Trade Commission (FTC) about these problems last September, but the fix from the Mountain View company should arrive only with Android Q, expected next month. The update will address the problem by hiding location information and requiring that all apps that access Wi-Fi have authorization to access location.
The researchers analyzed more than 80,000 applications from the Google Play Store: of these, 1325 violated the rules by using hidden workarounds to collect personal data from Wi-Fi connections and from metadata stored in photos. One of these, Shutterfly, a photo-editing app, had been gathering GPS coordinates from photos and sending that data to its own servers, even when users declined to give the app permission to access location data.
A Shutterfly spokeswoman said the company would only gather location data with explicit permission, despite what researchers found.
But it doesn’t end there: according to the research, some apps (153, including Samsung Health and Internet Browser) may rely on other apps that have been granted authorization to look at personal data, piggybacking off their access to gather phone identifiers like your IMEI number. These apps would be able to read unprotected files on the device’s SD card, collecting data they should not have accessed. “Only” 13 apps exploited this, but they were downloaded more than 17 million times; among them were Baidu and Hong Kong Disneyland. Neither Disney nor Baidu (nor Samsung) has issued a statement.
Further details, including the complete list of apps, will be announced by Egelman at the Usenix Security conference to be held in August.