Over 1,300 popular Android apps defy user permissions and gather sensitive data with no consent, according to a study by a coalition of academics from the International Computer Science Institute.
The report examined popular mobile apps available through the U.S. version of the Google Play store, including apps published by Disney, Samsung and niche app-makers such as the popular photo app Shutterfly. What researchers found was that many of the apps extracted sensitive user information – including current geolocation data, historical geolocation data and MAC addresses – without consent.
In one example of how the circumvention takes place, researchers cited Shutterfly. Despite a user not giving the app permission to access private user information, Shutterfly collects GPS data using exchangeable image file format (EXIF) metadata from user images, researchers said.
“We observed that the Shutterfy app sends precise geolocation data to its own server without holding a location permission,” researchers wrote. Shutterfly gleans precise phone location data from the EXIF data generated by each image, which embeds the GPS coordinates in each image taken. “The app actually processed the image file: it parsed the EXIF metadata—including location—into a JSON object with labeled latitude and longitude fields and transmitted it their servers.”
What Shutterstock has in common with the other apps singled out by researchers is that they all use the same software developer kit (SDK) made by the China-based Baidu, with help from an analytics firm called Salmonads.
Researchers explain the SDK is used by all 1,300 apps it analyzed, so each share the same underlying framework. Where things become problematic is when, for example, the framework is shared between two apps. One app restricts access to location data and the other is allowed to share it. Researchers say the SDK sometimes sidesteps restrictive permissions of one app and adopts the rules of the other app that shares user data.
In this way, an app doesn’t have to get Android device-level permission to access geolocation data. The app can take advantage of the shared SDK framework and collect geolocation data from another app that does have location permissions, instead.
“Our work shows a number of side and covert channels that are being used by apps to circumvent the Android permissions system,” the researchers wrote. “The number of potential users impacted by these findings is in the hundreds of millions.”
Researchers said this practice defies users’ reasonable expectations of privacy and that the behaviors may constitute violations of various laws.
That said, researchers do not believe Shutterfly had any malicious intent; an assertion shared by the company in a statement.
“Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and personalized product suggestions, all in accordance with Shutterfly’s privacy policy as well as the Android developer agreement,” the company stated. A Shutterfly spokesperson added in a statement that its app only collects personal information with a user’s explicit permission.
However, researchers note the side effect of this type of inadvertent data collection might not always be innocent.
Researchers describe two ways data can be share without consent. One is via a “side channel” where data is inadvertently do to a flaw in design that accidentally leaks data. The second is “covert channels”.
“A covert channel is a more deliberate and intentional effort between two cooperating entities so that one with access to some data provides it to the other entity without access to the data in violation of the security mechanism,” researchers wrote.
The study was released Monday (PDF) by the Federal Trade Commission as a follow-on to its PrivacyCon 2019 confab last month. The study examined 88,113 popular apps from the U.S. Google Play store, and found that 1,300 of the apps and third-party libraries that employ side channels or “covert channels” to circumvent Android’s security measures. In all cases, apps could access the location data and MAC address of users’ devices.
Researchers contacted Google and the FTC in September after its’ final analysis. Google said its Android Q, expected to released later this year, will address this type of permission abuse.