1000+ Android Apps Harvest Our Data Without Our Permission

Researchers from the International Computer Science Institute have reported that up to 1,325 Android apps are gathering data from devices after people have denied them permission, and Google claims that it will address the problem with the introduction of the new Android “Q” Operating System.

Apps Finding Way Around Privacy Restrictions

According to the ICSI researchers, who presented their findings last month at the Federal Trade Commission’s PrivacyCon, 1000+ apps are finding their way around privacy restrictions and are able to gather geolocation data, phone identifiers, and other data from users who may be thinking that they have successfully denied apps access to such data.

For example, in the study of 88,000+ apps from the Google Play store, the researchers were able to identify 1,325 apps that violate permissions on Android by using workarounds hidden in their code that can enable personal data to be taken from multiple sources including Wi-Fi connections and metadata stored in photos.

Which Apps?

The researchers highlighted apps such as Shutterfly photo-editing app which gathers GPS coordinates from photos and sends the data to its own servers, even after users have declined to give permission to access location data, and Baidu’s Hong Kong Disneyland park app and Samsung’s Health and Browser apps were found (like 13 other apps) to be able to piggyback off other apps that had been granted permission in order to obtain data like phone identifiers and IMEI numbers.

Android Q Could Help

It is thought the introduction of the latest (17th) version of Android’s Operating system, Android Q, released as a beta on March 13th and due for wider release later this year may be able to address many of these privacy concerns thanks to more stringent security features.  For example, users will be able to definitively choose and control when apps have permission to see their location i.e. never, only when the app is in use and running, or all the time when in the background. With Android Q, background apps won’t be able to jump into the foreground, and there will also be new permissions relating to the accessing of background photos, video, and audio files.

What Does This Mean For Your Business?

With mobile and app use being a normal part of everyday life, and with most people unable and unlikely to spend the time checking permissions and T&Cs on everything, we have to take on trust that when we deny it permissions, an app will abide by our decisions.  It may be a surprise, therefore, at a time when GDPR is in force and data privacy and security is a topic that many users think about and actively try to protect that so many apps are able to find workarounds that enable them to keep gathering data about us. It appears that it may be much more difficult to stay private online than many of us believe.

It is good news, therefore, that Android Q may provide a way to offer us greater protection and provide more of a challenge to companies and organisations that want access to our data e.g. to help target us with advertising, even though app developers may argue that they are simply using the gathered data to help enhance and personalise our experiences of their apps (to keep us using them).  App developers are in a highly competitive and crowded market and although gathering and using customer data to make their apps more indispensable may seem legitimate, most of us value our online privacy, would object to having our data permissions effectively ignored, and may feel frustrated that we still have so few tools and cues to help us effectively control our privacy.