Rationally a mobile app should do exactly what you ask from it but in the real world, this is not the case. A recent study that was presented at PrivacyCon 2019, it was discovered that millions of applications track users’ phones even when they are not permitted to. According to the researchers of the study, thousands of applications have found illegal ways to cheat through Android’s permission system that enables them to locate your location.
Even if you have said ‘no’ to a newly downloaded app when it comes to tracking option, the application can get access to identifying bits of data to track you. This usually happens because of two reasons: another application that is trusted by you and has been given permission can share information with the new app or the information is saved in a shared storage, where every application can access it. The reason why two different applications can share information is that they are developed using the same software development kits (SDK).
The study revealed that even apps like Disney and Samsung are using users’ information and sharing it with other applications, without the users’ knowledge and permission. Both Samsung and Disney use SDKs that are built by Baidu (Chinese search giant) and Salmonads (analytics firm), which share information among applications and on their servers by storing data locally on the phones. The researchers are witnessed that some of the applications using Baidu SDK were stealing data from users for their own benefits. The private data of users is then sold to marketers, advertising agencies and in some cases for illegal purposes. According to the researchers,
“We tested our pipeline on more than 88,000 apps and
discovered a number of vulnerabilities, which we responsibly disclosed. These apps were downloaded from the
U.S. Google Play Store and include popular apps from
Along with this, researchers found a number of other vulnerability points too. For instance, some apps can even send the unique MAC addresses of the users’ networking chip and router, its SSID and the wireless access point. Serge Egelman who is the research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI) said, “It’s pretty well-known now that’s a pretty good surrogate for location data”, while presenting the study.
The study also shed light on the photo app, Shutterfly. Although Shutterfly has previously denied the fact that it collects data of its users without getting permission, it was discovered that the application sends real-time GPS coordinates of the users to its servers. All of this happens without the user giving tracking permission to the application or having any knowledge about this.
On a flipside, as the researchers have shared their concerns about the privacy issues with Google – it is expected that Android Q will have them fixed. Unfortunately, any Android phone that will not be updated to the new software will remain vulnerable to this privacy attack. It is interesting to note here that the majority of Android phones never update to the latest software version. For instance, till May of 2019 – merely 10.4% of the Android devices were running on the latest Android P software.
Google has declined to make any comments about the vulnerabilities of its Android software but it is high time that the tech giant takes responsibility and provides its users with privacy and security of their personal data.
For an average user, who is not tech-savvy and has no idea about what is happening behind-the-scenes, it is truly devastating. The sensitive information can be manipulated, used and shared with anyone – which is a breach of privacy and security.
PrivacyCon is annual event, hosted by FTC. The fourth annual PrivacyCon event was held on June 27, 2019 where researches were presented on a vast number of security issues and privacy problems that consumers face in the digital world. One of the studies that was presented during the event was ‘50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System’.