Skip to main content

Report: Over 1,000 Android apps take your data, even despite permission blocks

According to a report presented at PrivacyCon 2019, there are over 1,000 popular Android apps on the Google Play Store that still take your personal data, even despite not having the correct permissions to do so.

Within Android, you can explicitly block an app’s permission to track your phone. The problem here is that researchers found that over 1,000 Android apps were able to get around that blocked permission to track your device’s unique identifier and still gather enough data to potentially get hold of your precise location.

The study scrutinized more than 88,000 apps from the Google Play store and tracked how data was being transferred from the apps once they were denied certain permissions. 1,325 apps outright violated permissions on Android by using specific workarounds hidden their code to take personal data from sources like Wi-Fi connections and the metadata stored in your photos.

The research team found that certain Android apps could essentially piggyback off data gathered by applications with access or permissions granted. As they have been built using the same SDKs, they can essentially access that data via that channel.

Some of these apps were also able to read through unprotected files on a device’s SD card and get access to data they didn’t have permission to access through circumnavigation.

CNET notes that only 13 apps were, in fact, doing this, but they were installed more than 17 million times. The list includes apps like Baidu’s Hong Kong Disneyland park app and even some from Samsung. Most of these apps were built using SDKs built by Chinese search company Baidu.

There are a total of 153 Android apps found to have the SD card circumnavigation access capability, including Samsung’s Health and Browser apps, which as we know, are installed automatically on all Samsung phones. The researchers estimate these apps are found on over 500 million devices globally.

The full details of the 1,325 offending apps that the researchers found will be shared at a Usenix Security conference in August. There are some fixes coming for these vulnerabilities with the upcoming release of Android Q, which is noted by the research team, who passed their findings on to Google as long ago as September 2018.

Obviously one of the biggest issues will be the lack of devices that will gain access to Android Q in the coming months. It’s unknown if Google will roll out any sort of hotfixes for the issue in the future either — with over 60% of Android phones running the outdated Android Nougat.

More on Android:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Check out 9to5Google on YouTube for more news:



Avatar for Damien Wilde Damien Wilde

Damien is a UK-based video producer for 9to5Google. Find him on Twitter @iamdamienwilde. Email

Damien Wilde's favorite gear