Many Android applications were retrieving personal data even when users didn’t give them permission to do so, a new study has revealed.
Android has improved the way it informs people about the permissions apps require when installed. It’s a system that’s way better now than it used to be, but it turns out that even if Android asks people whether they want to grant an app a certain permission, the answer doesn’t really matter. Some apps will pull the relevant data from the phone even when they should not be able to.
Privacy and the notion of personal data are two of the most important aspects in today’s world, and the fact that both of those issues are basically ignored by so many Android apps is worrying, especially if what the study revealed turns out to be true.
Not just an isolated incident
A study named “50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System,” put forward by researchers from the University of Calgary, Universidad Carlos III Madrid, and U.C. Berkeley, revealed that thousands of apps have been doing some very shady stuff.
Also, according to a report from Adrian Colyer, the researchers built a Google Play scraper, which downloaded 252,864 versions of 88,113 different Android apps. All the apps were run in a controlled environment that allowed researchers to monitor all I/O (writing and reading) events and network traffic.
The most interesting aspect was that apps were pulling data like the MAC address, the IMEI number, and other information, even when the user denied them access. This was possible because it was done through whichever SDK the app was built on. The SDKs involved include Salmonads (a third-party developers’ assistant platform in Greater China), Baidu’s Maps SDK, and even the OpenX SDK.
The researchers also calculated that Baidu’s Maps SDK is used in apps with 2.6 billion installations, which means that the real number is likely much more significant. The research could reach only one conclusion.
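The kind of check the monitored environment makes possible, flagging outbound traffic that carries an identifier the user denied, can be sketched as follows. This is an added example, not code from the study or this article; the record layout, app and host names, identifier values and the list of encodings searched are all constructed assumptions.

```python
import base64
import hashlib

# Constructed identifiers of a hypothetical test device (not from the study).
DEVICE_IDS = {"IMEI": "356938035643809", "MAC": "02:00:5E:10:00:01"}

def encodings(value):
    """Map each wire form of an identifier to a label (assumed encoding list)."""
    forms = {}
    variants = [value, value.lower(), value.upper(), value.replace(":", "")]
    for v in dict.fromkeys(variants):  # de-duplicate while keeping order
        raw = v.encode()
        forms.setdefault(v, "plain")
        forms.setdefault(raw.hex(), "hex")
        forms.setdefault(base64.b64encode(raw).decode(), "base64")
        forms.setdefault(hashlib.md5(raw).hexdigest(), "md5")
        forms.setdefault(hashlib.sha256(raw).hexdigest(), "sha256")
    return forms

def find_leaks(records, device_ids):
    """Return (app, host, identifier, encoding) for each denied identifier sent."""
    leaks = []
    for rec in records:
        body = rec["payload"]
        for name in rec["denied"]:
            for form, kind in encodings(device_ids[name]).items():
                # Hex and hash forms are matched case-insensitively.
                if form in body or form in body.lower():
                    leaks.append((rec["app"], rec["host"], name, kind))
                    break
    return leaks

# Constructed capture: one record per outbound request seen during a test run.
# "denied" lists the identifiers the user refused to share with that app.
SAMPLE = [
    {"app": "com.example.maps", "host": "sdk.example.net", "denied": ["IMEI"],
     "payload": "v=2&did=" + hashlib.md5(DEVICE_IDS["IMEI"].encode()).hexdigest()},
    {"app": "com.example.game", "host": "ads.example.org", "denied": ["MAC", "IMEI"],
     "payload": '{"m":"' + base64.b64encode(DEVICE_IDS["MAC"].lower().encode()).decode() + '"}'},
    {"app": "com.example.notes", "host": "api.example.com", "denied": ["IMEI", "MAC"],
     "payload": "q=hello&lang=en"},
    {"app": "com.example.dialer", "host": "api.example.com", "denied": [],
     "payload": "imei=" + DEVICE_IDS["IMEI"]},  # access was granted: not flagged
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE, DEVICE_IDS):
        print(leak)
```

Seeding the test device with known identifier values is what makes hashed or encoded copies findable in the traffic.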
“The behaviors that we document in this paper constitute clear privacy violations. From a legal and policy perspective, these practices are likely to be considered deceptive or otherwise unlawful.”
The only good news is that Google has been notified about the problems, and many of them have been fixed in Android 10. The downside is that much of the market is not running on Android 10, and won’t do so for a long time.