More than 1,000 Android apps evade permissions and share data anyway
Shift from 'ask on install' to 'ask on first use' enables Baidu Android SDK to exfiltrate user data
More than 1,000 Android apps are sharing personal data, regardless of the permissions set by users.
That's according to research presented at this year's PrivacyCon, which demonstrated that a number of Android apps, including apps from well-known publishers, such as Disney, circumvent Android's permissions in order to exfiltrate share personally identifiable data from users' devices.
According to the researchers, the main causes are software development kits (SDKs) developed by Chinese developer Salmonads and Chinese search giant Baidu, with which the apps have typically been built.
The Baidu SDK, for example, enables aps to pass data between apps developed with it, regardless of the permissions set when an app is installed, taking advantage of changes to the Android permissions system introduced by Google a few years ago.
"The Android permissions system has evolved over the years from an ask-on-install approach to an ask-on-first-use approach. While this change impacts when permissions are granted and how users can use contextual information to reason about the appropriateness of a permission request, the
backend enforcement mechanisms have remained largely unchanged," warn the researchers in their paper.
"Apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels," they add, revealing that more than 88,000 apps were studied across the US Google Play Store.
Because of the changes from ‘ask on install' to ‘ask on first use', without any additional security, app developers can start busting Android permissions during installation - before the app has even been opened and the user presented with their options. The exfiltrated data includes MAC address and connection details, which can be used to geographically identify users. Some apps also transmit GPS coordinates back to base.
"We also discovered that third-party libraries provided by two Chinese companies - Baidu and Salmonads - independently make use of the SD card as a covert channel, so that when an app can read the phone's IMEI, it stores it for other apps that cannot. We found 159 apps with the potential to exploit this covert channel and empirically found 13 apps doing so," the researchers warn.
They added: "We found one app that used picture metadata as a side channel to access precise location information despite not holding location permissions."
The researchers consider the security flaws so pernicious that they have shared their research with both Google and the US Federal Trade Commission. It may also contravene GDPR, potentially putting Google at the mercy of data protection authorities across the European Union in the same week that the Information Commissioner's Office (ICO) declared its intention to fine British Airways £183 million over its security breach last year.
Some of these security and privacy issues ought to be fixed with the upcoming release of Android Q, which will stop embedding GPS coordinates into images by default and won't identify shared contacts by the frequency with which you interact with them.
However, the research implies that Google will need to conduct more in-depth surgery in order to eradicate the security and privacy issues entirely.