Some Android apps bypass permissions to access user data

  • The study examined over 88,000 apps to find 1,325 of them were flouting Android app permissions and using covert channels to access user data
  • While in majority of cases permissions were flouted to access device MAC address, in some cases the apps were able to access IMEI number, email, phone number

Over the years, app permissions have become a powerful privacy tool, allowing users to decide which data an app can or cannot access on their smartphone. However, a new study by International Computer Science Institute (ICSI) claims that thousands of Android apps can access restricted data even when users deny them permission. The study was presented at the Federal Trade Commission’s PrivacyCon in Washington DC on 27 June.

The study examined more than 88,000 apps on Play Store, and how they accessed user data on the smartphone, to find 1,325 of them were flouting Android app permissions and using covert channels to access user data. Covert channel is when an app, which has been denied permission by users, starts communication with another app that has been granted the permission to access the same data. For this, apps use common SDK (software development kit) libraries embedded within the app.

“For average users, there is no way of knowing if some app uses bad SDKs. App developers should avoid SDKs and ad-libraries providing such covert methods to collect user data," says Sanjay Katkar, joint managing director, Quick Heal Technologies.

ICSI claims it disclosed the findings to Google in September 2018. Google was yet to respond to email queries sent on Tuesday.

“Google could add more security layers to avoid this kind of misuse of SDK libraries. This new type of data mining has to be screened at the Play Store level," suggests Sachin Dev Duggal, founder and CEO, Engineer.ai.

Researchers note that Android OS protects users by sandboxing the user space in apps so that they cannot interact arbitrarily with other apps.

However, developers integrate third-party libraries in their software for things like crash reporting, analytics services, social-network integration and advertising. Any third-party service bundled in an Android app inherits access to all permission-protected data that the user grants to the app. So, if an app can access the user’s location, then all third-party services embedded in that app can access it, too.

According to the report, while in majority of cases app permissions were flouted to access device MAC address (unique number that identifies devices on a network), in some cases the apps were also able to access IMEI number (16 digit number used to identify smartphones), email, phone number and even the GPS coordinates using geo-tagging in photos.

Like IMEI, a MAC address can be used by advertisers and analytics companies to identify users. According to Kaspersky labs, it is used to track users’ movements by using smartphone as a radio beacon. By measuring the signal strength to several access points, marketers can pinpoint users’ location to within several feet. While the study was limited to Android apps, it does not completely absolve Apple’s iOS app permissions from similar misuse. Duggal, though, says that iOS is by far the safest OS on devices, since the closed ecosystem allows better control on every activity by the apps, and the apps are validated for their use case. Coming back to Android app permissions, Katkar agrees that app permission model is not fool-proof and can be exploited or misused. However, the situation would have been a lot worse if it were not present, he concludes.

Close