New Delhi: Did you know that a smartphone app can access restricted data even after you have denied it permission?

According to a June 2019 study by the International Computer Science Institute (ICSI), there are thousands of apps on the Play Store that are capable of accessing restricted data even if they don’t have the permission. These apps exploit common SDK (software development kit) libraries embedded in them to communicate with another app that has been granted permission to access the same data. These third-party libraries are often used for analytics services, social-network integration and advertising.

Most apps, whether on Android or iOS, collect user information from the moment users sign up for them with their email, phone number or social media accounts. App developers use this data to improve the user experience or monetise it by sharing it with advertisers.

While some do this legally, by being upfront in their privacy policy and seeking due permission from the user, there are many developers who secretly mine the information that users never allowed them to access.

Kaspersky Labs points out that users can identify apps that have been spying on them by using services like AppCensus and Exodus Privacy. The former uses dynamic analysis to study the behaviour of Android apps and can tell users what personal data the apps are collecting and who they are sharing it with. Exodus Privacy takes it a step further by studying apps directly and looking for built-in trackers. These are designed to gather information about users which could be used to show them more personalised ads. It also examines app permissions more closely to identify apps that pose a privacy and security risk.

Researchers at Kaspersky Labs used the two services to analyse a selfie camera app which has over 5 million downloads on the Play Store. Exodus Privacy found that the app was asking for permission to access device location. While permission to access the camera is understandable since it is a selfie app, permission to access location is not strictly necessary for it to operate. Many apps do this to add geotags to a photo's EXIF (exchangeable image file format) data. Studies have shown that this is a privacy risk in itself.

Analysis by AppCensus revealed that the selfie camera wasn’t using the device’s location for geotagging photos. Instead, it was sending the location data, along with the device’s 16-digit IMEI number, MAC address (used to identify a device on the Internet or local network), and Android ID (a code assigned to your system), to a Chinese IP address in an unencrypted format. Kaspersky rues that, in their privacy policy, the developers assure users that they do not collect any personal data or share device location details with anyone.
