When you install an app on your Android phone, you typically need to approve a few permissions before you can start using the app. These permissions are designed to protect your data by preventing apps from accessing things like your location and phone identifiers.
However, a new study uncovered over 1,000 Android apps that collect that data, even if you deny permission.
The study comes from researchers at the International Computer Science Institute (ICSI) found up to 1,325 apps that gather data regardless if people accept permissions. Researchers looked at more than 88,000 apps on the Google Play Store.
The 1,325 violating apps used hidden code that collected personal data from sources like Wi-Fi connections and metadata stored in images.
For example, photo-editing app Shutterfly gathered GPS coordinates from photos and sent the data to its own servers even when users denied the app’s permission to access location data.
A Shutterfly spokesperson told CNET that it only gathered location data with explicit permission, and did so in accordance with its privacy policy and the Android developer agreement.
The ICSI study found some apps scraped data from apps users had granted permissions too. Essentially, certain apps were set up with a file that it could write information to, such as the IMEI. Then, other apps with the same file that didn’t have access to the IMEI could instead read the file and obtain the information.
Researchers found only about 13 apps that read IMEI information this way, but those were installed more than 17 million times. One of the apps was Baidu’s Hong Kong Disneyland park app.
Neither company responded to CNET’s request for comment.
Further, 153 apps could write IMEI information to the file. Samsung’s Health and Browser apps are the most popular of the 153 apps, according to researchers, with some 500 million installs.
Samsung also did not respond to CNET’s request for comment.
The study showed other apps gathered location data by connecting to a user’s Wi-Fi network and obtaining the router’s MAC address.
The researchers notified Google and the FTC about the issues last September, and Google plans to fix the vulnerabilities in Android Q, expected to release later this year. The update will hide location data in photos from apps and require apps with Wi-Fi access to also have location permissions.
ICSI will release details along with a list of the 1,325 apps when it presents its study at the Usenix Security conference in August. In the meantime, you can read the study here.
