There is a concept of consent which Android apps ‘pretend’ to practice through permissions. Even after not permitting those apps, they are found to harvest the personal data. The researchers have found such apps to be around 1325 on Google Play store.
Researchers at the International Computer Science Institute (ICSI) found that thousands of app on the Android app store manage to skirt restrictions and gather precise geolocation data and phone identifiers, without user consent.
The study looked at over 88,000 apps on Google Play and tracked how data was transferred from the app when a user denied permissions. Of these, they found 1,325 apps that violated the permission policy and relied on workarounds to retrieve user data without their knowledge. These apps were taking personal data from sources like Wi-Fi connections and metadata stored in photos.
Reportedly, a photo-editing app, Shutterfly, was found to be gathering GPS coordinates from photos and sending that data to its own servers, even when users declined to give the app permission to access location data. In a statement to CNET, however, Shutterfly denied the researchers’ claims.
There were also apps that were relying on other apps that were granted permission to look at personal data like your IMEI number.
These apps were apparently getting the information via unprotected files on a device’s SD card and collected data that the user originally denied to them.
This basically means, if you grant access to some data to app A, and the said app stores this data on your SD card, then app B, even though you declined access, can still spy and take private information. The tactics used to overcome app restrictions are amusing at times.
In 2018, apps from a well-known cyber-security company were taken down from the Mac App Store by Apple after they were reported to export user data. According to researchers, there are several apps in the App Store that were stealing and abusing user data. Apple immediately removed these offending apps from the store.
The researchers apparently notified Google about these issues last September. Google said it would be addressing the issues in Android Q, which is expected to release this year.
The question is, why the apps stores are so powerless against such information-sucking apps. Does the privacy of the customer matter anything to Google? Let’s hope, that the much awaited Android Q add a dimension of data security in the Android smart phones.