More than 1,000 Android apps discovered to harvest data even after you deny permissions

nanoguy

The big picture: Researchers at the Usenix Security Conference were awarded a bug bounty by Google today after detailing how a number of Play Store apps can effectively ignore the permissions you set. The techniques range from ways to identify you and track your location to outright sharing of access between apps whose permissions you configured differently, so an app you denied ends up with the data anyway.

We’ve become used to the idea of app stores populated by curated apps with no malicious intent. Both Google and Apple require apps to ask for permission before using your contact list, messages, files, camera or location, yet those apps have alternative ways to funnel that data out even after you’ve denied them access.

In the case of Android, researchers at the International Computer Science Institute found at least 1,300 apps, out of a pool of 88,000 studied, that use no fewer than 50 ways to circumvent what you declined on the permissions screen. They span the entire range of app categories, and even popular third-party SDKs and libraries were examined, only to be found littered with code that can be used to store personal user data.

The findings were presented at the Usenix Security Conference and highlight two common ways in which Play Store apps circumvent access restrictions. The first involves vulnerabilities in Android and in third-party SDKs, such as one in Unity that allows dozens of apps to store unique identifiers for your mobile device.

The second is “covert channels,” shorthand for apps that have a clever or unorthodox way to share user information with apps that don’t hold the same permissions. For example, third-party libraries from the Chinese companies Baidu and Salmonads use the SD card to store sensitive information, which can then be picked up by apps that shouldn’t technically have access to it. There are 153 such apps, installed on over 500 million devices.
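The SD-card channel described above works only because shared external storage is readable by every app, so one defender-side check is to audit that storage for identifier-like values left in files. The following Python script is an added example, not code from the article or the researchers: it builds a constructed sample tree (directory names, file names and values are made up; the IMEI is a standard Luhn-valid sample number) and flags files containing Luhn-valid 15-digit IMEIs or MAC addresses.

```python
import os
import re
import tempfile

# Identifier shapes worth flagging in shared storage: a 15-digit IMEI and a MAC address.
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; real IMEIs pass, random 15-digit numbers mostly fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_shared_storage(root: str, max_bytes: int = 65536) -> list:
    """Walk a shared-storage tree and return (relative path, kind, value) for each hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:  # only the first max_bytes are inspected
                    text = f.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            for m in IMEI_RE.finditer(text):
                if luhn_ok(m.group()):  # drop digit runs that are not plausible IMEIs
                    findings.append((rel, "imei", m.group()))
            for m in MAC_RE.finditer(text):
                findings.append((rel, "mac", m.group()))
    return findings


def build_sample_sdcard() -> str:
    """Constructed sample tree standing in for an SD card; all names and values are made up."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    os.makedirs(os.path.join(root, ".hidden_sdk"))
    with open(os.path.join(root, ".hidden_sdk", "ids.txt"), "w") as f:
        f.write("imei=490154203237518\nmac=02:00:00:00:00:01\n")  # Luhn-valid sample IMEI
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("order 123456789012345 placed\n")  # 15 digits but fails Luhn, so ignored
    return root


if __name__ == "__main__":
    for rel, kind, value in scan_shared_storage(build_sample_sdcard()):
        print(f"{rel}: {kind} {value}")
```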

Google rewarded the researchers for the findings and has promised to address the issues in Android Q, which is expected to focus on privacy.

In any case, the company has an even bigger responsibility on its hands that it can’t ignore, as malicious apps can dwell in the Trending section of the Play Store long enough to affect hundreds of thousands of users.

When it comes to protecting our personal data, few of us take the time to address how much of it is gobbled up by tech companies, even though a few simple steps, all of them free, can help you do just that.


 
USE CUSTOM ROMs people! ffs! Everyone knows this at this point... or at least anyone that has the ability to read and write...
Using a custom ROM doesn't fix this problem at all,
unless you make using your phone a part-time job by locking down every aspect of it with tons of custom utilities.
Because apps creating files that other apps can then read is hard to prevent... and some apps don't work without specific permissions.
 
TBH I am not even surprised; it's happening on iOS and it's happening on Android as well.
Only a delusional person thinks his device is "safe", nobody can crack it, nobody will track you etc.

I agree, but it's funny how I get all my comments deleted here that say exactly the same thing as you, and then a couple days later they "break the news".

Techspot, take note: that's not "trolling", it's DRAGONING. Get over it.
 
I agree, but it's funny how I get all my comments deleted here that say exactly the same thing as you, and then a couple days later they "break the news".

Yeah, I get that a lot too. Seeing too much into the future. Some sites are even worse.

For example, TED.com is extremely conservative and dogmatic for an allegedly very liberal and open-minded site. They are worse than the Spanish Inquisition a few hundred years ago. Criticism of a talk is not allowed. You can only agree. So no wonder that almost all the comments agree with the talk, when they disable the comments that didn't. They've learned democracy from North Korea.
 
People actually believe the "permissions" thing? If it enters your device (it meaning your data), you must assume it's public.
 