The big picture: Researchers at the Usenix Security Conference today were awarded a bug bounty by Google after they detailed how a number of Play Store apps are able to essentially ignore your permissions and share access to what’s on your smartphone with each other. The techniques range from ways to identify you and track your location to outright sharing of access between apps that you’ve given different permissions.
We’ve become used to the idea of app stores that are supposed to be populated by curated apps with no malicious intent. Both Google and Apple force apps to ask you for permission to use your contacts list, messages, files, camera or location, but those apps do have alternative ways to funnel that data even after you’ve denied them access.
In the case of Android apps, researchers at the International Computer Science Institute found at least 1,300 apps from a pool of 88,000 studied that have no fewer than 50 ways to circumvent what you didn’t consent to on the Permissions screen. The apps span the entire range of categories, and when the researchers examined popular third-party SDKs and libraries, they found them littered with code that can be used for storing personal user data.
The findings were presented at the Usenix Security Conference and highlight two common ways in which Play Store apps circumvent access restrictions. The first has to do with vulnerabilities in Android and in third-party SDKs, such as Unity, which somehow allows dozens of apps to store unique identifiers for your mobile device.
The second one is called “covert channels,” which is shorthand for apps that have a clever or unorthodox way to share user information with apps that don’t have the same permissions. For example, third-party libraries from Chinese companies Baidu and Salmonads use the SD card to store sensitive information that can then get passed to apps that technically shouldn’t have access to it. Mind you, there are 153 such apps, and they are installed on over 500 million devices.
Google rewarded the researchers for the findings and has promised to address the issues in Android Q, which is supposed to have a focus on privacy.
In any case, the company has an even bigger responsibility on its hands that it can’t ignore, as malicious apps can dwell in the Trending section of the Play Store long enough to affect hundreds of thousands of users.
When it comes to protecting our personal data, few of us take the time to address how much of it is gobbled up by tech companies, even though a few simple steps can help you do just that, and they cost nothing at all.