When you grant an app permission to access certain data, you probably expect that denying access means that the app simply can’t access the data. Turns out, that may not be altogether true. According to a new report, over 1,000 apps have found ways to bypass those restrictions, essentially allowing them to gather data without the user knowing.
The academic study, which was published on the FTC website, shows that 1,325 of the 88,000 apps that were studied collected such information as geolocation data and phone identifiers, even if the apps weren’t given the permission to do so. There are some pretty popular apps on the list, too — including the Shutterfly app. Baidu was also collecting data through its mapping service — meaning that apps like the Hong Kong Disneyland app, which use Baidu’s mapping service, have been collecting data without permission. Other apps like the Samsung Health and Samsung Browser app also used Baidu back-end and collected data, resulting in other Baidu apps being able to read that data.
Shutterfly, for its part, denies any wrongdoing.
“Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and personalized product suggestions, all in accordance with Shutterfly’s privacy policy as well as the Android developer agreement,” said the company in a statement to CNET.
Some apps used more nefarious methods than others. For example, around 13 of the apps researched piggybacked off of other apps to get access to user data. These apps, which were installed over 17 million times, could read through files that were unprotected, and included the Hong Kong Disneyland app.
So what can be done to prevent these apps from collecting this data? Considering the fact that permissions are supposed to be how we control what data apps can collect, not much. The researchers in the report note that they’ve alerted Google to the issue and that Google has said that it should be fixed in Android Q, which is set to be released later this year. Even with such a fix, there are a ton of phones that won’t get access to Android Q, leaving users vulnerable to having their data collected without their permission. Apart from the fact that the apps in question shouldn’t be collecting data like this, Google should also upgrade how permissions work for all users, even those with older handsets.
Editors’ Recommendations
- Around 40% of Android and iOS apps have high-risk vulnerabilities
- Huawei’s EMUI 9 operating system is already on 80 million devices
- HMD Global is moving all Nokia user data to Finland to better protect it
- Google could soon deliver system updates through the Play store
- Android 10 Q hands-on review