When you tell an Android app “No, you’re not allowed to track my phone,” that means the app won’t be able to use those abilities. But researchers have reported that thousands of Android apps have found a way to fool Android’s permission system, collecting your phone’s unique identifier and enough data to reveal your phone’s location.
For example, if you have denied one app access to your data but allowed another, and the allowed app stores that data on shared storage, other apps, including the one you denied, can read it as well.
These apps don’t seem related, but the researchers say that because they’re built using the same software development kits (SDKs), they can access that data, and there’s evidence that the SDK owners are receiving it.
The findings come from a study presented at PrivacyCon 2019, and the affected apps include ones from Samsung and Disney that have hundreds of millions of downloads. These apps use SDKs built by Chinese search giant Baidu and an analytics firm called Salmonads that could pass your data from one app to another (and to their servers) by storing it locally on your phone first. Researchers saw that some apps using the Baidu SDK may be attempting to quietly obtain this data for their own use.
In addition, the researchers found that some of the apps can send home the unique MAC addresses of your networking chip and router, along with the wireless access point, its SSID, and more.
“It’s pretty well-known now that’s a pretty good surrogate for location data,” said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), when presenting the study at PrivacyCon.
The study singled out the Photos app Shutterfly for sending actual GPS coordinates back to its servers without getting permission to track locations — by harvesting that data from your photos’ EXIF metadata — though the company denied that it gathers that data without permission in a statement to CNET.
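As an added example (not from the study or the original article), the Python sketch below checks whether a JPEG carries an EXIF GPS sub-IFD, the metadata the paragraph above describes being harvested, so photos can be audited before they are placed where apps can read them. The sample bytes are constructed and the function names are hypothetical.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD

def exif_payload(jpeg: bytes):
    """Return the TIFF data of the first Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # image data starts or file ends: stop
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + length
    return None

def gps_tags(jpeg: bytes):
    """Return GPS tag ids found in the photo; an empty list means none."""
    tiff = exif_payload(jpeg) or b""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte-order mark
    if order is None or len(tiff) < 8:
        return []
    def entries(offset):  # yield (tag, type, count, value) per 12-byte entry
        if offset + 2 > len(tiff):
            return
        (count,) = struct.unpack_from(order + "H", tiff, offset)
        for start in range(offset + 2, offset + 2 + 12 * count, 12):
            if start + 12 > len(tiff):  # truncated IFD: stop, don't raise
                return
            yield struct.unpack_from(order + "HHII", tiff, start)
    (ifd0,) = struct.unpack_from(order + "I", tiff, 4)
    for tag, _type, _count, value in entries(ifd0):
        if tag == GPS_IFD_TAG:
            return [t for t, *_ in entries(value)]
    return []

def sample_jpeg(with_gps: bool) -> bytes:
    """Constructed minimal JPEG: SOI, one Exif APP1 segment, EOI."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    if with_gps:  # IFD0 points at a GPS IFD holding GPSLatitudeRef/GPSLongitudeRef
        tiff += struct.pack(">HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
        tiff += struct.pack(">HHHI4sHHI4sI", 2, 1, 2, 2, b"N", 3, 2, 2, b"E", 0)
    else:
        tiff += struct.pack(">HI", 0, 0)  # empty IFD0, no GPS pointer
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

A non-empty result from `gps_tags` means the file still carries location tags and should be stripped of them before it is shared.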
Researchers say that they informed Google about these vulnerabilities in September 2018 and that this could be fixed in the upcoming Android Q update (confirmed with this update). But it seems the Android Q update won’t reach current-generation Android phones: as of May, only 10.4 percent of Android devices had the latest Android P installed, and over 60 percent were still running the nearly three-year-old Android N.
Researchers say that Google needs to do more to fix these issues for all Android versions through security updates. “Google is publicly claiming that privacy should not be a luxury good, but that very well appears to be what’s happening here,” said Egelman.