Sponsored By

Android App Publishers Won't Take 'No' for an Answer on Personal Data

Researchers find more than 1,000 apps in the Google Play store that gather personal data even when the user has denied permission.

App publishers like consumer data so much that they're willing to go to great lengths to get it — even when those lengths involve ignoring or working around the consumer denying them the right to that data.

At the Federal Trade Commission's PrivacyCon 2019, held in June, researchers from the International Computer Science Institute (ICSI) presented data showing that as many as 1,325 Android apps were gathering data from devices, even after the device owners had denied such permission to the apps.

The data presented at the conference is based on earlier work the researchers presented at the Usenix Security Symposium in February. In that paper, titled "50 Ways to Leak Your Data," the team of researchers from UC Berkeley, AppCensus, and Universidad Carlos III de Madrid examined more than 88,000 Android apps to see how they captured, used, and stored customer data. They found that Android apps employ a number of techniques for gathering data that the user may believe is private.

As an example, the researchers pointed to photography apps that scrape the GPS data from photographs to obtain location information after the user has denied the app the right to gather location data. Other apps inferred location information by gathering the MAC address of Wi-Fi routers the device was connected to rather than directly polling for location information.

"Apps capturing and using data in unintended ways is not new and has been a problem since the first smartphone app was introduced," says Chris Morales, head of security analytics at Vectra. "The smartphone market moved so quickly, the goal of the OS manufacturer was to ensure they had a large enough volume of apps to be relevant in the market. Security was not a primary driver and we find the OS manufacturers now having to clean up the after effects of fast growth in the app store."

According to Google, that cleanup will extend into the next major Android release. While researchers notified the company of the privacy issue in September, Google has said that it won't address the "side-channel" information gathering until the release of Android Q, scheduled for October 2019.

Until Android Q is available, those using Android phone will simply have to be careful about the apps they install, even when those apps are downloaded from Google Play. Terence Jackson, CISO at Thycotic says, "Data privacy is all the rage now, GDPR, CCPA, LGPD, just to name a few. But this story highlights the importance of app store owners to implement a more Zero Trust model toward their developers and implement ongoing strategies to evaluate application security."

Related content:

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights