Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Android App Publishers Won't Take 'No' for an Answer on Personal Data

Researchers find more than 1,000 apps in the Google Play store that gather personal data even when the user has denied permission.

App publishers like consumer data so much that they're willing to go to great lengths to get it — even when those lengths involve ignoring or working around the consumer denying them the right to that data.

At the Federal Trade Commission's PrivacyCon 2019, held in June, researchers from the International Computer Science Institute (ICSI) presented data showing that as many as 1,325 Android apps were gathering data from devices, even after the device owners had denied such permission to the apps.

The data presented at the conference is based on earlier work the researchers presented at the Usenix Security Symposium in February. In that paper, titled "50 Ways to Leak Your Data," the team of researchers from UC Berkeley, AppCensus, and Universidad Carlos III de Madrid examined more than 88,000 Android apps to see how they captured, used, and stored customer data. They found that Android apps employ a number of techniques for gathering data that the user may believe is private.

As an example, the researchers pointed to photography apps that scrape the GPS data from photographs to obtain location information after the user has denied the app the right to gather location data. Other apps inferred location information by gathering the MAC address of Wi-Fi routers the device was connected to rather than directly polling for location information.

"Apps capturing and using data in unintended ways is not new and has been a problem since the first smartphone app was introduced," says Chris Morales, head of security analytics at Vectra. "The smartphone market moved so quickly, the goal of the OS manufacturer was to ensure they had a large enough volume of apps to be relevant in the market. Security was not a primary driver and we find the OS manufacturers now having to clean up the after effects of fast growth in the app store."

According to Google, that cleanup will extend into the next major Android release. While researchers notified the company of the privacy issue in September, Google has said that it won't address the "side-channel" information gathering until the release of Android Q, scheduled for October 2019.

Until Android Q is available, those using Android phone will simply have to be careful about the apps they install, even when those apps are downloaded from Google Play. Terence Jackson, CISO at Thycotic says, "Data privacy is all the rage now, GDPR, CCPA, LGPD, just to name a few. But this story highlights the importance of app store owners to implement a more Zero Trust model toward their developers and implement ongoing strategies to evaluate application security."

Related content:

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13157
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...