Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Android App Publishers Won't Take 'No' for an Answer on Personal Data

Researchers find more than 1,000 apps in the Google Play store that gather personal data even when the user has denied permission.

App publishers like consumer data so much that they're willing to go to great lengths to get it — even when those lengths involve ignoring or working around the consumer denying them the right to that data.

At the Federal Trade Commission's PrivacyCon 2019, held in June, researchers from the International Computer Science Institute (ICSI) presented data showing that as many as 1,325 Android apps were gathering data from devices, even after the device owners had denied such permission to the apps.

The data presented at the conference is based on earlier work the researchers presented at the Usenix Security Symposium in February. In that paper, titled "50 Ways to Leak Your Data," the team of researchers from UC Berkeley, AppCensus, and Universidad Carlos III de Madrid examined more than 88,000 Android apps to see how they captured, used, and stored customer data. They found that Android apps employ a number of techniques for gathering data that the user may believe is private.

As an example, the researchers pointed to photography apps that scrape the GPS data from photographs to obtain location information after the user has denied the app the right to gather location data. Other apps inferred location information by gathering the MAC address of Wi-Fi routers the device was connected to rather than directly polling for location information.

"Apps capturing and using data in unintended ways is not new and has been a problem since the first smartphone app was introduced," says Chris Morales, head of security analytics at Vectra. "The smartphone market moved so quickly, the goal of the OS manufacturer was to ensure they had a large enough volume of apps to be relevant in the market. Security was not a primary driver and we find the OS manufacturers now having to clean up the after effects of fast growth in the app store."

According to Google, that cleanup will extend into the next major Android release. While researchers notified the company of the privacy issue in September, Google has said that it won't address the "side-channel" information gathering until the release of Android Q, scheduled for October 2019.

Until Android Q is available, those using Android phone will simply have to be careful about the apps they install, even when those apps are downloaded from Google Play. Terence Jackson, CISO at Thycotic says, "Data privacy is all the rage now, GDPR, CCPA, LGPD, just to name a few. But this story highlights the importance of app store owners to implement a more Zero Trust model toward their developers and implement ongoing strategies to evaluate application security."

Related content:

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13640
PUBLISHED: 2019-07-17
In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
CVE-2019-5222
PUBLISHED: 2019-07-17
There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user to install a malicious application and successful ...
CVE-2019-1919
PUBLISHED: 2019-07-17
A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account w...
CVE-2019-1920
PUBLISHED: 2019-07-17
A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface. The vulnerability is due to a lack of complete error handling conditi...
CVE-2019-1923
PUBLISHED: 2019-07-17
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by access...