STREAMING NOW: Watch Now

Android apps are harvesting your data even after you tell them not to, says study

When you deny a mobile app permission to collect personal data from your phone, it's reasonable to expect it abides by that. But...

Posted: Jul 10, 2019 8:21 AM
Updated: Jul 10, 2019 1:15 PM

When you deny a mobile app permission to collect personal data from your phone, it's reasonable to expect it abides by that. But a new study of popular Android apps found that's not always the case.

Thousands of popular apps from the Google Play Store are able to bypass permissions to collect user data, according to the nonprofit research center International Computer Science Institute, which partners with University of California, Berkeley. The apps work around restrictions by finding 'side channels' or 'covert channels' such as taking data from apps that do have those permissions, potentially affecting hundreds of millions of Android users.

Researchers found roughly 60 Android apps, which have been downloaded millions of times, are already doing this. Many others are built with code that could allow them to do the same.

The study also points out that Android permissions make it difficult to track how an app will share the information and under what circumstances, even when users do agree to share data.

'These deceptive practices allow developers to access users' private data without consent, undermining user privacy and giving rise to both legal and ethical concerns,' the researchers wrote.

The researchers contacted Google about what they found, and the company paid them a bug bounty. Google says the issues will be addressed in the next big Android update, called Android Q, that is expected later this year.

The study was sponsored by the US National Security Agency's Science of Security program, the Department of Homeland Security and the National Science Foundation, among others, and was presented at the Federal Trade Commission's PrivacyCon event last week.

Researchers downloaded and analyzed the most popular apps in each category of the Google Play Store, 88,000 in total.

In some cases, apps with permission to access information like location data stored it on the phone's SD card, where apps without proper permissions could access it.

In other cases, users may have technically given the app access to the data without understanding exactly what they were agreeing to. For example, photos often include metadata such as the time and location where they were taken, meaning an app could view a user's location even if it didn't have permission.

'We note that these exploits may not necessarily be malicious and intentional,' the researchers wrote.

Google says photo location information will be hidden by default from apps that request photos on Android Q, unless developers specify on the Google Play Store whether their app is capable of accessing a photo's location. The update will also require apps that gather wifi access point information (which researchers say is de facto location data) to have location permissions. Apple also recently announced it was cracking down on apps using wifi and Bluetooth connections to gather location data in its next iOS update.

The study reinforces concerns over the ways Big Tech companies manage and protect (or fall short of protecting) user privacy. Google CEO Sundar Pichai said at a December Congressional hearing that the company does collect a large amount of user data and offers tools for users to determine how much of their information they allow Google and applications on the Android operating system to collect. However, he has conceded that the company could be doing more.

'I don't think users have a good sense for how their data is being used, I think we've put the burden on users to a large extent,' Pichai told CNN's Poppy Harlow last month. 'I think we need a better framework where users get that comfort that they are in control of their data, how it's used.'

Oregon Coronavirus Cases

Data is updated nightly.

Confirmed Cases: 10395

Reported Deaths: 215
CountyConfirmedDeaths
Multnomah252969
Marion166148
Washington162020
Clackamas86125
Umatilla7726
Union3561
Lincoln3464
Lane2283
Deschutes2210
Malheur2161
Polk16012
Linn1579
Jackson1520
Yamhill1398
Jefferson1340
Klamath1301
Morrow1071
Benton955
Hood River940
Wasco941
Josephine561
Clatsop540
Douglas510
Columbia420
Coos420
Lake210
Tillamook150
Crook130
Wallowa100
Curry80
Baker50
Sherman30
Gilliam10
Grant10
Harney10
Unassigned00
Wheeler00

California Coronavirus Cases

Data is updated nightly.

Confirmed Cases: 271035

Reported Deaths: 6441
CountyConfirmedDeaths
Los Angeles1165703534
Riverside20555486
Orange17882366
San Diego16726387
San Bernardino15345269
Imperial7190117
Alameda6855140
Fresno611077
Santa Clara5408164
Kern536982
Tulare5009136
San Joaquin447455
Sacramento423669
San Francisco399250
Contra Costa387885
Ventura378950
San Mateo3599108
Santa Barbara326129
Marin280921
Kings267333
Stanislaus266045
Monterey215115
Solano147625
Sonoma135911
Merced127211
Placer91111
San Luis Obispo7652
Yolo67726
Madera5785
Santa Cruz4593
Napa4364
San Benito2732
Sutter2523
Lassen2420
El Dorado2260
Butte2063
Shasta1544
Humboldt1444
Nevada1291
Yuba1282
Glenn1220
Lake961
Tehama881
Mendocino850
Colusa700
Del Norte581
Calaveras530
Mono471
Tuolumne430
Amador330
Inyo331
Siskiyou320
Mariposa311
Plumas110
Alpine20
Trinity20
Sierra10
Unassigned00
Medford
Clear
61° wxIcon
Hi: 80° Lo: 52°
Feels Like: 61°
Brookings
Clear
55° wxIcon
Hi: 70° Lo: 54°
Feels Like: 55°
Crater Lake
Clear
49° wxIcon
Hi: 71° Lo: 40°
Feels Like: 49°
Grants Pass
Clear
61° wxIcon
Hi: 79° Lo: 52°
Feels Like: 61°
Klamath Falls
Clear
49° wxIcon
Hi: 75° Lo: 38°
Feels Like: 49°
Warming up the rest of the week
KDRV Radar
KDRV Fire Danger
KDRV Weather Cam

Community Events