Permissions in Android applications are intended to be guardians of the information provided by your phone. If you do not want a flashlight application to have the ability to check your call log, you must have the prerogative to deny access. But even when you say no, many apps find a way around: researchers found that more than 1,000 applications bypassed the restrictions, allowing the subtraction of information as an exact geographical location, as well as phone identifiers, behind your back.
The discovery highlights how difficult it is to maintain privacy online, particularly if it has to do with your phone or mobile applications. Technology companies have mountains of personal information from millions of people, including where they have been, who their friends are and what their interests are.
Lawmakers are trying to contain that with privacy legislation and application permissions are supposedly to control the information you give.Y they have launched new tools to improve user privacy, but applications still find .
Researchers at the International Institute of Computational Sciences (ICSI) discovered up to 1,325 Android applications that collect information on the devices where they are even after users explicitly denied them permits. Serge Egelman, director of usable security and privacy research at ICSI, presented the study at the end of June at the privacy conference of the United States Federal Trade Commission.
"Fundamentally, consumers have very few tools and signs that they can use to reasonably control their privacy and make decisions about it," Egelman said at the conference. "If app developers can go around the system, then asking consumers for permissions is relatively nonsense."
Android 10: The most important news
Egelman said investigators notified Google about these problems last September, as did the Federal Trade Commission. Google said to mitigate those issues with, the operating system whose official version is expected this year.
The update addresses the problem by hiding photo location information from applications and requiring any app that uses Wi-Fi that needs a permit to access location information, according to Google.
The study looked at more than 88,000 apps in the Google Play store, tracking how they transfer app information when permissions were denied. The 1,325 apps that broke the permits on Android used hidden tools in their code to obtain personal information that could be taken from sources such as Wi-Fi connections and the metadata stored in the photographs.
The researchers found that Shutterfly, a photo editing application, has collected GPS coordinate information from the photographs and sent them to their servers, even when users declined to grant the application permission to access their location.
Fundamentally, consumers have very few tools and signs that they can use to reasonably control their privacy and make decisions about it. "
Serge Egelman, director at the International Institute of Computational Sciences
A spokeswoman for Shutterfly said the company only collected location information with the user's explicit permission, despite the evidence found by the researchers.
"Like many photo services, Shutterfly uses this information to improve the user experience with features such as product suggestions with categorization and customization, all in accordance with Shutterfly's privacy policies as well as with the Android developer agreement," he said. the company through a statement.
Some applications depend on other applications that have the permission to view personal information, being computerized permissions granted to a third party such as caller IDs. These apps will be able to read through unprotected files on the SD card of a device and collect the information to which they had denied permission. So, if you allowed another application to have access to your personal information and they kept it in a file on the SD card, the Spanish applications could enter and take that information.
While there were only about 13 apps doing this, they were installed more than 17 million times, according to the researchers. This includes applications such as Baidu, the app of the Disneyland Park in Hong Kong, the researchers said.
Baidu and Disney have not responded to a request for comment.
There are 153 apps that have that capability, they discovered in the investigation, including Samsung's health and navigation applications, which are installed on more than 500 million devices.
Samsung has not responded to a request for comment so far.
Other applications collected location information when connecting to a Wi-Fi network and deciphering the MAC address of the router. They discovered this in applications that worked as smart remote controls, which don't need your location information to operate.
Egelman said he would release the details with a list of the 1,325 researchers discovered when he presented the study at the Usenix Security conference in August.
Editor's Note:This article was originally published on July 8, 2019.