Back in December Google CEO Sundar Pichai conceded during a session with members of Congress that the company could “do better” when it comes to helping users understand what steps to take to better protect their privacy. Unfortunately, it seems the company could also do a lot better when it comes to just, you know, actually protecting that privacy.
The latest example of how that’s the case comes via a study presented by researchers at PrivacyCon 2019. It found that thousands of Android apps are potentially abusing the mobile operating system’s permissions to collect data and potentially reveal critical information about the user, including his or her location.
Particularly egregious, according to the researchers, is the fact that if you deny one of the apps permission to obtain data that could potentially identify you, another app that you did give permission to could share the data with the other app. Said another way, to borrow an analogy used by The Verge today to describe the situation, it’s like a child asking one parent for sweets, getting told “no,” and then going to ask the other parent who ends up giving it to them. According to the researchers, this kind of thing is possible when apps have been built with the same SDKs.
Additionally, the researchers found vulnerabilities including some that can send data like your wireless access point and the unique MAC address of your router “back home.” Said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute when presenting the team’s findings, “It’s pretty well-known now (that data is) a pretty good surrogate for location data.”
Apps from companies like Samsung, using SDKs built by analytics firm Salmonads as well as China’s Baidu, are called out in the study. Two Samsung apps mentioned include Samsung’s Health and Browser apps, both with more than half a billion installs. Likewise, the study puts two apps from Disney in this same bucket, the two apps being one each for Disney’s Hong Kong and Shanghai theme parks. The Baidu SDK, the researchers note, is able to circumvent Android’s permission system and access the device’s IMEI — a unique 15- to 17-digit number unique to everyone’s handset.
“We also discovered that third-party libraries provided by two Chinese companies — Baidu and Salmonads — independently make use of the SD card as a covert channel, so that when an app can read the phone’s IMEI, it stores it for other apps that cannot,” the researchers note at one point in the study. “We found 159 apps with the potential to exploit this covert channel and empirically found 13 apps doing so.”
Another app the study calls out is the photo app Shutterfly for sending GPS coordinates to the company’s servers without asking the user for permission. That’s done by using photo metadata, though it’s important to point out Shutterfly has issued a statement to CNET denying that it tracks users without their permission.
The researchers say they’ve told Google about their findings, and fixes for some of it will come with Android Q. Unfortunately, Egelman uses Pichai’s recent comment in a New York Times piece (that “privacy should not be a luxury good”) against him, noting that the fixes to these issues that will come with Android Q, which won’t help owners of older handsets that don’t get the update.
Google told The Verge that, among the steps it’s taking along these lines, going forward with Android Q it will hide geolocation data from photo apps by default.