Here is how applications access data without your consent

Here is how applications access data without your consent

Researchers at the International Computer Science Institute (ICSI) are discovering vulnerabilities that allow applications to obtain certain information from your smartphone even if you refuse to provide it. New security measures are already planned on Android Q.

On Android as on iOS, when an application wants to access certain information on your mobile, such as geolocation, it must first ask you for permission. And from an ergonomic point of view, Google and Apple have made these permission requests clearer for users.

But obviously, on Android, even when you deny access to an application, it is still possible that it bypasses the mechanism in order to access certain data.

This is what researchers at the International Computer Science Institute (ICSI) are discovering, having tested and analyzed the behavior of more than 88,000 Android applications, among the most popular on the Play Store. And their conclusion is that more than a thousand third-party applications or libraries are able to collect data that has not been authorized by the user, bypassing the mechanism imposed by Google on Android. The data concerned include unique identifiers such as MAC addresses or the device’s IMEI, as well as geolocation data.

Bypassing Google’s policies

Two techniques for collecting this data are highlighted. One, the side channel, exploits information that is not covered by the operating system’s security mechanisms. The other, the “covert channel”, involves sharing information between two applications.

For example, the study refers to two Chinese third party libraries (Baidu and Salmonads) that used a covert channel. The researchers state that if an application using the library was able to obtain the IMEI from the phone, this information is stored by the library. Then, it can be read by other applications using the same library, without asking permission.

The document published by the International Computer Science Institute (ICSI) also cites the example of the Shutterfy photo editing application which, even without Android’s permission mechanism to use GPS, can collect geolocation information. How is that possible? By using the EXIF of the photos. “Although this application may not intend to bypass the authorization system, this technique can be used by a malicious actor to access the user’s location. Each time a new photo is taken by the user with geolocation enabled, any application with read access to the photo library (i.e. READ_EXTERNAL_STORAGE) can know the user’s exact location when the photo was taken,” the study states. In its defense, Shutterfy stated in a statement relayed by Cnet: “Like many photo services, Shutterfly uses this data to improve the user experience with features such as categorization and custom product suggestions, all in accordance with Shutterfly’s privacy policy and the Android developer agreement. ยป

The results of the study have already been shared with Google and the FTC (US regulator). And in addition to rewarding researchers with a bonus, Google is already working on a way to block these new ways of accessing user data. Unfortunately, these features are announced for Android Q. And we know that for the majority of Android users, the most recent version of the OS will take a long time to arrive after its official release.