model of modern mobile operating systems, like Android and iOS, is primarily based on permissions that explicitly define which sensitive services, device capabilities, or user information an app can access, allowing users to decide what apps can access.
However, new findings by a team of researchers at the International Computer Science Institute in California revealed that mobile app developers are using shady techniques to harvest users' data even after they deny permissions.
In their talk "50 Ways to Pour Your Data" [PDF] at PrivacyCon hosted by the Federal Trade Commission last Thursday, researchers presented their findings that outline how more than 1,300 Android apps are collecting users' precise geolocation data and phone identifiers even when they've explicitly denied the required permissions.
"Apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels," the researchers wrote.
"These channels occur when there is an alternate means to access the protected resource that is not audited by the security mechanism, thus leaving the resource unprotected."
Researchers studied more than 88,000 apps from the Google Play store, 1,325 of which were found violating permission systems within the Android operating system by using hidden workarounds that allow them to look for users' personal data from sources like metadata stored in photos and Wi-Fi connections.
Location Data — For instance, researchers found a photo-editing app, called Shutterfly, that collects location data of a device by extracting GPS coordinates from the metadata of photos, as a side-channel, even when users declined to grant the app permission to access location data.
"We observed that the Shutterfly app (com.shutterfly) sends precise geolocation data to its own server (apcmobile.thislife.com) without holding location permission."
Moreover, it should be noted that if an app can access the user's location, then all third-party services embedded in that app can also access it.
Phone Identifier — Besides this, researchers found 13 other apps, with more than 17 million installations, that access the phone's IMEI, a persistent phone identifier, which other apps had stored unprotected on the phone's SD card.
"Android protects access to the phone's IMEI with the READ_PHONE_STATE permission. We identified two third party online services that use different covert channels to access the IMEI when the app does not have the permission required to access the IMEI."
According to researchers, third-party libraries provided by two Chinese companies, Baidu and Salmonads, are also using this technique as a covert channel to gather data they otherwise didn't have permission to access.
MAC Address — Other apps were found using the MAC address of the Wi-Fi access point to figure out the user's location. Apps that function as smart remote controls, which otherwise do not need location information to function, were found collecting location data in this way.
"We discovered companies getting the MAC addresses of the connected Wi-Fi base stations from the ARP cache. This can be used as a surrogate for location data. We found 5 apps exploiting this vulnerability and 5 with the pertinent code to do so," researchers wrote.
"Additionally, knowing the MAC address of a router allows one to link different devices that share Internet access, which may reveal personal relations by their respective owners, or enable cross-device tracking."
In their study, researchers successfully tested these apps on instrumented versions of Android Marshmallow and Android Pie.
Researchers reported their findings to Google last September, and the company paid the team a bug bounty for responsibly disclosing the issues, but unfortunately, the fixes will be rolled out with the release of Android Q, which is due later this summer.
The Android Q update will address the issues by hiding location data in photos from third-party apps as well as making it mandatory for apps that access Wi-Fi to have permission to access location data.
Until then, users are advised not to trust third-party apps and to turn off location and ID permission settings for apps that do not actually need them in order to function. Also, uninstall any app you don't regularly use.