Permissions on Android apps are supposed to determine how much data you give up. If you don’t want an app to listen to your conversation, then you do not allow access to your smartphone’s microphone to the app, and that’s how it should be. However, researchers have found that there are up to 1,325 apps on Google Play that harvest your personal data despite you explicitly denying them permission.
Researchers at the International Computer Science Institute (ICSI) found that thousands of app on the Android app store manage to skirt restrictions and gather precise geolocation data and phone identifiers, without user consent.
The study looked at over 88,000 apps on Google Play and tracked how data was transferred from the app when a user denied permissions. Of these, they found 1,325 apps that violated the permission policy and relied on workarounds to retrieve user data without their knowledge.
These apps were taking personal data from sources like Wi-Fi connections and metadata stored in photos.
Reportedly, a photo-editing app, Shutterfly, was found to be gathering GPS coordinates from photos and sending that data to its own servers, even when users declined to give the app permission to access location data. In a statement to CNET, however, Shutterfly denied the researchers’ claims.
There were also apps that were relying on other apps that were granted permission to look at personal data like your IMEI number.
These apps were apparently getting the information via unprotected files on a device’s SD card and collected data that the user originally denied to them.
This basically means, if you grant access to some data to app A, and the said app stores this data on your SD card, then app B, even though you declined access, can still spy and take private information. The tactics used to overcome app restrictions are amusing at times.
The researchers apparently notified Google about these issues last September. Google said it would be addressing the issues in Android Q, which is expected to release this year.