The Android permission model is intended to protect particularly sensitive data. For example, an app can access the location or the device ID only after the user has granted it the corresponding permission. But some applications bypass the permissions by accessing the data in other ways. This was discovered by researchers from Berkeley University (USA), the IMDEA Networks Institute (Spain) and the University of Calgary (Canada) (PDF).
The researchers examined 88,000 apps from the US version of the Google Play Store. In an isolated environment, they checked what data the apps accessed and what information they tried to send to the manufacturer or to tracking services. In total, the researchers discovered 1,325 programs that could gain access to data without proper authorization. The researchers want to publish the names of all apps in a presentation at the Usenix conference.
Around 70 apps used various tricks to obtain data from the device without authorization. For example, the location can be read from a recent photo, provided the camera app stores the GPS coordinates in the image's metadata. Although this trick cannot track the current location continuously, the location history can be read from older images. The image editing app Shutterfly, among others, collects geodata in this way.
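An added example, not from the study or the original article: a standard-library Python check for whether a JPEG carries the Exif GPS block that makes the photo trick above possible, plus removal of the Exif segment before an image is placed where other apps can read it. The function names and the sample bytes are constructed for illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag pointing at the GPS sub-IFD
GPS_LATITUDE, GPS_LONGITUDE = 0x0002, 0x0004
EXIF = b"Exif\x00\x00"

def segments(jpeg):
    """Yield (marker, start, end) for each header segment before scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def ifd_tags(tiff, offset, bo):
    """Map tag -> raw 4-byte value/offset field for the IFD at `offset`."""
    (count,) = struct.unpack(bo + "H", tiff[offset:offset + 2].ljust(2, b"\x00"))
    entries = (tiff[offset + 2 + 12 * i:offset + 14 + 12 * i] for i in range(count))
    return {t: v for t, _type, _n, v in
            (struct.unpack(bo + "HHII", e) for e in entries if len(e) == 12)}

def gps_tags(jpeg):
    """Set of GPS tag ids in the image's Exif block (empty if none)."""
    for marker, start, end in segments(jpeg):
        tiff = jpeg[start + 10:end]
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF and len(tiff) >= 8:
            bo = "<" if tiff[:2] == b"II" else ">"
            ifd0 = ifd_tags(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
            if GPS_IFD_POINTER in ifd0:
                return set(ifd_tags(tiff, ifd0[GPS_IFD_POINTER], bo))
    return set()

def strip_exif(jpeg):
    """Copy of the image with every Exif APP1 segment removed."""
    out, last = bytearray(), 0
    for marker, start, end in segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF:
            out += jpeg[last:start]
            last = end
    return bytes(out + jpeg[last:])

def sample_jpeg():
    """Constructed header-only sample (not a decodable picture) with a GPS IFD."""
    dms = struct.pack("<6I", 1, 1, 2, 1, 3, 1)  # made-up degrees/minutes/seconds
    tiff = (b"II*\x00" + struct.pack("<I", 8)
            + struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, 26) + b"\x00" * 4
            + struct.pack("<HHHIIHHII", 2, GPS_LATITUDE, 5, 3, 56, GPS_LONGITUDE, 5, 3, 80)
            + b"\x00" * 4 + dms * 2)
    app1 = struct.pack(">H", len(tiff) + 8) + EXIF + tiff
    return b"\xff\xd8\xff\xe1" + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Stripping the whole Exif segment also drops non-location metadata such as orientation, so a pipeline that needs those fields would have to rewrite the block instead of removing it.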
Apps exchange data via the device storage
South Korea's analytics and monetization service Salmonads takes a different approach: if an app using the service has permission to read the IMEI, advertising ID or MAC address, that information is stored in a file on the SD card. Through this file, other programs that integrate Salmonads can read the information without the appropriate permissions. They only need permission to access the SD card. Salmonads can use the unique data to link the various apps to a device and thus to a user.
Applications that integrate services of the Chinese search engine Baidu also write the IMEI and the Android ID to the device storage or read them from there. The researchers discovered 153 apps that made use of the system, including applications from Disney, as well as a browser and a health app from Samsung. The latter were each installed on 500 million devices.
Android apps also need a corresponding permission to access information about the Wi-Fi networks in use. The MAC address of the router, however, can also be read from the unprotected ARP table (Address Resolution Protocol). It keeps a history of the MAC addresses, and their associated IP addresses, that the device has communicated with on different networks. The MAC addresses can be used to find the location of the router in use and an approximate location of the smartphone. The researchers discovered a number of apps that collected information via this side channel. They already reported their findings to Google in September 2018.
Frequently, the data obtained is used to identify or generate a unique identifier, and thus to recognize the smartphone and its user. This is also possible via the calibration data of the smartphone's sensors.
“Basically, consumers have very few tools and ways to protect their privacy,” said Serge Egelman, one of the authors of the study, at their presentation. “If app developers can easily bypass the system, it’s pretty useless to ask consumers for permission.”