A new study shows that denying apps permission to access your data on Android may not be doing much to protect your privacy.
Researchers recently found that more than 1,300 apps on the Google Play store secretly collected data such as geolocations and device identifiers — even after they were denied app permissions.
The study, which was published
Those 1,325 apps used secret workarounds hidden within their code to harvest personal data from sources like photo metadata and Wi-Fi connections, CNET reported.
There were some popular apps among those, too. For example, researchers found that Shutterfly, a photo-editing platform, was gathering GPS coordinates from user photos and uploading that data to its own servers. That was the case even after users denied the app permission to access location data.
Shutterfly, for its part, maintained that it only collected data with explicit user consent — despite what the study found. It also added that it used that data to “enhance the user experience.”
Researchers also found that some apps were piggybacking off of permissions granted to other apps on a user’s device. If a user let one app access data on an SD card, for example, another app without that permission could still read the card’s contents.
Only 13 apps actually used this workaround, but they were installed more than 17 million times.
Other apps sought to gather sensitive identifiable information, such as a smartphone’s IMEI number or a router’s MAC address.
While the researchers first presented the study at the FTC’s PrivacyCon last month, there currently isn’t a full list of the offending apps. According to CNET, the researchers will be releasing details about all 1,325 apps later this year at the Usenix Security conference.
Google has apparently been notified about the security and privacy lapses, and the Mountain View company said it would fix the issue in Android Q. But although that software update is due to launch later this year, it’ll probably be quite a while before most Android users can install it on their devices.