
Smartphones are a goldmine of sensitive data, and modern apps work as diggers that continuously collect every possible piece of information from your devices.

The security model of modern mobile operating systems, like Android and iOS, is primarily based on permissions that explicitly define which sensitive services, device capabilities, or user information an app can access, allowing users to decide what each app can access.

However, new findings by a team of researchers at the International Computer Science Institute in California revealed that mobile app developers are using shady techniques to harvest users’ data even after they deny permissions.

In their talk “50 Ways to Pour Your Data” [PDF] at PrivacyCon hosted by the Federal Trade Commission last Thursday, researchers presented their findings that outline how more than 1,300 Android apps are collecting users’ precise geolocation data and phone identifiers even when users have explicitly denied the required permissions.

“Apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels,” the researchers wrote.

“These channels occur when there is an alternate means to access the protected resource that is not audited by the security mechanism, thus leaving the resource unprotected.”

Researchers studied more than 88,000 apps from the Google Play store, 1,325 of which were found violating permission systems within the Android operating system by using hidden workarounds that allow them to look for users’ personal data from sources like metadata stored in photos and Wi-Fi connections.

Location Data — For instance, researchers found a photo-editing app, called Shutterfly, that collects location data of a device by extracting GPS coordinates from the metadata of photos, as a side-channel, even when users declined to grant the app permission to access location data.

“We observed that the Shutterfly app (com.shutterfly) sends precise geolocation data to its own server (apcmobile.thislife.com) without holding location permission.”

Moreover, it should be noted that if an app can access the user’s location, then all third-party services embedded in that app can also access it.
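The photo-metadata side channel described above works because GPS fields travel inside the image file itself, outside the location permission. As an added example (not from the researchers or the article), the Python code below checks a JPEG for an Exif GPS directory pointer and removes Exif segments before a photo is shared; the function names and the sample bytes are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag that points at the GPS sub-directory
EXIF_HEADER = b"Exif\x00\x00"

def jpeg_segments(data):
    """Yield (marker, start, end) per segment; the image scan runs to end of file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if data[pos] != 0xFF or length < 2:
            raise ValueError("corrupt segment header")
        end = len(data) if marker == 0xDA else pos + 2 + length  # 0xDA = start of scan
        yield marker, pos, end
        pos = end

def has_gps(data):
    """True if any Exif APP1 segment's IFD0 carries a GPS directory pointer."""
    for marker, start, end in jpeg_segments(data):
        payload = data[start + 4:end]
        order = {b"II": "little", b"MM": "big"}.get(payload[6:8])
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER) or order is None:
            continue
        tiff = payload[6:]
        ifd0 = int.from_bytes(tiff[4:8], order)             # offset of first directory
        count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)  # number of 12-byte entries
        tags = (int.from_bytes(tiff[o:o + 2], order)
                for o in range(ifd0 + 2, ifd0 + 2 + 12 * count, 12))
        if GPS_IFD_TAG in tags:
            return True
    return False

def strip_exif(data):
    """Return the JPEG without its Exif APP1 segments (drops all Exif tags, not only GPS)."""
    keep = (data[s:e] for m, s, e in jpeg_segments(data)
            if not (m == 0xE1 and data[s + 4:s + 10] == EXIF_HEADER))
    return b"\xff\xd8" + b"".join(keep)

def sample_jpeg(with_gps):
    """Constructed JPEG skeleton for the demo (headers only, not a viewable photo)."""
    entries = struct.pack("<HHII", 0x0112, 3, 1, 1)  # Orientation tag
    if with_gps:
        entries += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 38)  # pointer to empty GPS IFD
    tiff = b"II*\x00" + struct.pack("<IH", 8, len(entries) // 12) + entries + b"\x00" * 6
    app1 = b"\xff\xe1" + struct.pack(">H", len(tiff) + 8) + EXIF_HEADER + tiff
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Running `has_gps` over a photo library shows which files would leak coordinates to any app that can read them, and `strip_exif` gives a copy that is safe to hand over.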
