More Than 1,000 Android Apps Steal Your Data Without Permission

Google's Android apps displayed on an Android smartphone.
(Image credit: ymgerman/Shutterstock)

When an Android app asks to access your location data, and you deny it permission, does the app follow the rules? Maybe not.

More than 1,000 Android apps routinely sneak past Google's restrictions and collect your location data and phone information even when you've explicitly denied the apps permission, an academic study has found.

Among the offenders are the Shutterfly app, which collected location data without user permission, and the app for Hong Kong Disneyland, which accessed phone IDs that other apps had stored unprotected on a phone's SD card, although Disney itself may not have been aware of the practice.

"The number of potential users impacted by these findings is in the hundreds of millions," the study concludes. "These deceptive practices allow developers to access users' private data without consent, undermining user privacy and giving rise to both legal and ethical concerns."

This kind of sneakiness will be harder for apps to pull off in Android 10 Q, due later this summer. But until then, you won't be able to trust that apps are following the rules that you and Google lay down. 

Until then, go through your app settings and turn off location and ID permissions for apps that shouldn't need them, and delete any apps you don't regularly use.

"Apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels," explains the study, titled "50 Ways to Leak Your Data" and available online. "Both pose threats to user privacy."

Side channels let apps evade the Android permission model; covert channels are used when apps that are allowed to access user data share it, intentionally or not, with apps that aren't meant to have access.

After studying more than 88,000 Android apps, the researchers found a total of 1,325 apps that used at least one of these methods to grab user data they weren't entitled to.

Some apps secretly collected location data in the form of GPS coordinates, but also collected the MAC addresses of Wi-Fi network base stations, which told the apps where the phones were. MAC addresses are unique network-interface identifiers, and public lists of known Wi-Fi hotspot MAC addresses exist.

Apps also got unauthorized access to user email addresses, Wi-Fi network names, phone numbers and handset and SIM-card unique IDs. The apps are probably using all this data to command higher prices for ads, as marketers want to know where you are. But the data can also be used to track ind

The Shutterfly app used the EXIF metadata recorded by camera apps and embedded in photos to determine where a photo had been taken, even if the user had denied Shutterfly access to location data.

Shutterfly could plausibly be accessing that data for innocent reasons, the research paper said. But it also noted that "cases where an app contains both code to access the data through the permission system and code that implements an evasion do not easily admit an innocent explanation."

For example, two Chinese companies, Baidu and Salmonads, made sure that their apps regularly wrote sensitive data to a phone's SD card so that other apps made by the same companies could read it, whether or not the user had granted the other apps permission to have that data.

Salmonads is an advertising-technology firm, as you'd probably guess. But Baidu is one of the biggest internet companies in the world, dominating the Chinese search-engine market and also offering social-networking and advertising platforms. It is as ubiquitous in China as Google, Facebook and Amazon are in the U.S.

Baidu's mapping service, similar to Google Maps, is used by Disney's Hong Kong Disneyland app to guide visitors around the park. The mapping service would take a phone's device ID and write it to the phone's SD card so that other Baidu apps could read it -- and so could any app that knew where to look.

The researchers found that Baidu Maps did the same thing with the apps for Disney's Shanghai Disneyland and for Samsung's Health app and Android browser. 

Chinese companies weren't the only flagrant violators. The Unity game engine, developed by San Francisco-based Unity Technologies and uses by dozens of Android games, was found by the researchers to be sending phones' MAC addresses to Unity's servers, whether or not a game had permission to do so.

Overall, the report hints, the United States may have to completely overhaul the way it governs software behavior.

"In the U.S., privacy practices are governed by the 'notice and consent' framework," the authors note. " That apps can and do circumvent the notice and consent framework is further evidence of the framework's failure."

The study was conducted by researchers from the University of California, Berkeley, the International Computer Science Institute in Berkeley, the IMDEA Networks Institute in Spain and the University of Calgary. Three of the six researchers also work for AppCensus, a for-profit company that examines the privacy behaviors of smartphone apps.

The paper was released in conjunction with the Federal Trade Commission's PrivacyCon conference in Washington, D.C.  on June 27.

The findings were disclosed to both Google, which has the power to kick apps violating of its Terms of Service out of the Google Play store, and the Federal Trade Commission, which has the power to fine companies that blatantly violate user privacy.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.