Thousands of Android apps can track your phone

Even if you deny permissions


Tech Desk July 09, 2019
A 3D printed Android logo is seen in front of a displayed cyber code in this illustration taken March 22, 2016. PHOTO: REUTERS

Like many of us, you are most likely under the illusion that your privacy is intact when you refuse to give an Android app permission to track your phone. However, this is not the case. According to researchers, numerous apps are now able to cheat Android’s permission system, phoning home your device’s distinctive identifier and enough data to be able to disclose your location.

Simply selecting “no” when an app asks for access to your personal information may not be enough to stop it. Another app that you have granted access could share this information with the first one, or it could write your information to shared storage where other apps, maybe even malicious ones, can read it.

The apps are built with the same software development kits (SDKs), which allows them to share data even if they don’t appear to be linked to each other. There is also proof that the SDK owners are able to view the information.

Such apps include ones from the likes of Samsung and Disney, which have been downloaded countless times, as shown in a study presented at PrivacyCon 2019. The SDKs incorporated in these apps were created by Chinese search giant Baidu and an analytics organization, Salmonads, and can share your information between apps and servers by first storing the data locally on your phone. According to the researchers, apps using the Baidu SDK might be trying to quietly obtain this data for their own use.

They also discovered various side-channel vulnerabilities, some of which can access and send home data including the unique MAC addresses of your networking chip and router, as well as your wireless access point and its SSID. “It’s pretty well-known now that’s a pretty good surrogate for location data,” commented Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), when presenting the study at PrivacyCon.

The research also mentions that Shutterfly, a photo app, sends your GPS coordinates back home by extracting them from your photos’ EXIF metadata even if you haven’t given it permission to track your location. The company denied this claim in a statement to CNET.
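To audit what a photo file itself discloses to any app that can read it, the following added example (not code from the study or from The Verge) parses a JPEG's EXIF block and returns the embedded GPS coordinates, if any. The function names and the sample image bytes are constructed for illustration.

```python
import struct

def _ifd(tiff, off, e):
    """Map each tag in the IFD at `off` to its raw 4-byte value/offset field."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    return {struct.unpack_from(e + "H", tiff, off + 2 + 12 * i)[0]:
            tiff[off + 10 + 12 * i: off + 14 + 12 * i] for i in range(n)}

def _dms(tiff, field, e):
    """Decode three RATIONALs (degrees, minutes, seconds) to decimal degrees."""
    v = struct.unpack_from(e + "6I", tiff, struct.unpack(e + "I", field)[0])
    d, m, s = (v[i] / (v[i + 1] or 1) for i in (0, 2, 4))
    return d + m / 60 + s / 3600

def exif_gps(jpeg):
    """Return (lat, lon) from a JPEG's EXIF GPS IFD, or None if it has none."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    # Walk metadata segments until start-of-scan (0xDA) or end of data.
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        marker, size = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg = jpeg[pos + 4: pos + 2 + size]
        if marker == 0xE1 and seg[:6] == b"Exif\x00\x00":
            tiff = seg[6:]
            e = "<" if tiff[:2] == b"II" else ">"      # TIFF byte order
            ifd0 = _ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
            if 0x8825 not in ifd0:                     # no GPSInfo pointer
                return None
            gps = _ifd(tiff, struct.unpack(e + "I", ifd0[0x8825])[0], e)
            if not gps.keys() >= {1, 2, 3, 4}:         # refs and coordinates
                return None
            lat, lon = _dms(tiff, gps[2], e), _dms(tiff, gps[4], e)
            lat = -lat if gps[1][:1] == b"S" else lat
            lon = -lon if gps[3][:1] == b"W" else lon
            return round(lat, 6), round(lon, 6)
        pos += 2 + size
    return None

def sample_jpeg():
    """Constructed sample: metadata-only JPEG tagged 37.808333 N, 122.42 W."""
    # TIFF layout: header 0-7, IFD0 8-25, GPS IFD 26-79, rationals from 80.
    ifd0 = struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0)
    gps = struct.pack("<H" "HHI4s" "HHII" "HHI4s" "HHII" "I", 4,
                      1, 2, 2, b"N", 2, 5, 3, 80, 3, 2, 2, b"W", 4, 5, 3, 104, 0)
    rat = struct.pack("<12I", 37, 1, 48, 1, 30, 1, 122, 1, 25, 1, 12, 1)
    app1 = b"Exif\x00\x00II*\x00" + struct.pack("<I", 8) + ifd0 + gps + rat
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A photo for which `exif_gps` returns `None` carries no GPS IFD, so reading the file alone would not reveal where it was taken.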

The researchers, who notified Google about these problems last September, say that some of them may be fixed in Android Q. However, the problems will still exist in many current-generation Android phones that won’t receive the updates. (As of May, only 10.4 per cent of Android devices had the new Android P update installed, and over 60 per cent still had the nearly three-year-old Android N.)

In the meantime, the researchers suggest that Google roll out fixes within security updates to ensure that most Android users receive protection. “Google is publicly claiming that privacy should not be a luxury good, but that very well appears to be what’s happening here,” said Egelman.

Though Google declined to comment on the specific vulnerabilities, it told The Verge that Android Q will hide geolocation info from photo apps by default, and these apps will have to let the Play Store know if they have the ability to access location metadata.

This article originally appeared on The Verge.