Android Apps Can Track You Even If You Deny Permissions! How to Prevent Them From Spying You


Researchers say that thousands of apps have found ways to cheat Android’s permissions system, phoning home your device’s unique identifier and enough data to potentially reveal your location as well.

Even if you say “no” to one app when it asks for permission to see those personally identifying bits of data, it might not be enough: a second app with permissions you have approved can share those bits with the other one or leave them in shared storage where another app — potentially even a malicious one — can read it.

The two apps might not seem related, but researchers say that because they’re built using the same software development kits (SDK), they can access that data, and there’s evidence that the SDK owners are receiving it. It’s like a kid asking for dessert who gets told “no” by one parent, so they ask the other parent.

According to a study presented at PrivacyCon 2019, we’re talking about apps from the likes of Samsung and Disney that have been downloaded hundreds of millions of times. They use SDKs built by Chinese search giant Baidu and an analytics firm called Salmonads that could pass your data from one app to another (and to their servers) by storing it locally on your phone first. Researchers saw that some apps using the Baidu SDK may be attempting to quietly obtain this data for their own use.

That’s in addition to a number of side channel vulnerabilities the team found, some of which can send home the unique MAC addresses of your networking chip and router, wireless access point, its SSID, and more. “It’s pretty well-known now that’s a pretty good surrogate for location data,” said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), when presenting the study at PrivacyCon.

The study also singles out photo app Shutterfly for sending actual GPS coordinates back to its servers without getting permission to track locations — by harvesting that data from your photos’ EXIF metadata — though the company denied that it gathers that data without permission in a statement to CNET.

There are fixes coming for some of these issues in Android Q, according to the researchers, who say they notified Google about the vulnerabilities last September. (They point to this official Google page.) Yet, that may not help the many current-generation Android phones that won’t get the Android Q update. (As of May, only 10.4 percent of Android devices had the latest Android P installed, and over 60 percent were still running on the nearly three-year-old Android N.)

The researchers think that Google should do more, possibly rolling out hotfixes within security updates in the meantime because it shouldn’t just be newer phone buyers who get protection. “Google is publicly claiming that privacy should not be a luxury good, but that very well appears to be what’s happening here,” said Egelman.

Google declined to comment on the specific vulnerabilities, but it confirmed to The Verge that Android Q will hide geolocation info from photo apps by default, and it will require photo apps to tell the Play Store whether they’re capable of accessing location metadata.


Enable or disable app permissions one by one
If you install an app with all permissions disabled, you can still turn on the ones you want individually in the settings.

1. Go to your Android phone’s Settings app.

2. Tap on Apps or Application Manager.

3. Select the app that you want to change by tapping Permissions.

4. From here, you can choose which permissions to turn on and off, like your microphone and camera.

Scan for viruses and other flaws
Google Play Protect scans all of your apps to identify any that are potentially dangerous. Even the most trusted apps can develop flaws that hackers can exploit, so it’s a good idea to scan the apps on your phone periodically to ensure your apps are safe.

1. Go to your Android phone’s Settings app.

2. Tap Security.

3. Select Google Play Protect. From here, you’ll see all of the apps that have been scanned and if any are suspect. If so, you’ll want to take steps to immediately stop using those apps and get them off your phone.

Turn off your location settings
A large amount of tracking comes from your location settings, so it’s best to turn this setting off.

1. Go to your Android phone’s Settings app.

2. Tap Location.

3. Select Google Location Settings.

4. Slide the toggle switch off for Location Reporting and Location History.

5. You can go a step further by deleting all of your location history.

6. If you need location enabled, you can manually toggle it on, and turn it off again when you’re done.

Turn off location data in your photos
1. Go to your Android phone’s Photos app.

2. Tap the menu and select Settings.

3. Tap Remove geo location.

4. You can also turn off an individual photo’s location in the Photos app by opening the photo, clicking the three stacked dots, select Info and choose No location. (Or go into a submenu beneath the map and click Remove Location.)

credits: CNET, TheVerge

Visit our website

Follow us on: