Android Apps Can Bypass Permissions To Collect User Data, Researchers Said

Android is the most popular mobile operating system because of many reasons. And with that many reasons too, it's also the most exploited mobile OS.

For users using Android, they know that apps need to request their permission to do something. When users deny such requests, it's reasonable to expect the app abides by that.

But according to researchers, that is not always the case.

Thousands of popular apps from the Google Play Store are able to bypass permissions to collect user data, according to the nonprofit research center International Computer Science Institute, which partners with University of California, Berkeley.

This is possible as those apps have a workaround to avoid the restrictions users put on them, by finding "side channels" or "covert channels".

In other words, Android apps that are restricted from certain permissions, can take the data they asked users for, from other apps that were granted permissions.

In some other cases, apps with permission to access information like location data, store the data on the phone's SD card. This makes other apps without proper permissions able to access it. Then there are apps that take photos in including metadata such as the time and location where they were taken. These apps could view users' location even if they didn't have permission.

Android - covert channel
Covert channel: A security mechanism allows app1 access to resources but denies app2 access; this is circumvented by app2 using app1 as a facade to obtain access over a communication channel not monitored by the security mechanism.

To come into the conclusion, the researchers downloaded and installed, and analyzed 88,0000 most popular apps in Google's Play Store.

While Android do have a sophisticated permissions settings that allow users to manually grant or deny each permissions individually, the study points out that this settings can actually can make things difficult for users to track how installed apps share information, and under what circumstances.

"These deceptive practices allow developers to access users' private data without consent, undermining user privacy and giving rise to both legal and ethical concerns," the researchers wrote.

This flaw potentially affects hundreds of millions of Android users.

The researchers contacted Google about the discovery. Google replied that the company is addressing the issue, but on the next major Android update, called the Android Q, expected to be released later this 2019.

According to Google, Android Q will hide photo location information from apps that request photos, unless their developers clearly specify their app is capable of accessing a photo's location.

The major version of Android will also require apps that gather Wi-Fi access point information to have location permissions as well.

Android - side channel
Side channel: a security mechanism denies app1 access to resources; this is circumvented by accessing the resources through a side channel that bypasses the security mechanism

The research titled 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System shows how sophisticated mobile operating systems have become, and raises even more questions about how Google manages to protect user privacy.

For future works, the researchers suggested that:

"Regulators and platform providers need better tools to monitor app behaviour and hold app developers accountable by ensuring apps comply with applicable laws, namely by protecting users’ privacy and respecting their data collection choices."

"Society should support more mechanisms, technical and other, that empower users’ informed decision-making with greater transparency into what apps are doing on their devices."

CEO Sundar Pichai once said that Google does collect a large amount of user data, and offers tools for users to determine how much of their information they allow Google and apps on the Android to collect.

However, he has conceded that the company could be doing more.

"I don't think users have a good sense for how their data is being used, I think we've put the burden on users to a large extent," Pichai said. "I think we need a better framework where users get that comfort that they are in control of their data, how it's used."