Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Android Privacy Technology

More Than 1,000 Android Apps Harvest Data Even After You Deny Permissions (cnet.com) 85

An anonymous reader shares a report: Permissions on Android apps are intended to be gatekeepers for how much data your device gives up. If you don't want a flashlight app to be able to read through your call logs, you should be able to deny that access. But even when you say no, many apps find a way around: Researchers discovered more than 1,000 apps that skirted restrictions, allowing them to gather precise geolocation data and phone identifiers behind your back. The discovery highlights how difficult it is to stay private online, particularly if you're attached to your phones and mobile apps. Tech companies have mountains of personal data on millions of people, including where they've been, who they're friends with and what they're interested in.

Lawmakers are attempting to reel that in with privacy regulation, and app permissions are supposed to control what data you give up. Apple and Google have released new features to improve people's privacy, but apps continue to find hidden ways to get around these protections. Researchers from the International Computer Science Institute found up to 1,325 Android apps that were gathering data from devices even after people explicitly denied them permission. Serge Egelman, director of usable security and privacy research at the ICSI, presented the study in late June at the Federal Trade Commission's PrivacyCon.

This discussion has been archived. No new comments can be posted.

More Than 1,000 Android Apps Harvest Data Even After You Deny Permissions

Comments Filter:
  • It's always on, and so is the camera. Well maybe not the camera. That heats up the phone a bit.

    • (Instagram, 2 minutes later)

      CrazeeKoolCameras
      Sponsored

      Looking for an amazing camera? Crazy deals on the camera that rocked Shark Tank and is disrupting a 5 jillion dollar industry!

    • From the OP

      Permissions on Android apps are intended to be gatekeepers for how much data your device gives up.

      No, most permissions on Android were not written with that purpose in mind.

  • Lawsuit (Score:4, Interesting)

    by Your_spleen ( 5430822 ) on Monday July 08, 2019 @11:53AM (#58891120)
    Is there any basis I wonder to initiate a class act lawsuit against Google and Apple for misleading customers on what control (if any) they have over their devices? If I say I don't want an app to have access to specific aspects of my system, that should be definitive, not just loosely implemented .
    • Re: (Score:3, Insightful)

      by ptaff ( 165113 )

      Google and Apple for misleading customers on what control (if any) they have over their devices?

      You forfeit all your rights when running proprietary software. You don't control the software, the software controls you. You should know that by now.

      • I think the problem is that the companies are misrepresenting what's happening with your data. That's just simple fraud when it comes down to it and is already illegal without specific provisions related to data privacy. If something doesn't work as advertised either Google, et al. need to stop advertising it in that way or they need to ensure that it works as advertised. And they absolutely are in a position to punish the developers that try to break those protections.
      • You forfeit all your rights when running proprietary software. You don't control the software, the software controls you. You should know that by now.

        The last time I checked Android is not proprietary software.

        It's open source product of an advertising company which exists entirely to maximize profit by collecting your personal information while shoving advertisements in your face.

        If you have the means I suggest judging software on individual merit rather than dogmatic ideology.

      • by tsa ( 15680 )

        How is that different from Open Source software that you didn't make yourself?

    • Is there any basis I wonder to initiate a class act lawsuit against Google and Apple for misleading customers

      Google: Yes.
      Apple: No.

      Apple isn't responsible for defects in Android.

    • Is there any basis I wonder to initiate a class act lawsuit against Google and Apple for misleading customers on what control (if any) they have over their devices? If I say I don't want an app to have access to specific aspects of my system, that should be definitive, not just loosely implemented .

      It is definitive, except that app developers have come up with ways to gather information that Google didn't consider. You can say that Google should have considered them... but this is the nature of security, it's a constant arms race, and there will always be clever people who come up with techniques that hadn't been previously considered.

      In this case, it appears that apps that have permission to access your photos are examining the EXIF information in the photos to find out where they were taken. So

      • It is definitive, except that app developers have come up with ways to gather information that Google didn't consider.

        Like what?

        You can say that Google should have considered them... but this is the nature of security, it's a constant arms race, and there will always be clever people who come up with techniques that hadn't been previously considered.

        I suspect most people are clever enough to see why reactive security is not a winning strategy.

        In this case, it appears that apps that have permission to access your photos are examining the EXIF information in the photos to find out where they were taken. So whenever you take a photo, these apps get a fix on your location.

        Very seldom do people actually want to give apps access to their photos. What is actually happening is apps are DEMANDING generic access to storage. A take it or leave it demand without any possibility of user applying constraints limiting what folder(s) can be accessed or given any ability to review and authorize access requests.

        Other apps that have network permission examine the IP external IP address (easy to do: just ping a remote server and see what the source IP is) and use that to geolocate you.

        Geo IP is worthless you get city or part of town if lucky that's it.

        What

    • Not sure if we can still go after the giants but i think as the web3 emerges privacy and data will become huge concerns and companies that will win web3 will have no choice but to transparently address this
    • If I say I don't want an app to have access to specific aspects of my system, that should be definitive, not just loosely implemented .

      Is there any fraud here?

    • I din't know why you're including Apple here. They've been pretty up front about how they handle your data and how the permissions work. As far as I know, they haven't had a lot of troubles with this stuff when it comes to anything controlled with an explicit permission. The problems mainly stem from apps with cross platform frameworks designed to leak your data that are supposed to make app development easier for lazy or uncaring devs.

  • The smartphone app industry seems to be a bunch of immoral data collectors. If there were any in that industry who were of a different value-set, you would think they would raise significant concerns about this type of behavior. But they don't. Indeed, they are probably annoyed that they didn't think up these ways to bypass security and customer preference selections for their own use.
    • I've had enough conversations with mobile devs to know this is the case. Devs who started in mobile app development are a completely different breed from your old grognards who wrote system software. Many of these assholes are adamant that they are entitled to their user's data because its their app and anything that happens while their code is running belongs to them. I have no idea how this mentality started.

    • Flamebait? There must be a smartphone app developer with mod points. :)
  • by Anonymous Coward on Monday July 08, 2019 @12:31PM (#58891362)

    Although it is quite a technical hurdle to overcome the challenges presented in this article, it is not impossible.

    People need to become smarter with the products and services they use. That being said, if you use a cellphone, you should know how to make that device private using open source software.

    Purchase a phone that has an unlocked bootloader (highly suggest OnePlus), and then flash all of that spy/bloat ware off and use a fully open source custom ROM.

    Install FDroid (The Free/Libre Open Source Software app store) and use the apps available there. If you still need access to Google Play apps that provide push notifications, checkout the microG project which can fulfil these functions for you without the bullshittery that Google comes with.

    And for the love of God, stop installing closedsource malware apps on your devices unless you can quarantine them at all times using AFWall+ (rooted phone) or NetGuard (non-rooted phone).

    If you do not understand how these things work, then maybe you should do some DuckDuckGo searching and figure it out because your naivety is all being exploited, or stop using smart phones.

  • Burn it with fire.

  • by GuB-42 ( 2483988 ) on Monday July 08, 2019 @12:41PM (#58891412)

    The techniques used to circumvent permissions seem to fall into 2 categories.

    Side channels:
    App 1 has permission, app 2 doesn't. There is a communication channel between app 1 and app 2 (ex: a file on the SD card). App 2 ask for data through app 1.

    Exploitation of the network stack:
    Using standard networking system calls, it is possible to get things like the MAC addresses, which allow for unique identification or and some level of localization.

    • Exploitation of the network stack:
      Using standard networking system calls, it is possible to get things like the MAC addresses, which allow for unique identification or and some level of localization.

      I think it's stronger than that. Using standard networking system calls you can send a message to a remote server, which can then discover the IP address of your device (or, more likely, the IP address of the NATing router it's talking to). If you're on Wifi, that IP address almost certainly corresponds to a fixed geographical location, which can be geolocated.

      No platform ability to read details of the hardware or network stack configuration is needed. The simple ability to connect to a remote server i

      • I think it's stronger than that. Using standard networking system calls you can send a message to a remote server, which can then discover the IP address of your device (or, more likely, the IP address of the NATing router it's talking to). If you're on Wifi, that IP address almost certainly corresponds to a fixed geographical location, which can be geolocated.

        No platform ability to read details of the hardware or network stack configuration is needed. The simple ability to connect to a remote server is all that is required to geolocate you. This means that any app with the network access permission implicitly has location permission.

        Absolutely not. These things are nowhere close to being the same.

        MAC addresses have been globally systematically mined and associated with precise locations of nearly every AP in existence actively belching beacons to determine precise location of every bloody last AP.

        Obtaining precise location from public facing Internet addresses is much more difficult than getting a list of MACs for a variety of reasons. Public addresses are not exposed to the public and cannot be systematically mined in this way. The

        • You didn't read my post. I'm fully aware of the distinction between IP and MAC addresses (a couple of decades ago I wrote a TCP/IP stack from scratch for an embedded system that for various reasons couldn't use any of the available options). Public IP addresses are also trivially easy to get, and even though DHCP does result in router IPs changing a bit they're (a) remarkably persistent and (b) tend at least to be localized to a relatively small area, e.g. one DSLAM which serves a block.

          Geolocation of IP

          • You didn't read my post.

            I read your post.

            I'm fully aware of the distinction between IP and MAC addresses

            What you are aware of is irrelevant. Only what you express with actual words matters. I read no capability distinctions proffered by you. If you feel this is untrue or unfair please feel free to quote accordingly. What I did read from you seemed like a very clearly defined attempt to pull a whataboutIP when issue of MACs were brought up.

            a couple of decades ago I wrote a TCP/IP stack from scratch for an embedded system that for various reasons couldn't use any of the available options

            I assume you and everyone reading this knows the difference between an L2 and L3 address. My intention was not to insult anyone's intelligence.

            Public IP addresses are also trivially easy to get,

            Yes of c

            • Public IP addresses are also trivially easy to get,

              Yes of course they are given they are public. Yet the fact remains you can't execute a systematic location data mining operating of public IPs without associating with the access points and sending data. That kind of data mining would probably land the people doing it in jail and unless the AP was open likely wouldn't be practical to implement.

              That kind of data mining has been done and is being done by many companies, for both IPs and SSIDs. There are lots of high-quality geolocation services out there that will give you the location associated with any IP address. If you allow a web site to determine your location from a desktop or laptop, the location that it comes up with is based solely on such IP/physical address mapping databases, and it's amazingly accurate. For example, on your desktop or laptop, go to Google Maps and hit the little "l

              • That kind of data mining has been done and is being done by many companies, for both IPs and SSIDs. There are lots of high-quality geolocation services out there that will give you the location associated with any IP address. If you allow a web site to determine your location from a desktop or laptop, the location that it comes up with is based solely on such IP/physical address mapping databases, and it's amazingly accurate. For example, on your desktop or laptop, go to Google Maps and hit the little "location" button in the lower right corner, and Maps will show you its estimate of your location based on your IP. It's often very close.

                I just tried it and coordinates displayed in the map are just over three miles away as crow flies. Do the same thing on an ancient apple iPod without a GPS or cellular radio and it shows my precise location to within 20 feet using AP MAC data.

                There is no credible comparison to be had between the two.

    • Side channels:
      App 1 has permission, app 2 doesn't. There is a communication channel between app 1 and app 2 (ex: a file on the SD card). App 2 ask for data through app 1.

      And don't expect the side channels to go away. Because Google, the purveyor of Android, uses them itself:
      - App 1 = Google Play services
      - App 2 = Maps (and probably others as well).

      Try this:
      - In Settings -> General -> PHONE MANAGEMENT -> Apps
      - Disable Google Play Services (and pretty much anything el

      • But [Maps] apparently reports your location back to Google ...

        And perhaps other stuff as well. Who knows?

      • Of course it DOES work just fine (at least for the functions I've tried). But it apparently reports your location back to Google by forwarding it through Google Play services, and tries to sucker you into reenabling it if you've turned it off.

        Google has become a nag factory.

        Whether constant nagging from behind Google's search monopoly to switch to Chrome or constant retaliatory prompting in basic phone and messaging that would work just fine with Google play disabled if not for the never ending constant nagging that requires replacement in order to restore usability / user sanity.

        Google has gone from don't be evil to waging nag wars of attrition against users.

  • Trickier (Score:5, Insightful)

    by rjstanford ( 69735 ) on Monday July 08, 2019 @12:57PM (#58891528) Homepage Journal

    Its a little trickier than it appears - although a lot of the problems do indeed seem to be bugs in the OS or the permissions handling. Here's just one scenario that might surprise a user when we try to make them responsible for complex permissions interactions.

    Let's say that you allow the camera to use location information, which is a normal and reasonable thing to do.
    Now let's say that you disallow an app to use location information, also reasonable.
    Finally, let's say that you allow the app permission to access the camera, because it wants to upload a photo of something - quite a lot of apps do this, after all.

    All seems reasonable to the user, and they've done the Right Thing. But now let's say that the app periodically chooses to take a photo, read the embedded coordinates, and delete the photo if it was added to your library. Now it knows where you are, even though you've done your best as an informed consumer to prevent that from happening.

    Without the kind of annoying app review that Apple brings to the table, its very hard to prevent things like this - even with human review it's not easy. Getting the permission chains reasonable but still allowing people to swap in/out their own helper apps of choice (maps, keyboards, etc) makes this even harder.

    • Its a little trickier than it appears - although a lot of the problems do indeed seem to be bugs in the OS or the permissions handling. Here's just one scenario that might surprise a user when we try to make them responsible for complex permissions interactions.

      Android problems are structural, very much intentional and only getting worse. Take it or leave it access demands and the continued aggregation and watering down of access rights are largely responsible. Specific example of things getting much worse: Network access is no longer even displayed as an enumerated privilege.

      Let's say that you allow the camera to use location information, which is a normal and reasonable thing to do.

      I have two issues with this:

      First I do not believe it is reasonable and normal for camera to use location.

      Second and most importantly the camera is hardware and permissions are applied to in

  • So Google, when are you going to unfuck this?
  • The only way to achieve a reasonable degree of privacy on Android is:

    1. Unlock your phone bootloader.
    2. Install a Google apps free AOSP ROM.
    3. Install microG (an open source reimplementation of some Google services).
    4. Install F-Droid and get FLOSS-only apps from there.

    If in step two you install "Lineage OS for microG" distro, you already have steps 3 and 4.

    Following this route is not easy, and you will miss non-free apps, but if you value privacy, it is the way to go (and not the stupid suggestion of buyin

  • Don't use proprietary apps. This is what you reap when you do

You are always doing something marginal when the boss drops by your desk.

Working...