Over 1,000 Android apps collect personal data from those who download them without ever having received permission to do so, according to a report presented at the Federal Trade Commission’s PrivacyCon 2019.
Researchers from the International Computer Science Institute found that the apps were able to gather data without obtaining user consent by using a workaround hidden in their code. The apps were then able to keep tabs on the device’s unique identifier, which enabled them to harvest personal data from sources like Wi-Fi connections.
"Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it," Serge Egelman, director of usable security and privacy research at ICSI, said at the conference. "If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless."
The Shutterfly app was found to have collected location data without user permission, and the app for Hong Kong Disneyland accessed phone identifiers that other apps had stored unprotected on a device’s SD card.
"The number of potential users impacted by these findings is in the hundreds of millions," the researchers said. "These deceptive practices allow developers to access users' private data without consent, undermining user privacy and giving rise to both legal and ethical concerns."
The researchers are set to share more details about the study at the USENIX Security conference in August. The team added that fixes for the security vulnerabilities are expected in the soon-to-be-released Android Q.