The Android and iOS security models are built on permissions: each permission gates a sensitive service, device capability, or class of user data, and the user decides which apps are granted which permissions.


New findings by a team of researchers at the International Computer Science Institute in California reveal that some Android apps harvest users' data through side channels and covert channels even after the user has denied the relevant permission.

In their talk "50 Ways to Leak Your Data" at PrivacyCon, hosted by the Federal Trade Commission last Thursday, the researchers presented findings showing that 1,325 Android apps collect users' precise geolocation and persistent phone identifiers even when the user has explicitly denied the permission that protects that data.

The researchers wrote:

"Apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels."

The researchers studied more than 88,000 apps from the Google Play store; 1,325 of them circumvent the Android permission system through workarounds that obtain personal data from sources the permission does not cover, such as the metadata stored in photos, files on the SD card, and the state of the Wi-Fi connection.


The researchers found that Shutterfly, a photo-editing app, obtains the device's location by extracting the GPS coordinates embedded in photos' EXIF metadata, a side channel, even when the user declined to grant the app location permission: the photo file itself is readable without any location permission.

"We observed that the Shutterfly app sends precise geolocation data to its own server without holding location permission."

Note also that permissions are granted per app, not per library: every third-party SDK embedded in an app inherits all the permissions the app holds, so if the app can read the user's location, so can each of those services.
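The photo-metadata side channel described above, as an added example that is not code from the paper or from any app named on this page. It builds a constructed JPEG whose only content is an Exif APP1 segment with a GPS IFD (tag and type numbers are those of the EXIF specification; the coordinates are made up), reads the coordinates back the way an app without location permission would, and then shows the defender's counterpart: dropping the Exif segment before the file reaches untrusted code. The function names are my own.

```python
import struct

# EXIF/TIFF tag and type numbers from the EXIF 2.x specification.
TAG_GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _dms_rationals(deg, minutes, sec_tenths):
    """Pack degrees/minutes/seconds as three RATIONALs; seconds given in tenths."""
    return struct.pack("<6I", deg, 1, minutes, 1, sec_tenths, 10)


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: minimal JPEG (SOI, Exif APP1, EOI) holding only a GPS IFD."""
    ifd0_off, gps_off = 8, 26                 # IFD0 follows the 8-byte TIFF header
    gps_end = gps_off + 2 + 4 * 12 + 4        # count + 4 entries + next-IFD link = 80
    lat_off, lon_off = gps_end, gps_end + 24  # RATIONAL triples are stored after the IFD
    def entry(tag, typ, count, value4):       # one 12-byte IFD entry
        return struct.pack("<HHI", tag, typ, count) + value4
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)   # little-endian TIFF header
    tiff += struct.pack("<H", 1) + entry(TAG_GPS_IFD_POINTER, TYPE_LONG, 1, struct.pack("<I", gps_off))
    tiff += struct.pack("<I", 0)              # no IFD1
    tiff += struct.pack("<H", 4)              # GPS IFD with four entries
    tiff += entry(GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode().ljust(4, b"\0"))
    tiff += entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack("<I", lat_off))
    tiff += entry(GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode().ljust(4, b"\0"))
    tiff += entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack("<I", lon_off))
    tiff += struct.pack("<I", 0)              # no further IFD
    assert len(tiff) == gps_end
    tiff += _dms_rationals(*lat_dms) + _dms_rationals(*lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, length) for each JPEG metadata segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):        # image data begins; no more metadata
            return
        yield marker, pos, length
        pos += 2 + length


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, 4-byte value field)} for the IFD at offset."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, endian, entry):
    """Follow an IFD entry's value-field offset and return its RATIONALs as floats."""
    count, (off,) = entry[1], struct.unpack(endian + "I", entry[2])  # 3 RATIONALs never fit inline
    raw = struct.unpack(endian + "%dI" % (2 * count), tiff[off:off + 8 * count])
    return [raw[i] / raw[i + 1] for i in range(0, 2 * count, 2)]


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None if absent."""
    tiff = None
    for marker, start, length in _segments(jpeg):
        payload = jpeg[start + 4:start + 2 + length]
        if marker == 0xFFE1 and payload[:6] == b"Exif\0\0":
            tiff = payload[6:]
            break
    if tiff is None:
        return None
    endian = "<" if tiff[:2] == b"II" else ">"   # "II" little-endian, "MM" big-endian
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if TAG_GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[TAG_GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, gps_off, endian)
    if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    def decimal(coord_tag, ref_tag):          # D/M/S plus N/S or E/W reference -> signed degrees
        d, m, s = _rationals(tiff, endian, gps[coord_tag])
        value = d + m / 60 + s / 3600
        return -value if gps[ref_tag][2][:1] in (b"S", b"W") else value
    return decimal(GPS_LAT, GPS_LAT_REF), decimal(GPS_LON, GPS_LON_REF)


def strip_exif(jpeg):
    """Defender's counterpart: rebuild the file without the Exif APP1 segment."""
    out, end = bytearray(jpeg[:2]), 2
    for marker, start, length in _segments(jpeg):
        seg = jpeg[start:start + 2 + length]
        if not (marker == 0xFFE1 and seg[4:10] == b"Exif\0\0"):
            out += seg
        end = start + 2 + length
    return bytes(out) + jpeg[end:]


if __name__ == "__main__":
    # 37°52'17.4"N 122°16'12"W: constructed coordinates, not taken from any real photo.
    photo = build_geotagged_jpeg((37, 52, 174), "N", (122, 16, 120), "W")
    print(extract_gps(photo), extract_gps(strip_exif(photo)))   # about (37.8715, -122.27) None
```

The parser never decodes image data: walking the marker segments and two IFDs is all it takes, which is why an app that can open the file (storage access, or a photo the user handed it) gets a GPS fix without ever calling the location API. `strip_exif` is the blunt version of the platform-side mitigation; on real files it also discards orientation and camera tags, so a production redactor would remove only the GPS IFD.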

The researchers also found 13 apps, with more than 17 million installations between them, that read the phone's IMEI, a persistent device identifier, from an unprotected file that other apps had written to the SD card.

"Android protects access to the phone's IMEI with the READ_PHONE_STATE permission. We identified two third-party online services that use different covert channels to access the IMEI when the app does not have the permission required to access the IMEI."

According to the researchers, those two services are SDKs from Baidu and Salmonads, both Chinese companies. An app that holds the permission writes the IMEI to the SD card, and the same SDK inside an app without the permission reads it back, using the shared file as a covert channel to obtain data the host app was never allowed to access.

Other apps infer the user's location from the MAC address of the Wi-Fi access point the phone is connected to, a value that can be looked up in databases mapping access points to places. Among them were smart-remote-control apps, which have no functional need for location data at all.

Researchers wrote:

"We discovered companies getting the MAC addresses of the connected Wi-Fi base stations from the ARP cache. This can be used as a surrogate for location data. We found 5 apps exploiting this vulnerability and 5 with the pertinent code to do so."

“Additionally, knowing the MAC address of a router allows one to link different devices that share Internet access, which may reveal personal relations by their respective owners, or enable cross-device tracking.”
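The ARP-cache channel from the two quotes above, as an added example that is not code from the paper or from any of the apps it studied. An app that holds no location permission opens `/proc/net/route` to find the default gateway and `/proc/net/arp` to read that gateway's hardware address; the two files were world-readable on the Android versions the study tested. The file contents below are constructed samples in the real layout of those files, the MAC is made up, and the function names are my own. Turning the MAC into a place needs an external access-point database, which is outside this example.

```python
import socket
import struct

# Constructed samples in the layout of /proc/net/route and /proc/net/arp.
# On a device the app would simply open those two paths and read them.
ROUTE_SAMPLE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
wlan0\t00000000\t0101A8C0\t0003\t0\t0\t600\t00000000\t0\t0\t0
wlan0\t0001A8C0\t00000000\t0001\t0\t0\t600\t00FFFFFF\t0\t0\t0
"""
ARP_SAMPLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:12:34:56:78:9a     *        wlan0
192.168.1.23     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

RTF_GATEWAY = 0x0002   # route flag: the next hop is a gateway
ATF_COM = 0x02         # ARP flag: entry is complete, i.e. the MAC was actually resolved


def _hex_ipv4(h):
    """/proc/net/route stores IPv4 as 8 hex digits of a little-endian 32-bit word."""
    return socket.inet_ntoa(struct.pack("<I", int(h, 16)))


def default_gateway(route_text):
    """Return (iface, gateway_ip) for the default route (destination 0.0.0.0), or None."""
    for line in route_text.splitlines()[1:]:      # skip the header line
        f = line.split()
        if len(f) >= 4 and f[1] == "00000000" and int(f[3], 16) & RTF_GATEWAY:
            return f[0], _hex_ipv4(f[2])
    return None


def arp_hw_address(arp_text, ip, iface):
    """Return the resolved MAC for ip on iface from the ARP cache, or None."""
    for line in arp_text.splitlines()[1:]:        # skip the header line
        f = line.split()
        if len(f) >= 6 and f[0] == ip and f[5] == iface and int(f[2], 16) & ATF_COM:
            return f[3].lower()
    return None


def location_surrogate(route_text, arp_text):
    """MAC of the Wi-Fi gateway, the value the study describes as a location surrogate."""
    gw = default_gateway(route_text)
    if gw is None or not gw[0].startswith("wlan"):
        return None              # not on Wi-Fi: a cellular gateway's MAC says nothing about place
    return arp_hw_address(arp_text, gw[1], gw[0])


if __name__ == "__main__":
    print(default_gateway(ROUTE_SAMPLE), location_surrogate(ROUTE_SAMPLE, ARP_SAMPLE))
```

Two details matter for a detection engineer. The incomplete entry (flags `0x0`, all-zero MAC) must be rejected, or the surrogate is garbage; and the interface check is what distinguishes a Wi-Fi gateway, whose MAC is stable per location, from a mobile-data gateway. Nothing in this code touches a location API, which is exactly why a permission check never fires.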

The researchers confirmed the behaviour by running the apps on instrumented builds of Android Marshmallow and Android Pie.


The researchers disclosed their findings to Google, which paid the team a bug bounty for the responsible disclosure.


Users are advised to treat third-party apps with suspicion: revoke location and phone-identifier permissions from apps that do not need them to function, and uninstall apps you do not regularly use.
Google's fixes for these channels will ship with the release of Android Q.
