More than 1,300 apps for Google’s Android mobile operating system have been found to be sharing sensitive information, even if users have explicitly denied them permission to do so.
This is according to research conducted by International Computer Science Institute (ICSI), which identified 1,325 apps that evade restrictions to harvest data including location information and phone identifiers.
The study, which examined more than 88,000 apps in the Google Play Store, found the offending apps used workarounds hidden in their code to circumvent the permissions settings and gather data from sources such as Wi-Fi connections and metadata stored in photos.
For example, one photo-editing app, Shutterfly, was able to obtain location data from GPS coordinates embedded in photos, even if users had refused it permission to access their phone’s location directly.
Other apps were able to gain location data by connecting to users’ Wi-Fi networks and figuring out the router’s MAC address, while some were able to read through unprotected files on a device’s SD card to harvest personal data.
Serge Egelman, director of usable security and privacy research at ICSI, said Google had been notified of these issues last September, along with the US Federal Trade Commission, but the tech giant will not be addressing the problem until the launch of Android Q later this year.
Mr Egelman added: “Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it. If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless.”
Google has said that Android Q will have measures to prevent these workarounds, such as hiding location information in photos from apps and requiring any apps that access Wi-Fi to also have permission for location data.
It is expected to be available in September – though as is usually the case with major Android updates, it may take a while to filter through to every device.