Thousands of Android apps can track your phone

Night_Hawk

Siasat.pk - Blogger
Thousands of Android apps can track your phone

A 3D printed Android logo is seen in front of a displayed cyber code in this illustration taken March 22, 2016. PHOTO: REUTERS

Like many of us, you are most likely under the illusion that your privacy is intact when you refuse to give an Android app permission to track your phone. However, this is not the case. According to researchers, numerous apps are now able to cheat Android’s permission system, phoning home your device’s distinctive identifier and enough data to be able to disclose your location.

Simply selecting “no” when an app asks for access to your personal information may not be enough to stop it. Another app that you have allowed access to could share this information with the other one or it could add your information to a shared storage system where other apps, maybe even malicious ones, can view it.

The apps are built with the same software development kits (SDK), which allows them to share data even if they don’t appear to be linked to each other. There is also proof that the SDK possessors are able to view the information.

Such apps include ones from the likes of Samsung and Disney which have been downloaded countless times as shown in a study at PrivacyCon 2019. The SDKs incorporated in these apps have been created by Chinese search giant Baidu and an analytics organization, Salmonads, which have the ability to share your information between apps and servers. This is done by first storing the data locally on your phone. According to researchers, apps using the Baidu SDK might be trying to get a hand on this data under the table for personal use.

They also discovered various side channel vulnerabilities, some of which are able to access and send home data including the unique MAC addresses of your networking chip and router, wireless access point and its SSID. “It’s pretty well-known now that’s a pretty good surrogate for location data,” commented Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), when presenting the study at PrivacyCon.

The research also mentions that Shutterfly, a photo app, sends your GPS coordinates back home by extracting them from your photos’ EXIF metadata even if you haven’t given it permission to track your location. The company denied this claim in a statement to CNET.

The researchers, who notified Google about these problems last September, say that some of them may be fixed in the Android Q. However, the problems will still exist in many current-generation Android phones that won’t receive the updates. (As of May, only 10.4 per cent of Android devices had the new Android P update installed, and over 60 per cent still had the nearly three-year-old Android N.)

In the meantime, the researchers suggest that Google roll out fixes within security updates to ensure that most Android users receive protection. “Google is publicly claiming that privacy should not be a luxury good, but that very well appears to be what’s happening here,” said Egelman.

Though Google declined to comment on the specific vulnerabilities, it told The Verge that Android Q will hide geolocation info from photo apps by default, and these apps will have to let the Play Store know if they have the ability to access location metadata.


Source

This article originally appeared on The Verge.
 

1234567

Minister (2k+ posts)
Thanks for sharing but question why you feel the need to share it? Every App, every packet, every frame is trackable if somebody wants to.
 

Night_Hawk

Siasat.pk - Blogger
That means if there is any news which is worthy of posting on the forum in your opinion it should not be shared.
 

Night_Hawk

Siasat.pk - Blogger

Over 1,000 Android apps continue to harvest data including location even after you've DENIED permission, shocking report reveals

  • Over 1,300 Android apps were found tracking personal data without consent
  • Researchers say apps use Wi-Fi data and metadata in photos to track users
  • The monitoring is done regardless of whether users allow permission
  • Some apps were able to access unique phone identifiers, the report found
  • Google said it will fix the leaks in its upcoming Android Q operating system

Researchers say that even permissions requests aren't enough to stop at least 1,000 Android apps from hoovering your personal data.

According to a report presented at the Federal Trade Commission's PrivacyCon, 1,325 apps in the Google Play Store use workarounds built into their code to subvert users' requests not to harvest their information.

To do so, the report says those apps turn to sources like Wi-Fi and metadata stored in users' pictures to help glean a unique signature and sometimes even a user's location.

The apps found to be sleuthing users' phones for personal data were identified out of 88,000 analyzed by researchers and include popular photo-sharing platforms like Shutterfly.

As reported by CNET, Shutterfly was found to be harvesting GPS coordinates from users' photos even despite the fact that many declined to share their location data within their device.

In some cases, researchers noted that apps were able to piggyback off of other apps' permission and access protected files on a user's SD card.

Of the 88,000 apps assessed only 13 were discovered to be doing so.

Among those apps are Baidu's Disneyland App for the company's Hong Kong location.

Google said it plans to fix many of the personal data leaks with the upcoming release of its Android Q operating system, however, users with older devices not as equipped to handle new software may not have easy access to the update.

The research represents yet another fold in the tug-of-war between consumers and companies over the control of personal data.

While most research has been focused on apps and platforms that gather information through more official channels -- Facebook and Google chief among them -- less attention is paid to those that may be gleaning information through side-channels.

WHAT APPS MAY BE DOING THIS?

A study presented at the Federal Trade Commission's PrivacyCon found 1,325 apps in the Google Play Store have the ability to use workarounds built into their code to subvert users' requests not to harvest their information.

This includes popular apps such as:

  • Shutterfly
  • Baidu's Disneyland app (Hong Kong)
  • Samsung Health & Browser apps

Google said it plans to fix many of the personal data leaks with the upcoming release of its Android Q operating system.

Increasingly, companies have been offering more options for users fed up with constant tracking and monitoring.

For instance, security updates announced in Apple's newest iOS 13 will notify users how an app is tracking them, including their location.

The feature will also reportedly ask users whether or not they want to continue granting location privileges to said apps.

The new iOS will also add more options to its permission requests, letting users choose if they want to allow access to their location all the time, on a case-by-case basis, or just once.

Source
 

Night_Hawk

Siasat.pk - Blogger
Report: Google Android Lets Apps Track You Regardless of Permissions

According to a recent study, Google’s Android operating system is allowing more than 1,300 apps to bypass system permissions controlling access to user data to track users without their knowledge.

ZDNet reports that a recent study by the International Computer Science Institute (ICSI) claims that as many as 1,325 Android apps installed across 500 million Android devices have found methods to bypass the Android operating system's permissions system to continue to track users without their knowledge or consent.


ICSI researchers investigated 88,000 Android apps to determine if app developers were using covert channels to gather information about users which could be given to advertisers. One form of tracking could include accessing the shared storage on an SD card to obtain the device's IMEI number, information that should not be accessible by the app if the user had not given it “READ_PHONE_STATE” permissions.


Researchers found one software development kit by a Chinese ad firm called Salmonads which would write a file containing a device’s IMEI number to shared storage, giving other apps access to it. Chinese search giant Baidu used a similar method with eight different apps being found submitting data back to Baidu servers.


Serge Egelman, one of the paper’s authors, told CNET, “Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it. If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless.”


Egelman stated that Google and the FTC have been warned about these issues and they have been addressed in the new version of the Android operating system, Android Q, being released later this year.


Google competitor Apple took a shot at the tech company recently via a large billboard located opposite Google’s sister company, Sidewalk Labs, in Toronto, Canada. Sidewalk Labs has been criticized recently for plans to build a smart neighborhood along Toronto’s eastern waterfront which will include sensors throughout the town to track people and collect data.


“We’re in the business of staying out of yours,” the billboard reads. A photo of the billboard can be seen below:


Source
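
The shared-storage channel described in the articles above (an SDK writing the device's IMEI to a file that other apps can read) can be audited from the defender's side. The following is an added example, not code from the articles or the ICSI researchers: it scans a local copy of a phone's shared storage for 15-digit values that pass the Luhn check used by IMEIs. The directory layout, file names and sample values are constructed for illustration.

```python
import os
import re
import tempfile

# A standalone 15-digit run is an IMEI candidate; the Luhn check filters noise.
CANDIDATE = re.compile(rb"(?<!\d)\d{15}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string has a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_shared_storage(root: str, max_bytes: int = 1 << 20):
    """List (relative path, value) for IMEI-like values in small files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue    # identifier drops are tiny; skip media files
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue        # unreadable file: nothing to report
            for match in CANDIDATE.finditer(data):
                value = match.group().decode()
                if luhn_ok(value):
                    findings.append((os.path.relpath(path, root), value))
    return sorted(findings)

def demo():
    """Run the scan over a constructed directory tree (not real device data)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sdk_cache"))
        with open(os.path.join(root, "sdk_cache", ".ids"), "wb") as fh:
            fh.write(b"id=490154203237518\n")             # Luhn-valid sample
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"order 123456789012345 shipped\n")  # fails Luhn
        return scan_shared_storage(root)

if __name__ == "__main__":
    print(demo())
```

A hit only means a Luhn-valid 15-digit number is stored where any app with storage access can read it; compare it with the device's own IMEI before treating it as a leak.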