Researchers at the International Computer Science Institute studied 88,000 apps from the Google Play store and discovered that 1,325 of these apps are able to gather data even if they have been denied permissions. Their research was presented at the Federal Trade Commission's PrivacyCon this past June. Serge Egelman, director of usable security and privacy research at ICSI, remarked at the conference that, "If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless."
Some of these apps were able to collect data from WiFi connections and metadata stored in photos. For example, Shutterfly had been taking GPS locations from photos, even if the user has denied the app this permission. Some apps would actually gather data from other apps which had been granted permissions. If a user had allowed one app to gather data from their device's SD card, another app could do the same. The researchers found that the Samsung Health and Browser apps had these capabilities.
ICSI researchers have informed Google about their discoveries. Google promises that this issue will be addressed in Android Q. Apps will no longer be able to gather geolocations from photos. Users will also need to grant apps that access WiFi location data permissions. Android Q should be available later this year.
Another study recently concluded that Google Play hosts thousands of counterfeit Android apps. The researchers discovered nearly 50,000 counterfeit apps. Over 2,000 of these apps also contained malware and another 1,500 apps asked for potentially dangerous permissions.
Google Play is not the only vulnerable app store. A mobile security firm discovered that an Apple App Store carrier assistance app was able to sneakily access a user’s contacts, audio recordings, photos, videos, and other data. The app abused Apple’s security certificates to gain a wide range of permissions. Let’s hope that the major app stores will work more in the future to prevent malicious apps and protect users’ privacy.