Study Shows Over 1,000 Android Apps Gather Personal Data, Despite Permission Blocks

Researchers have found that more than 1,000 apps in the Google Play store are gathering personal data even when the user has denied permission.

That’s according to a new report from CNET, which explains that researchers at the International Computer Science Institute (ICSI) found that thousands of app on the Android app store manage to skirt restrictions and gather precise geolocation data and phone identifiers, without user consent.

The academic study, which was published on the FTC website, shows that 1,325 of the 88,000 apps that were studied collected such information as geolocation data and phone identifiers, even if the apps weren’t given the permission to do so. Some of the culprit apps include Shutterfly, Baidu, and Samsung Health.

Some apps used more nefarious methods than others. For example, around 13 of the apps researched piggybacked off of other apps to get access to user data. These apps, which were installed over 17 million times, could read through files that were unprotected and included the Hong Kong Disneyland app, which uses Baidu’s mapping service.

Some of these apps were also able to read through unprotected files on a device’s SD card and get access to data they didn’t have permission to access through circumnavigation, while other apps were gathering location data by connecting to the Wi-Fi network and obtaining the router’s MAC address.

Shutterfly, for its part, denies any wrongdoing. “Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and personalized product suggestions, all in accordance with Shutterfly’s privacy policy as well as the Android developer agreement,” said the company in a statement to CNET.

Google has been made aware of these issues and should take action to avoid this kind of abuse on Android. You can read the full ICSI of 1,325 apps misusing and bypassing limitations here.