The way Google has set up Android permissions lets you have granular control over each app. It's pretty straightforward actually.
If you want an app to have access to your camera but not your contacts, you can set it up like that. But what do you do when the app ignores your rules?
According to a new study by an international group of researchers, presented recently at PrivacyCon 2019, thousands of apps have found ways to bypass these restrictions, and are gathering enough data to not only identify you, but also reveal your location.
The thing is, these apps aren't even using malicious code that circumvents your security, they're just making use of loopholes in the system. Even if you say no to one app seeing your data, a different app you've allowed the permissions can share that with the first one.?
And this list includes at least 1,325 apps, many of them from major companies like Samsung and Disney, that have each been downloaded hundreds of millions of times. These apps may not be directly related, but the researchers point out that they all use the same software development kit (SDK) made by Chinese Internet giant Baidu and an analytics firm called Salmonads. Some of these apps using the SDK also attempt to quietly obtain your data for themselves too.
In particular, photo app Shutterfly was singled out in the paper. That's because the app was sending actual GPS coordinates of the user's phone back to its servers without getting permission to track locations. It was doing this gathering data from photos' EXIF metadata on your device, though the company is denying that.
If it's any consolation, the findings were disclosed to Google a month ago, and they say they've introduced changes in Android Q to fix this. Just how well that works remains to be seen, and of course it won't work with devices incompatible with the new OS version.