Researchers at the International Computer Science Institute (ICSI) have found vulnerabilities that allow applications to obtain certain information from your smartphone even if you refuse to provide it. New security measures are already planned for Android Q.
On Android, as on iOS, when an application wants to access certain information on your phone, such as geolocation, it must first ask you for permission. From a usability point of view, Google and Apple have also made these permission requests clearer for users.
But apparently, on Android, even when you deny an application access, it may still bypass the mechanism to reach certain data.
This is what researchers at the International Computer Science Institute (ICSI) found after testing and analyzing the behavior of more than 88,000 Android applications, among the most popular on the Play Store. Their conclusion is that more than a thousand third-party applications or libraries are able to collect data that the user has not authorized, bypassing the mechanism imposed by Google on Android. The data concerned includes unique identifiers such as MAC addresses or the device's IMEI, as well as geolocation data.
Bypassing Google’s policies
The study highlights two techniques for collecting this data. One, the "side channel", exploits information that is not covered by the operating system's security mechanisms. The other, the "covert channel", involves sharing information between two applications.
For example, the study refers to two Chinese third-party libraries (Baidu and Salmonads) that used a covert channel. The researchers state that if an application using the library is able to obtain the phone's IMEI, the library stores it. Other applications using the same library can then read it, without asking permission.
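The following audit script is an added example, not code from the ICSI study or from this article. It checks whether a device's own identifiers have been left in files that other applications could read. It assumes the files were first copied from the phone into a local directory; the function names and the sample IMEI and MAC address are constructed for illustration.

```python
import base64
import os
import tempfile

def patterns_for(value):
    """Byte patterns under which one identifier might sit in a file."""
    raw = value.encode()
    forms = {
        "plain": (raw.lower(), True),        # (pattern, case-insensitive?)
        "hex": (raw.hex().encode(), True),
        # Matches only when the value was base64-encoded on its own.
        "base64": (base64.b64encode(raw), False),
    }
    if ":" in value:  # MAC address written without separators
        forms["no-separators"] = (value.replace(":", "").lower().encode(), True)
    return forms

def find_identifier_copies(root, identifiers):
    """Return sorted (relative path, identifier name, encoding) hits under root."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file, nothing to report
            lowered = data.lower()
            for name, value in identifiers.items():
                for enc, (pat, fold) in patterns_for(value).items():
                    if pat in (lowered if fold else data):
                        hits.add((os.path.relpath(path, root), name, enc))
    return sorted(hits)

def demo():
    """Scan a constructed directory standing in for storage copied off a phone."""
    ids = {"imei": "490154203237518", "mac": "02:00:5E:10:00:01"}  # constructed
    files = {  # constructed file contents
        os.path.join("cache", "sdk.dat"): b"v=2;id=" + base64.b64encode(ids["imei"].encode()),
        "notes.txt": b"wifi 02005e100001 ok",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        return find_identifier_copies(root, ids)
```

A hit in a location that several applications can read means the identifier is available to them regardless of which permissions each one was granted.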
The results of the study have already been shared with Google and the FTC (the US regulator). In addition to rewarding the researchers with a bounty, Google is already working on a way to block these new ways of accessing user data. Unfortunately, these fixes are announced for Android Q, and we know that for the majority of Android users, the most recent version of the OS takes a long time to arrive after its official release.