You’ve probably heard that Android smartphones are less secure than their iOS counterparts. And thought, whatever. As long as you set your app permissions and security settings correctly, there shouldn’t really be an issue, right?
Well, not really. Recent research has shown that hundreds, if not thousands, of apps have found a loophole in Android’s permission system; transmitting your device’s unique identifier and possibly location data as well. And if you set app permissions to prevent it from accessing personal data, the app can still access the data obtained by another app that has it in shared storage.
This is made possible by the fact that many apps are build using the same software development kits (SDK); the owners of these kits are also receiving this data, allegedly. If you’re wondering what apps are vulnerable, the list even includes apps from Samsung and Disney—pretty scary stuff.
These utilise SDKs built by Chinese company, Baidu, as well as an analytics firm called Salmonads. In fact, researchers found that apps developed using Baidu’s SDK may actually be storing this data as well.
There is more. Some apps also transmit the unique MAC addresses in your network and router, as well as your wireless access point and SSID. But the study, which was presented at PrivacyCon 2019, specifically mentions Shutterfly, the image processing app; the app sends GPS coordinates back to its serves regardless of permission settings. This data, according to the study, is taken from EXIF metadata within the photos. This allegation has been denied by Shutterfly, however.
Will this be fixed?
Google has been notified on the vulnerabilities within the system, which should mean that the loopholes will be patched in the upcoming Android Q update. But that doesn’t help the remaining Android users—especially devices that will not support Android Q when it’s officially rolled out.
Google hasn’t officially commented on the issue as of yet, but The Verge reports that Android Q will be hiding geolocation info from photo apps, while permissions should be tightened on accessibility to location metadata for apps.
[ SOURCE ]