Researchers found that many Android apps ignore privacy protections, and harvest personal data even when users deny them permission.
The nonprofit research center International Computer Science Institute, in partnership with the University of California at Berkeley, analyzed thousands of popular apps, including Google Play, and discovered that apps that don't have permission to access personal data regularly obtain it through other apps that the user has okayed. In doing so, the apps resort to what are called “side channels” or “covert channels” to harvest personal information.
“Side channels present in the implementation of the permission system allow apps to access protected data and system resources without permission, whereas covert channels enable communication between two colluding apps so that one app can share its permission-protected data with another app lacking those permissions,” said the study, adding that both side and covert channels pose serious threats to users’ privacy.
“The use of covert and side channels is particularly troublesome as their usage indicates deceptive practices that might mislead even diligent users,” wrote the researchers.
The researchers studied more than 88,000 apps across every category available from the Google Play Store. They reported that approximately 60 apps, downloaded more than a million times by users, are already using the side-step practice, and hundreds of others are built with code that can also allow them to function that way.
“A new study of almost 1m #AndroidApps has revealed almost 90% of apps are set up to transfer information back to Google. Check it out for yourself over on @FinancialTimes here: https://t.co/1nWYpMpcOz #DataTech #Apps #DataApps #GoogleData #CyberSecurity #SecureApps” (Apadmi, @apadmi, July 3, 2019)
In other cases, users allow access to personal data without fully understanding the implications. For instance, photos that record the time and place they were taken provide location information that some apps send to their servers even though the user did not explicitly agree to divulge that information.
Moreover, the Android system makes it hard to know “with whom it may share [the information] and under what circumstances,” the report underlines, saying the only way to answer this question is by looking over the apps’ network traffic, which requires effort and technical know-how because apps often use different codes and complicated techniques to transfer data.
The researchers said they disclosed their findings to Google and to the United States Federal Trade Commission (FTC) and received a 'bug bounty' for their work. Google said it will address these problems next year as part of the next big Android update, called Android Q.
The company said that next year’s update will fix this issue by blocking, by default, an app's ability to gain access to time and geolocation on the Android Q interface.
The update will also require apps that collect geolocation information from Wi-Fi and Bluetooth connections to have permissions.
The study raised concerns over the way big tech companies collect and use users' personal data and the way they protect privacy. Google CEO Sundar Pichai said earlier this year that his company provided consumers with tools that allow them to decide whether or not they want to share their data. However, the tech giant's leader conceded the company could do much more in this area.