Android users are often advised to restrict the application's access permissions to various data on smartphones. For example, photo editing apps aren't given access to contacts or locations, etc.Of course, the goal is to ban those apps from getting personal data on smartphones, including location.
However recently, researchers revealed that thousands of Android apps have a way to cheat the licensing system on Android. In addition to retrieving data, these applications also have the potential to track the user's smartphone presence.
As quoted from The Verge, Tuesday (9/7/2019), even if the user does not grant an access permission to a feature to application A, it seems likely that the application B has permission to the feature is shared with other applications. In fact, malicious apps can potentially read those data.
According to researchers, although applications A and B are unrelated, the cause is because the applications are built with the same software development Kit (SDK).
Therefore, the application could access the data, there is even evidence that the SDK owner received the same data.
Researchers like this application such as the little boy who asks Chocolate to his mother, because he is not given, he finally asks the father.
Based on the studies mentioned in PrivacyCon2019, the aforementioned applications include Samsung and Disney that have been downloaded hundreds of millions of times. These applications are built using the SDK developed by Baidu and the analytic firm called Salmonads.
Baidu and Salmonads SDK is apparently able to submit data from one application to another by saving it first to the user's smartphone.
Researchers see, some applications that use the Baidu SDK may secretly attempt to obtain this data for their own use.
Not only retrieving data, another problem found by the research team is that it can send unique MAC addresses from chips and routers, wireless access points, SSIDS, and various other data.
Director of security and privacy research at the International Computer Science Institute Serge Egelman says, "Access to the above hardware can know the location of the device."
Not only that, this study also mentions, Shutterfly photo application can send GPS coordinates to its server. But the user does not give permission to the application to access the location. This is done by retrieving location data from the photo metadata.
The company also denied that they collected the data without permission.
So far, researchers have mentioned, there have been improvements to this issue on Android Q, after they told Google about the issue of location data retrieval.
Unfortunately this will certainly not affect Android users whose devices are using OS under the Android version of Q.
The reason, as of May, only 10.4 percent of Android devices have been using the Android OS P, while, the remaining 60 percent of Android N is still in use.