If you are using Android, there is a good chance you have encountered data permissions, a dedicated prompt to choose what data an app should get access to.
It is a nifty feature, but a group of researchers has revealed that thousands of apps have developed workarounds to mine information, like your location, even without explicit data-access permission.
Here's all about this strange practice.
Over 1,000 apps found mining data without permissions
Android data permissions keep developers from accessing pieces of information they are not supposed to have.
However, a research team from the International Computer Science Institute has discovered as many as 1,325 apps circumventing these restrictions, CNET reported.
They found these programs from a study of 88,000 apps and tracked how exactly they extracted personal data without proper access.
Apps using photo geo-location
According to the researchers, some of the flagged apps appear to be using photo metadata, geolocation to be exact, to track users.
Shutterfly, a popular photo-editing app, was found using this technique; it extracted GPS user coordinates from photos and transmitted that data to its own servers.
However, weirdly enough, the company has disputed the claim, saying it doesn't collect data illegally.
Apps piggybacking on other apps for gathering data
Some apps, the researchers said, take the help of other programs built on the same software development kit (SDK) to gather information without permissions.
Specifically, these apps access information through apps that have been given permissions by the user.
The approved app stores data in an unprotected folder in the SD card, giving the restricted app an opportunity to mine data.
Popular apps found using the 'piggybacking' technique
Nearly 153 of the flagged apps had the ability to piggyback on a second app, including Samsung's Health and Browser apps as well as those offered by Disney. Also, the method worked for stealing confidential device identifiers like IMEI numbers and more.
Leveraging Wi-Fi network for location
The final technique stemmed from extracting the MAC address of your networking chip and router, wireless access point, its SSID, and more.
Apps for smart remote control gathered this information, giving developers a surrogate way to approximate location data.
The researchers plan to release more details about these 1,325 programs at a conference next month.
Fixes coming in Android Q
Having said that, it's imperative to note that Google has already been apprised about these vulnerabilities and the company is working to issue some fixes in Android Q by hiding photo metadata and requiring apps accessing Wi-Fi to seek location permissions.