According to security professionals, application developers are hard at work exploiting flaws in Android security to learn more about you and your phone usage than what you consented to.
In simple terms, if your phone were your house, the sets of permissions would be the rooms in your house. So, you may invite a handyman into your home and be happy for them to access the rooms they need to work in.
But you’d want to make sure they stayed out of your bedroom and your study. Or your vault full of gold coins that you sometimes swim through.
Similarly, when you invite an app onto your phone, you want it to have the correct permissions for the work it needs to do and no more.
However, according to a study presented at PrivacyCon 2019, app makers using certain Software Development Kits (SDKs) are finding ways around the permissions system.
In general terms, an SDK is a framework for creating applications for a particular environment, in this case Android.
It’s a way of documenting and distributing development tools for specific environments.
In this case, SDKs built by Baidu and Salmonads, both Chinese firms, could allow Android apps using the same SDK to pass data to each other and then to their servers.
Using the house analogy, this is essentially like the handyman letting Mickey Mouse into your kitchen even though you only gave Mickey permission to jump around on the trampoline in the yard.
Alarmingly, the threat isn’t just from shady Android apps from small developers. The report identifies apps from Samsung and Disney that have hundreds of millions of downloads.
Additionally, the study focused on Shutterfly. Shutterfly is an Android photo app which does not ask permission to track your location.
However, the developers have worked around this by extracting your GPS information from the EXIF metadata in your photos and sending the actual GPS coordinates back to its servers.
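To check whether your own photos carry the location metadata described above, this added example (not code from the study or from any app named here) walks a JPEG's EXIF block and lists the GPS tags it contains. The function names and the tiny sample image are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag that points at the GPS sub-directory

def ifd_tags(tiff, offset, endian):
    """Return {tag: value-or-offset field} for one TIFF directory (IFD)."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    tags = {}
    for i in range(count):  # each entry is 12 bytes: tag, type, count, value
        tag, _type, _n, value = struct.unpack_from(endian + "HHII", tiff, offset + 2 + 12 * i)
        tags[tag] = value
    return tags

def gps_tags_in_jpeg(data):
    """Return the sorted GPS tag ids in a JPEG's EXIF block, [] if there are none."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # image data or end of file: metadata is over
            break
        (length,) = struct.unpack_from(">H", data, pos + 2)
        payload = data[pos + 4 : pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            tiff = payload[6:]
            endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
            if endian is None:
                return []
            (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
            gps_offset = ifd_tags(tiff, ifd0, endian).get(GPS_IFD_TAG)
            return sorted(ifd_tags(tiff, gps_offset, endian)) if gps_offset else []
        pos += 2 + length
    return []

def build_sample(with_gps):
    """Constructed input: a minimal little-endian EXIF JPEG, not a real photo."""
    def entry(tag, typ, n, value):
        return struct.pack("<HHII", tag, typ, n, value)
    if with_gps:  # IFD0 sits at offset 8 and is 18 bytes long, so the GPS IFD starts at 26
        ifd0 = struct.pack("<H", 1) + entry(GPS_IFD_TAG, 4, 1, 26) + b"\x00" * 4
        # GPSLatitudeRef (tag 1) = "N", GPSLongitudeRef (tag 3) = "E"
        gps = struct.pack("<H", 2) + entry(1, 2, 2, ord("N")) + entry(3, 2, 2, ord("E")) + b"\x00" * 4
    else:  # only an Orientation tag (0x0112), no GPS pointer
        ifd0, gps = struct.pack("<H", 1) + entry(0x0112, 3, 1, 1) + b"\x00" * 4, b""
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```

A non-empty result means the file would reveal location to anything that can read it, so strip the metadata before sharing or granting storage access.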
Android has promised fixes for many of these vulnerabilities – some of which they’ve known about for a while – with the launch of Android Q. However, security experts are rightly warning that that’s too little, too late.
Adoption of the latest Android version is notoriously slow. By May this year, just 10.4% of Android phones were running Android P. With Android Q almost upon us, over 60% of Android users are still running the 4-year-old Android N.