You could admire the tenacity if it didn’t come with such trickery: After years of effort by Google to stop Android apps from scanning users’ data without permission, app developers keep trying to find new work-arounds to track people.
A talk at PrivacyCon, a one-day conference hosted by the Federal Trade Commission last Thursday, outlined a few ways apps are prying loose network, device, and location identifiers.
Officially, apps generally interact with Android through software hooks known as APIs, giving the operating system the ability to manage their access. “While the Android APIs are protected by the permission system, the file system often is not,” said Serge Egelman, research director of the Usable Security and Privacy Group at the University of California at Berkeley’s International Computer Science Institute. “There are apps that can be denied access to the data, but then they find it in various parts of the file system.”
In a paper titled ‘50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System,’ Egelman and fellow researchers Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, and Narseo Vallina-Rodriguez outlined three categories of exploits discovered through an array of tests.
One common target, Egelman explained Thursday, is the hard-coded MAC address of a WiFi network—“a pretty good surrogate for location data.”
The researchers ran apps on an instrumented version of Android Marshmallow (and, later, on Android Pie). Deep-packet inspection of network traffic found that apps built on such third-party libraries as the OpenX software development kit had been reading MAC addresses from a system cache directory. Other apps exploited system calls or network-discovery protocols to get these addresses more directly.
Egelman added that the workings of these apps often made the deception obvious to researchers: “There are many apps that we observed which try to access the data the right way through the Android API, and then, failing that, try and pull it off the file system.”
Obtaining a phone’s IMEI (International Mobile Equipment Identity), an identifier unique to each device, can be even more effective for persistent tracking. The researchers discovered that advertising libraries from Salmonads and Baidu would wait for an app containing their code to get permission from the user to read the phone’s IMEI, then copy that identifier to a file on a phone’s SD Card that other apps built on these libraries could read covertly.
“This corresponds to about a billion installs of the various apps that are exploiting this technique,” Egelman warned.
Finally, the team observed the Shutterfly photo-sharing app working around the lack of permission for location data by reading geotags off photos saved on the phone—and then transmitting those coordinates to Shutterfly’s server. Shutterfly communications director Sondra Harding responded in an email on Tuesday, saying the app only reads photos after a user allows access: “There are multiple opportunities in the user experience for granting this permission, including opting in to auto-upload, pulling a local photo into a product creation path, the app settings, etc.”
This study and another presented Thursday—‘Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications,’ by Elleen Pan of Northeastern University with Jingjing Ren, Martina Lindorfer, Christo Wilson, and David Choffnes—did not, however, report evidence that Facebook’s apps were exploiting any loopholes to surreptitiously listen to ambient real-world audio.
The theory that Facebook or others are doing that keeps coming up despite strenuous, on-the-record denials—and in any case, the current Android Pie release blocks apps from recording audio or video in the background.
Egelman concluded his talk by saying Google paid his team a bug bounty for disclosing these vulnerabilities and promised fixes for them in the upcoming Android Q release. He called that not good enough, saying “The vast majority of Android users have older devices and won’t be getting over-the-air updates that patch this vulnerability.”
In the meantime, users can only try to stay out of trouble. In his talk, Egelman offered one option: searching the AppCensus database of the research findings. He didn’t mention another: sticking with a company’s mobile site instead of installing its app and hoping it minds its own business.