Permission-greedy apps delayed Android 6 upgrade so they could harvest more user data

App devs delayed upgrading apps, but lost in the long run due to more negative reviews and less Play Store visibility.

App permissions

CNET

Best Phones for 2019

Our editors hand-picked these products based on our tests and reviews.

Read More

Android app developers intentionally delayed updating their applications to work on top of Android 6.0, so they could continue to have access to an older permission-requesting mechanism that granted them easy access to large quantities of user data, research published by the University of Maryland last month has revealed.

The central focus of this research was the release of Android (Marshmallow) 6.0 in October 2015. The main innovation added in Android 6.0 was the ability for users to approve app permissions on a per-permission basis, selecting which permissions they wanted to allow an app to have.

Google said it was rolling out this new app permission model so users could avoid having to install apps on their phones that requested too many permissions.

Further, Google also moved the permission request popup when the app launched, instead of before installation, and by doing so, allowing users to launch apps and deny all permissions -- if the permissions weren't critical to app's mode of operation.

This was a game-changer at the time. Prior to Android 6.0, users had to grant apps access to permissions at installation time, without the ability to select which permissions each app had access.

Google gave app makers three years to update

As the Android ecosystem grew, app developers made a habit of releasing apps that requested a large number of permissions, many of which their apps never used, and which many developers were using to collect user data and later re-selling it to analytics and data tracking firms.

This changed with the release of Android 6.0; however, fearing a major disruption in its app ecosystem, Google gave developers three years to update their apps to work on the newer OS version.

This meant that despite users running a modern Android OS version -- like Android 6, 7, or 8 -- apps could declare themselves as legacy apps (by declaring an older Android Software Development Kit [SDK]) and work with the older permission-requesting mechanism that was still allowing them to request blanket permissions.

Two-year-long experiment

In research published in June, two University of Maryland academics say they conducted tests between April 2016 and March 2018 to see how many apps initially coded to work on older Android SDKs were updated to work on the newer Android 6.0 SDK.

The research duo says they installed 13,599 of the most popular Android apps on test devices. Each month, the research team would update the apps and scan the apps' code to see if they were updated for the newer Android 6.0 release.

"We find that an app's likelihood of delaying upgrade to the latest platform version increases with an increase in the ratio of dangerous permissions sought by the apps, indicating that apps prefer to retain control over access to the users' private information," said Raveesh K. Mayya and Siva Viswanathan, the two academics behind the research.

For context and to clarify, the quote above features the expression "dangerous permissions." This refers to app permissions which Google considers dangerous and requires specific user approval via a popup. Apps can also request permissions for which they don't need to request user approval. Basically, "dangerous permissions" in the quote below refers to the permission prompts regular users usually see on their devices.

Furthermore, the two researchers also organized permissions into essential and non-essential to the app's functioning. After apps updated to Android 6.0, researchers said that apps continued to request access to essential apps -- as it was a must -- but many apps lowered the number of non-essential permissions they were asking.

And, ironically, the research team also found that app makers who delayed upgrading their apps to the newer Android 6.0 in order to keep access to a simpler system for harvesting user data received more negative ratings.

These negative ratings eventually affected the apps' visibility on the Play Store, where positively-reviewed apps are placed higher in search results and recommendations.

Additional details about this research can be found in a white paper named "Delaying Informed Consent: An Empirical Investigation of Mobile Apps' Upgrade Decisions" that was presented in June at the 2019 Workshop on the Economics of Information Security in Boston.

Related cybersecurity coverage: