Android Q, the next version of Google's mobile OS, is set to fix Android's broken permission system. However, versions in use now give developers easy ways to get around user preferences for apps not to track their location and device.
Researchers from the International Computer Science Institute (ICSI) detail in a new paper that 1,325 Android apps – some of which are installed on 500 million phones – are using sneaky but easy tricks to get around restrictions in the Android permissions model.
The permissions model is meant to let users deny an app access to information such as their location data or unique device identifiers.
SEE: IT pro's guide to the evolution and impact of 5G technology (free PDF)
The researchers scanned over 88,000 apps for signs of developers employing side and covert channels to gather information that would allow software makers and advertisers to track users across devices, websites and apps.
This tracking could include accessing shared storage on an SD card to obtain information, such as a device's IMEI number, which should not be accessible if the app obeyed a deny on the READ_PHONE-STATE permission.
The IMEI is a useful for tracking purposes because, unlike the Advertiser ID, it cannot be reset or changed.
The researchers found one SDK, from a Chinese ad firm called Salmonads, writing a file to shared storage containing the device's IMEI and giving all other apps that embed the SDK access to that information too.
The same technique has been used by an SDK from Chinese search giant Baidu, with eight popular apps found to be sending the IMEI of devices to a Baidu server.
These included Disney Hong Kong and Shanghai apps, Samsung's Health app, and Samsung's browser. Some apps legitimately acquire the IMEI, but others acquire the information from the SDK without user permission.
"Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it," Serge Egelman, one of the paper's authors told ZDNet sister site, CNET.
"If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless."
The researchers also found apps acquiring the Router MAC address without permission, allowing developers to link multiple devices that share the same network. This is done by opening the /proc/net/arp and reading the ARP cache, giving away router-based geolocation information.
Egelman informed Google and the FTC about these issues in September and Google says they are addressed in Android Q, due out later this year.
Devices that ship with or are upgraded to Android Q will offer users better controls to prevent some of the techniques detailed by the researchers.
Developers will, for example, need request a special permission before they can access the device IMEI and serial number. Android Q will also now transmit a randomized MAC address for all communications. And the version has dropped /proc/net function altogether.
More on Android security