Scores of Android Apps Collect Data Without Your Permission

New research found more than 1,000 Android apps collected data without users' permission.
Donna Fuscaldo

It's not just Amazon's Alexa that is ignoring your data requests.

A new report from researchers for the Federal Trade Commission found more than 1,000 Android apps collect location and mobile phone data on consumers, even if they did not give the app permission to access that information. 


"Modern smartphone platforms implement permission-based models to protect access to sensitive data and system resources. However, apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels," wrote the researchers in a sprawling report.

"Side channels present in the implementation of the permission system allow apps to access protected data and system resources without permission; whereas covert channels enable communication between two colluding apps so that one app can share its permission-protected data with another app lacking those permissions. Both pose threats to user privacy."

Researchers Studied More than 88,000 Android Apps

To come to the conclusion that more than 1,000 apps are ignoring consumers' requests and accessing data, researchers looked at over 88,000 apps across each category in the U.S. Google Play store. The privacy-abusing apps include Shutterfly, the photo-sharing website, and Hong Kong Disneyland.

The researchers found Shutterfly collected GPS data from mobile phones and sent the data to its internal servers. In a statement to CNET, Shutterfly said that, regardless of what the researchers found, it only collects GPS data from those who give it permission.

"Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and personalized product suggestions, all in accordance with Shutterfly's privacy policy as well as the Android developer agreement," the company said in the statement.

Hong Kong Disneyland was among the apps that rely on other apps to give them permission to access personal data. Using what the researchers called covert channels, the apps would access unprotected files on the SD card of the device and store the data. There were only 13 apps engaging in this privacy-crushing practice, but the apps were installed more than 17 million times.

"The number of potential users impacted by these findings is in the hundreds of millions," the researchers said, urging regulators and platform providers to adopt better tools to monitor the behavior of the apps.

"These deceptive practices allow developers to access users' private data without consent, undermining user privacy and giving rise to both legal and ethical concerns."