Not only FaceApp: thousands of applications spy even if they are denied permission


Almost 13,000 ‘apps’ circumvent Android permissions to collect user data.

The case of FaceApp, the application that uses artificial intelligence to age a face and show a realistic image, has put the spotlight on a common aspect in which few users repair. When installed, it is warned that all our data will be used and even transferred to third parties, so that control is lost. In this case, a process is warned that few users read or accept without thinking about the consequences. But some mobile programs may not even need explicit consent. Thousands of applications circumvent the limitations and spy, even if they are not authorized.

Why does the mobile flashlight need to access a user’s location? And a photo retouching application to the microphone? Or a recorder to the contacts? In principle, these apps do not require this type of permission to operate. When they access them, it is usually in search of an extremely valuable asset: the data. Users can give or deny different permissions to applications to access their location, contacts or files stored on the phone. But an investigation by a team of experts in cybersecurity has revealed that up to 12,923 apps have found a way to continue collecting private information despite denying them explicitly the permissions.

This study highlights the difficulty of users to safeguard their privacy. Researchers from the International Institute of Computational Sciences (ICSI) in Berkeley, IMDEA Networks Institute of Madrid, the University of Calgary and AppCensus have analyzed a total of 88,000 applications from the Play Store and have observed how thousands of applications access information such as the location or Terminal data that the user had previously denied.

The experts have not yet made public the full list of apps that perform these practices. But according to the investigation, they are among them the application of the Disneyland park in Hong Kong, the browser of Samsung or the Chinese search engine Baidu. The number of potential users affected by these findings is “hundreds of millions.”

Borja Adsuara, expert lawyer in digital law, assures that it is a “very serious infraction” because the Android operating system requires that the apps ask for consented access to this data through permissions and the user expressly says no. Consent, he explains, works in a very similar way in both physical and non-physical intimacy-personal data. “It’s like in the case of a rape in which the victim expressly says no,” he says.

Narseo Vallina-Rodríguez, co-author of the study, points out that “it is not clear if there will be patches or updates for the billions of Android users that today use versions of the operating system with these vulnerabilities.” Google has not specified this newspaper if you plan to withdraw from the market or take any action in relation to the applications that, according to the study, access the users’ data without the relevant permission, however, you have assured that the problem will be solved with Android Q, the next version of its operating system The company intends to launch six beta versions throughout the year before announcing the final version during the third quarter of the year.

How do the applications access the user’s private information without the necessary permissions? The apps circumvent the control mechanisms of the operating system through the side channels and the covert channels. Vallina makes the following comparison: “To enter a house [the user’s data] you can do it through the door with the key that the owner has given you [the permit], but you can also do it without the consent of the owner taking advantage of a vulnerability of the door [a side channel] or with the help of someone who is already inside [covert channel] “.

You can open a door with a key, but you can also find a way to do it without having that key. ” The same happens when trying to access the geolocation of a terminal. You may not have access to the GPS, but find a way to access the user’s positioning information.


One way to do this is through the metadata that are integrated into the photographs taken by the owner of the smartphone, according to Vallina. “By default, each photograph taken by an Android user contains metadata such as the position and time they have been taken in. Several apps access the historical position of the user asking for permission to read the memory card, because that is where they are stored the photographs, without having to ask for access to the GPS, “he says.This is the case of Shutterfly, a photo editing application.The researchers have verified that it collected GPS coordinates information from the images of the users despite the fact that They would have denied him permission to access his location.

It is also possible to access the geolocation through the Wi-Fi access point with the MAC address of the router, an identifier assigned by the manufacturer that can be correlated with existing databases to find out the user’s position “with a fairly accurate resolution”.

So that the application can access this information, there is a permission that the user must activate on his smartphone called “wifi connection information”, according to Vallina. But there are apps that get this data without permission being activated. To do this, they extract the MAC address of the router that the terminal obtains through the protocol ARP (Address Resolution Protocol), which is used to connect and discover the devices that are in a local network. That is, applications can access a file that exposes the MAC information of the Wi-Fi access point: “If you read that file that the operating system exposes without any type of permission, you can know the geolocation in a totally opaque way for the user”.

Third-party libraries
Many of these data leaks or abuses of user privacy are made by libraries, which are services or mini-programs of third parties included in the application code. These libraries are executed with the same privileges as the app in which they are located. On many occasions, the user is not aware that they exist. “Many of these services have a business model that is based on obtaining and processing personal data,” says the researcher.

For example, applications like the Hong Kong Disneyland Park use the map service of the Chinese company Baidu. In this way, they can access without having to have any permission to information such as the IMEI and other identifiers that the Chinese search libraries store on the SD card. Samsung’s health and navigation applications, which are installed on more than 500 million devices, have also used this type of libraries for their operation. “The library itself exploits those vulnerabilities to access that data for its own purposes. It is not clear if then the developer of the app accesses that data through the library, “he explains.

Vallina says that in the next research they will analyze the ecosystem of third-party libraries and for what purposes the data is obtained. They will also study the monetization models that exist in Android and the transparency of the applications in terms of what they do and what they say they do in privacy policies. To avoid this type of practice, the co-author of the Joel Reardon study points out the importance of carrying out research of this type with the aim of “finding these errors and preventing them”.

If application developers can circumvent permissions, does it make sense to ask users for permission? “Yes,” replies blunt Reardon. The researcher emphasizes that applications can not circumvent all control mechanisms and that little by little they will have it more difficult. “The permit system has many failures, but still serves and pursues an important purpose,” he says.

Responsibility of the developers
These practices carried out without the consent of the users fail, among other regulations, the General Regulation of Data Protection (RGPD) and the Organic Law of Data Protection. The developers of these applications could face, according to the RGPD, economic sanctions of up to 20 million euros or 4% of the company’s annual turnover. And they could even constitute a crime against privacy (article 197 of the Penal Code) that could lead to prison sentences, according to Adsuara.

The lawyer argues that most of the responsibility lies with the developers. But he believes that both the Google Play and Apple Store stores and the platforms that give applications access to their users’ data – like Facebook in the Cambridge Analytica case – have a responsibility in monitoring: “That is, the duty of monitor that the applications that they accept in their store or to those that give access to the data of their users in their platform are safe

Notify of
Inline Feedbacks
View all comments