A thousand Android apps use a loophole to share data without permission

(Image credit: CyberHades / Flickr)

More than a thousand Android apps have been sharing personal user data with third parties, often without (or even before being granted) explicit permission from the user.

A loophole in the system allowed them to do so, which means app developers essentially circumvented the permission settings on the device.

This was showcased during a presentation at PrivacyCon. The presentation showed that even large companies like Disney used this loophole. It revolves around a software development kit, or SDK, which was originally built by the Chinese search giant Baidu.

The SDK allows developers to build pretty much anything without having to start from scratch. Unfortunately, that SDK also allowed apps to share data between themselves, even before the user gets prompted for permission.

So which data got shared? MAC addresses, and internet connection details. This data allows the information holder to pinpoint the exact location of the user, without GPS. To add insult to injury, some apps straight up shared GPS data.

According to The Inquirer, the upcoming Android version, Q, should resolve some of these problems. MAC addresses sent will be randomised, while the frequency will no longer be useful to identify shared contacts. GPS coordinates won’t be embedded in photos by default.

But Android is an OS used by many different manufacturers, not all of whom are fast enough when it comes to upgrading to the latest version. This means that even when Android Q moves out of beta and gets released, it could take quite some time before all Android users get it.