You could admire the tenacity if it didn’t come with such trickery: After years of effort by Google to stop Android apps from scanning users’ data without permission, app developers keep trying to find new work-arounds to track people.
A talk at PrivacyCon, a one-day conference hosted by the Federal Trade Commission last Thursday, outlined a few ways apps are prying loose network, device, and location identifiers.
Officially, apps generally interact with Android through software hooks known as APIs, giving the operating system the ability to manage their access. “While the Android APIs are protected by the permission system, the file system often is not,” said Serge Egelman, research director of the Usable Security and Privacy Group at the University of California at Berkeley’s International Computer Science Institute. “There are apps that can be denied access to the data, but then they find it in various parts of the file system.”
In a paper titled ‘50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System,’ Egelman and fellow researchers Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, and Narseo Vallina-Rodriguez outlined three categories of exploits discovered through an array of tests.
One common target, Egelman explained Thursday, is the hard-coded MAC address of a WiFi network—”a pretty good surrogate for location data.”
The researchers ran apps on an instrumented version of Android Marshmallow (and, later, on Android Pie). Deep-packet inspection of network traffic found that apps built on such third-party libraries as the OpenX software development kit had been reading MAC addresses from a system cache directory. Other apps exploited system calls or network-discovery protocols to get these addresses more directly.
Egelman added that the workings of these apps often made the deception obvious to researchers: “There are many apps that we observed which try to access the data the right way through the Android API, and then, failing that, try and pull it off the file system.”