If you’re using an Android phone, you’ve definitely seen apps asking for permissions when you run them for the first time. If you’ve said no to any of them, you’d think that the app would leave it at that. But as it turns out, thousands of apps area capable of working around Android’s permissions system and collect data to be sent back home anyway.
Researchers have found that even if you deny an app certain permissions, another app that was granted permissions will be able to pass it on to the one that was denied. Even if the two apps are unrelated, this will be possible if they’re made using the same software development kit (SDK).
According to The Verge, the study was presented at PrivacyCon 2019, where the researchers point to apps made by Samsung and Disney. They use SDKs made by from Chinese tech company Baidu and an analytics firm called Salmonads. Apps made using this SDK could pass your data among themselves, and to their home servers, as long as at least one of them has received the necessary permissions.
The researchers say that they’ve notified Google about these issues last September. For what it’s worth, the fix for some of these vulnerabilities will come with Android Q. But the researchers think that Google should do more, by rolling out hotfixes within security updates.
(Source: The Verge)