Thursday, July 7 2022

Android Applications as GDPR Sinners » Leadersnet


Study: more than 1000 applications collect data without authorization.

Data is the most valuable currency of the digital age: despite massive security precautions, getting at it is in many cases not as difficult as one would have expected since the introduction of the GDPR. One of the greatest dangers is our constant companion: the smartphone.

Android apps access data without permission

Anyone who installs an Android application is shown a list of the permissions it requires before downloading it. The user therefore knows before installation what data an application will have access to. But, as a recent study by the International Computer Science Institute at the U.S. university in Berkeley shows, many Android applications do not stick to this arrangement. The study examined 88,113 applications from the US catalogue of the Google Play Store. Of these, a total of 1325 applications accessed data for which they had no authorization, including the location and data that make the device and the user uniquely identifiable.

The study, presented at the end of June, strongly criticized the approach of application developers: "Basically, consumers have very few options and approaches to protect their data and make informed decisions about it," said Serge Egelman, one of the authors of the study. "If the application developers can only leave the system, it does not make sense to ask for permission."

Photo app obtains the location by a detour

The authors of the study informed Google last September about the gaps they had discovered. The US company pledged to close them in the next version, Android Q. Among other things, applications will no longer be able to use photos and Wi-Fi data to determine the location without explicit permission. Applications showing this behavior included the popular photo application Shutterfly, which has been downloaded more than five million times according to the Play Store.

IMEI via SD card

Some applications also piggybacked on the permissions of other applications. The Chinese advertising platform Salmonad, for example, stored personal information such as the IMEI, the unique serial number of a smartphone, on the SD card. Third-party applications that had no permission of their own to access this data could read it from there. This was no coincidence: it allowed the ad network to track users reliably, even if they had denied individual applications the necessary permissions.

At least 13 of the applications examined used this method; 153 other applications were technically capable of it and contained the corresponding code. These include, among others, an application for visitors to Disneyland Hong Kong, Samsung Health and the Samsung navigator. According to Google, Samsung's applications alone have more than 500 million downloads and are pre-installed on most Samsung smartphones.
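
A defender can audit a copy of a device's shared storage for the pattern described in this section. The following added example (not code from the study or from this article) scans a directory tree for 15-digit values that pass the Luhn check used by IMEIs; the file names and sample values are constructed, and it only catches identifiers stored as plain decimal text.

```python
import os
import re
import tempfile

# 15 consecutive digits that are not part of a longer digit run.
IMEI_RE = re.compile(rb"(?<!\d)\d{15}(?!\d)")

def luhn_valid(number: str) -> bool:
    """An IMEI ends in a Luhn check digit; this filters most random 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_imei_candidates(data: bytes) -> list:
    """Return the sorted, de-duplicated IMEI-shaped values found in a byte string."""
    return sorted({m.decode() for m in IMEI_RE.findall(data) if luhn_valid(m.decode())})

def scan_tree(root: str, max_bytes: int = 1 << 20) -> dict:
    """Map relative file path -> IMEI candidates, reading at most max_bytes per file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found = find_imei_candidates(fh.read(max_bytes))
            except OSError:
                continue        # unreadable file: skip, do not abort the audit
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

def demo() -> dict:
    """Constructed stand-in for a copy of shared storage pulled from a test device."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".cache_dir"))
        with open(os.path.join(root, ".cache_dir", "settings.xml"), "wb") as fh:
            fh.write(b'<map><string name="id">490154203237518</string></map>')
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"order 490154203237519, timestamp 1562457600000000")
        return scan_tree(root)

if __name__ == "__main__":
    for path, ids in demo().items():
        print(path, ids)
```

A hit is only a candidate: compare it with the test device's own IMEI before treating the file as an identifier cache.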

Hundreds of millions of users affected by the GDPR violation

"It is likely that hundreds of millions of users will be affected by these discoveries," the study said. The negligent conduct of the application developers is criticized in particular, since even data collected with good intentions can pose a danger to the user. The authors also believe that developers have violated applicable US and EU laws with this approach. (Red)
