OVER A THOUSAND Android apps, some from big names, have been sharing personal user data, even after being denied permissions.
A presentation at this year's PrivacyCon showed that apps from recognised publishers including Disney are running with a method of circumventing Android's permissions to share personally recognisable data with third parties.
The problem is with the SDK. For non-coders, this is a kind of 'frame' into which you can program whatever you want without having to start from scratch.
In this case, the apps have been built using an SDK by Baidu, the Chinese search giant, in association with an analytics firm called Salmonads. Built into the apps is the ability to run as a kind of 'hive mind', able to pass data between apps, even if you've publicly denied permissions when you installed.
The workaround works as soon as you install an offending app, with the data transfer often taking place before you've opened the app to grant permissions in the first place.
The data being returned include MAC addresses and details of your connection, which can be used to identify you geographically without GPS. Some apps go further, sending actual GPS coordinates back to servers.
Some of these problems will be fixed in Android Q. Amongst them, MAC address transmissions will be randomised and shared contacts will no longer be identifiable by the frequency with which you interact. It will also make sure your GPS coordinates aren't embedded in your photos by default.
The big problem comes with fragmentation. At the moment, Android Q isn't official - that's why it doesn't have a hilarious food-related name yet. We already know that getting users to update, and indeed getting manufacturers to provide updates to their customers' operating systems, has always been a problem. After all - Android 9.0 Pie is still rocking less than 11 per cent market share. As such, it's likely that the vast majority of customers' devices will never see the fixes.
Google isn't speaking about the issue right now, but there are calls for it to act with 'hotfixes' to earlier versions of Android to nip this practice in the bud early doors, because technically, what Baidu's SDKs are doing isn't against any actual rules - just a whole crock of moral ones. μ