(CNN) — When you deny a mobile app permission to collect personal data from your phone, it’s reasonable to expect it abides by that. But a new study of popular Android apps found that’s not always the case.
Thousands of popular apps from the Google Play Store are able to bypass permissions to collect user data, according to the nonprofit research center International Computer Science Institute, which partners with University of California, Berkeley. The apps work around restrictions by finding “side channels” or “covert channels” such as taking data from apps that do have those permissions, potentially affecting hundreds of millions of Android users.
Researchers found roughly 60 Android apps, which have been downloaded millions of times, are already doing this. Many others are built with code that could allow them to do the same.
The study also points out that Android permissions make it difficult to track how an app will share the information and under what circumstances, even when users do agree to share data.
“These deceptive practices allow developers to access users’ private data without consent, undermining user privacy and giving rise to both legal and ethical concerns,” the researchers wrote.
The researchers contacted Google about what they found, and the company paid them a bug bounty. Google says the issues will be addressed in the next bigAndroid update, called Android Q, that is expected later this year.
The study was sponsored by the US National Security Agency’s Science of Security program, the Department of Homeland Security and the National Science Foundation, among others, and was presented at the Federal Trade Commission’s PrivacyCon event last week.
Researchers downloaded and analyzed the most popular apps in each category of the Google Play Store, 88,000 in total.
In some cases, apps with permission to access information like location data stored it on the phone’s SD card, where apps without proper permissions could access it.
In other cases, users may have technically given the app access to the data without understanding exactly what they were agreeing to. For example, photos often include metadata such as the time and location where they were taken, meaning an app could view a user’s location even if it didn’t have permission.
“We note that these exploits may not necessarily be malicious and intentional,” the researchers wrote.
Google says photo location information will be hidden by default from apps that request photos on Android Q, unless developers specify on the Google Play Store whether their app is capable of accessing a photo’s location. The update will also require apps that gather wifi access point information (which researchers say is de facto location data) to have location permissions. Apple also recently announced it was cracking down on apps using wifi and Bluetooth connections to gather location data in its next iOS update.
The study reinforces concerns over the ways Big Tech companies manage and protect (or fall short of protecting) user privacy. Google CEO Sundar Pichai said at a December Congressional hearing that the company does collect a large amount of user data and offers tools for users to determine how much of their information they allow Google and applications on the Android operating system to collect. However, he has conceded that the company could be doing more.
“I don’t think users have a good sense for how their data is being used, I think we’ve put the burden on users to a large extent,” Pichai told CNN’s Poppy Harlow last month. “I think we need a better framework where users get that comfort that they are in control of their data, how it’s used.”
