It’s hard to keep your location and other personal data private when you’re carrying a smartphone around all day. Even if you’re aware of the privacy concerns that come along with smartphone apps, they don’t always make it easy to disable features that collect your data. And sometimes apps siphon your information even when you’ve explicitly told them not to.
A recent study found that over 1,300 Android apps quietly collect location data and other information even when your privacy settings specifically prohibit it. To avoid your privacy permissions, these apps use workarounds to access your data in unusual ways. Instead of using Android’s location services — which apps must have permission to access — these sneaky apps track you using less obvious means.
Apps may check the geolocation attached to your photos or monitor which Wi-Fi networks you’re connected to in order to determine your location. Apps can also collect device information that can identify your specific phone, then pass that information on to advertisers — who can then collate data about your behavior from multiple apps. Some apps are even sneakier, and circumvent your privacy settings by collecting restricted information from apps on your phone that do have access to that data. In short, there are lots of ways an app can access your private information without your permission — even though most of these methods are against Google’s policies.
What the apps are doing with this information isn’t necessarily nefarious: it’s primarily used to target advertisements. However, the data could be used for nefarious means, particularly because we don't know app-makers have it or how they use it. Apps that quietly track your location data know where you are with a fair degree of accuracy all the time — and if you don’t allow them to access your location data, you clearly don’t want them to.
While these 1,300 apps are just a small portion of the millions of apps available on the Google Play Store, some of the apps using these workarounds are extremely popular. For example, researchers found that Shutterfly — one of our favorite apps for creating photobooks — collects GPS information from your photos and sends them back to its servers, regardless of whether it has access to your location data. (If you don't want to share your location data with apps along with your photos, make sure you turn off Location Services for your camera app. Most camera apps store location data in what's called EXIF data. This lets you can view photos based on location through your gallery. If you want to know more, Consumer Reports has a good overview of what personal information is leaked through EXIF data.) While Shutterfly was the only app collecting location data from your photos, Samsung’s Health and Browser apps had the ability to collect unique identifying information from your phone — though researchers couldn’t tell if the apps actually made use of that access. All in all, apps that could collect personally identifying information from your phone were installed on over 17 million devices.
Fortunately, Google is aware of these vulnerabilities and will fix them in Android Q, which is likely to be released this August. On top of the bug fixes, Android Q will also update app permissions, letting you lock down your apps more easily. Unfortunately, not all Android phones will be able to upgrade — currently, only 23 smartphones can run the Android Q beta, and further support will be based on what each device manufacturer wants to do. Popular devices include the Google Pixel line of phones and the LG G8.
While we always recommend limiting apps’ access to your data — see Google’s instructions on locking down your app permissions for all the details — that isn’t always enough. Even apps from reputable companies may be collecting more data than you expect. When Android Q is released, you’ll want to install it as soon as possible to help maintain your privacy.
[Image credit: using a smart phone via BigStockPhoto]