Researchers warned thousands of apps have the ability to circumvent Android’s permissions system and gain access to sensitive user information.

A study of more than 88,000 Android apps by University of California Berkeley found nearly 13,000 contain the code necessary to gain unauthorised access to user information. The research team also detected around 60 apps which were actively using various workarounds.

Serge Egelman, a research director at the university’s International Computer Science Institute, presented the findings at a recent privacy-focused event held by the US Federal Trade Commission.

He noted the most common way apps get around Android’s permissions structure is by mining a device’s file system for information.

“While the Android APIs are protected by the permission system, the file system often is not. So there are apps that can be denied access to the data but then they find it in various places on the file system, which they have full access to.”

Egelman flagged Wi-Fi network data as a key target, as it can provide a surrogate for location information which has otherwise been denied. Though location data including GPS coordinates and Wi-Fi network addresses are protected by Android permissions, he said the latter is also stored on the device’s file system.

“What this means is there are situations where the user might have been prompted explicitly to grant user location data to the app, they decline and then the app reads that information off the file system instead.”

Threat level
He said while the number of apps exploiting this particular vulnerability is relatively small, the user base for these apps is “in the billions”.

Egelman said Google promised to close such loopholes in its forthcoming Android Q release after researchers shared their findings with the company. But, he noted Android Q will only be available to users of newer devices, leaving the “vast majority” of users vulnerable.