Android apps can still track your location even if you turn off location permissions

When you deny a permission to an app on an Android phone, you take it for granted that the application cannot monitor your location, but researchers say they have found thousands of applications that circumvent Android's permission management. These applications quietly send the phone's unique identifiers and enough positioning data to their own servers to locate the user.

Android "API breaking" vulnerability

How do these applications get positioning data? The researchers said that even if you have denied location access to an application, it can request location information from other applications that have been authorized to obtain it. Some applications even store the location information they acquire directly in shared storage. The researchers say this works because the applications are built with the same software development kit (SDK), which has its own rules for sharing location information between them, and there is evidence that the SDK owners are receiving the positioning data the applications collect.

According to a study published at PrivacyCon 2019, an SDK developed by a company called Salmonads first stores user data locally and then shares that data from one application to another.

The team also found a number of side-channel vulnerabilities, some of which let applications send unique identifiers such as the MAC address of the user's network card, the router access point, and the SSID to their own servers. Serge Egelman, research director of the International Computer Science Institute (ICSI) Security and Privacy Group, said at PrivacyCon that these unique identifiers are a good substitute for location data, because they can be used indirectly to locate the user.

According to the researchers, they notified Google of this vulnerability in September last year, and the issue will be fixed in Android Q. However, this may not help most devices that do not get an Android Q update.

Researchers believe that Google should do more and introduce patches in security updates because it shouldn’t just protect new phone buyers and ignore old users. “Google is publicly claiming that privacy should not be a luxury good, but that very well appears to be what’s happening here,” said Egelman.

Source: theverge