More than 1,300 Android apps collect unauthorized data




Security researchers have found more than 1,300 apps in Google's Play Store that collect unauthorized user data by bypassing Android's built-in application permissions management. […]

The most important applications that collect data include the Samsung Health app and the Samsung Internet browser. (c) Google

Google has allowed manual management of application permissions since Android version 6. Users can define exactly which applications may access location data, the camera and other information. However, as an international team of researchers found, many Android applications from the official Play Store bypass this rule and access personal information without the user's consent.

Overall, the security experts discovered more than 1,300 apps that specifically bypass Android's app permissions. The applications obtain the data they are looking for either by communicating with other applications that hold the necessary rights or by extracting information from the metadata contained in media files. For example, many users store location data in image files. In addition to location information, these two methods can also be used to collect device information (IMEI), WLAN connections, or the MAC address of the home router.

Among the most notable applications the researchers encountered are Samsung's Health app and Samsung's Internet browser. Both apps are listed in the Play Store with over 500 million installations.

The results of the investigation were sent to Google, which rewarded them with a bug bounty of an unspecified amount. The researchers' full paper is titled "50 ways to disclose your data" and is freely accessible.

With the upcoming Android Q, the bugs that allow unauthorized data collection are to be fixed. In addition, Google is extending permission management in Android Q with temporary access for active applications. This can be used to specify that a navigation application may only access the location while the application is actually in use. Secret data collection in the background should thereby be prevented.
