More than 1,000 Android apps collect data even after being denied permissions.




Researchers have discovered that more than 1,000 Android apps are bypassing privacy permission settings.

Jason Cipriani / CNET

Android app permissions are designed to control how much data your device gives up. If you do not want a flashlight app to read your call logs, you should be able to deny that access. But even when you say no, researchers have found more than 1,000 apps that have found a way around the restriction, allowing them to collect precise geolocation data and phone identifiers behind your back.

The discovery highlights how difficult it is to stay private online, especially if you're tied to your phone and mobile apps. Technology companies have mountains of personal data on millions of people, including where they are, who their friends are and what their interests are.

Lawmakers are trying to rein this in with privacy regulations, and app permissions are supposed to control the data you give up. Apple and Google have also released new features to improve people's privacy, but apps continue to find hidden ways to circumvent these protections.

Researchers at the International Computer Science Institute (ICSI) have found up to 1,325 Android apps that collected data from devices even after users explicitly denied them permission. Serge Egelman, director of usable security and privacy research at ICSI, presented the study at the Federal Trade Commission's PrivacyCon on June 27.

"Basically, consumers have very few tools and tools that they can use to reasonably control their privacy and make decisions about it," Egelman said at the conference. "If application developers can simply bypass the system, asking consumers for permission is relatively meaningless."

Egelman said the researchers informed Google, as well as the FTC, about these issues last September. Google said that it would address the problems in Android Q, which should come out this year.

According to Google, the update will fix the problem by hiding location information in photos from apps and by requiring that any app that accesses Wi-Fi also have permission to obtain location data.

The study examined more than 88,000 apps from the Google Play store to determine how data was transferred from apps when they were denied permissions. The 1,325 apps that violated Android permissions used workarounds built into their code that would take personal data from sources such as Wi-Fi connections and metadata stored in photos.

The researchers discovered that Shutterfly, a photo editing application, collected GPS coordinates from photos and transmitted them to its own servers, even when users refused to allow the app to access location data.

A spokeswoman for Shutterfly said the company would only collect location data with explicit permission, despite the researchers' findings.

"Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and custom product suggestions, all in accordance with the Shutterfly Privacy Policy and the Android Developer Agreement," said the company in a statement.
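The photo-metadata channel described above depends on GPS fields stored in a JPEG's EXIF segment. The following is an added example, not code from the study or from any company named in the article: a Python check, with hypothetical function names and a constructed sample image, that detects a GPS directory pointer in a photo and strips the EXIF segment before the file is shared.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS directory

def exif_segment(jpeg: bytes):
    """Return (start, end) of the first Exif APP1 segment in a JPEG, or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: image data follows, no more metadata
            return None
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return pos, pos + 2 + length
        pos += 2 + length
    return None

def has_gps(jpeg: bytes) -> bool:
    """True if the Exif IFD0 carries a pointer to a GPS directory."""
    seg = exif_segment(jpeg)
    tiff = jpeg[seg[0] + 10:seg[1]] if seg else b""  # skip marker, length, "Exif\0\0"
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte-order mark
    if order is None or len(tiff) < 8:
        return False
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]   # 12 bytes per IFD entry
    tags = [struct.unpack(order + "H", entries[i:i + 2])[0]
            for i in range(0, len(entries) - 11, 12)]
    return GPS_IFD_POINTER in tags

def strip_exif(jpeg: bytes) -> bytes:
    """Drop the whole Exif segment so no location metadata leaves the device."""
    seg = exif_segment(jpeg)
    return jpeg if seg is None else jpeg[:seg[0]] + jpeg[seg[1]:]

def make_sample(with_gps: bool) -> bytes:
    """Constructed sample: a minimal JPEG holding only an Exif segment."""
    entries = [(0x0112, 3, 1, 1)]  # Orientation = 1
    if with_gps:
        entries.append((GPS_IFD_POINTER, 4, 1, 38))  # constructed offset, no real fix
    ifd = struct.pack("<H", len(entries))
    ifd += b"".join(struct.pack("<HHII", *e) for e in entries) + struct.pack("<I", 0)
    body = b"Exif\x00\x00II" + struct.pack("<HI", 42, 8) + ifd
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

Stripping the segment removes all EXIF fields, not only location, which is the conservative choice when a photo is about to leave the device.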

Other apps piggyback on apps that are allowed to use personal data, retrieving phone identifiers such as your IMEI number. These apps read unprotected files on a device's SD card and collect data they are not permitted to access. For example, if you allow other apps to access personal data and they store it in an SD card folder, these spyware applications will be able to retrieve the information.

According to the researchers, while only 13 apps were doing this, they were installed more than 17 million times. This includes apps like Baidu's Hong Kong Disneyland park app, researchers said.

Baidu and Disney have not responded to requests for comment.

The researchers found that 153 apps have this capability, including Samsung's health and navigation apps, installed on more than 500 million devices.

Samsung has not responded to a request for comment.

Other apps were collecting location data by connecting to your Wi-Fi network and determining the router's MAC address. The researchers found this in apps that worked as smart remotes, which did not need your location information to work.

Egelman said he would release the details, along with a list of the 1,325 apps the researchers discovered, when the study is presented at the USENIX Security conference in August.
