Thousands of Android apps exposed to have vulnerabilities that share data without permission

It has been revealed that more than a thousand Android (Android Q) apps in the app store have been sharing personal user data with third parties without obtaining explicit permission from users.

Investigators said the app developers had exploited a vulnerability in the Android system to circumvent the permissions settings on the terminal device. The vulnerability was demonstrated at the PrivacyCon conference held by the US Federal Trade Commission (FTC).

The investigation found that this vulnerability was deployed through the software development kit (SDK). Although the SDK brought convenience to developers, unfortunately, the SDK allowed the APP to share data privately before the user authorized it. Even big companies like Disney have exploited this vulnerability.

The researchers said that the terminal's MAC address and network connection details will be shared. In addition, the SDK can accurately locate the user's exact location even without GPS, and some apps can even share GPS data directly.

However, the researchers believe that the upcoming Android Q official version may solve some of these problems. The MAC address sent will be randomized, and GPS coordinates will not be embedded in photos by default.

However, given the fragmentation of Android and the fact that system upgrades by various manufacturers are often not timely, if you wait until you use the Android Q version, I'm afraid there will still be a long way to go.