Privacy scandal: Thousands of Android apps have been recording everything you do

Patrick Devaney


Permissions are supposed to be a big deal for mobile apps. Our phones are constantly collecting all sorts of data based on what we do with them, and apps are only supposed to be able to access that data if we give them permission. When we say apps here, we also mean the companies behind the apps. They can only access the data we give them permission to access. At least, that is how it is supposed to go.


More than 17,000 Android apps have been collecting identifying information and creating permanent records

This latest privacy scandal has hit the news thanks to research by the International Computer Science Institute (ICSI). The ICSI report shows that these apps go against Google’s best practices for app developers and that the data collection methods used straight-up violate Google’s policies on collecting user data for advertising purposes.

These apps collect data by matching various ID numbers with data that is unique to your mobile phone. For example, your Advertising ID may be a resettable number, but your phone’s IMEI, Android ID, and MAC address are much more difficult (if not impossible) to change. Rather than simply taking your Advertising ID, as Google’s guidelines direct, the apps in question have also been pilfering the permanent data unique to your device. This makes the data they can send to advertisers much more valuable and takes away what little control you had over your own data.
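To see why the pairing matters, here is an added example (not from the ICSI report or the original article) of how an auditor could flag it in captured app traffic and show that one IMEI ties together the Advertising ID from before and after a reset. The hosts, parameter names and values are constructed, and it assumes the identifiers travel as plain query parameters.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Value shapes of the identifiers the article names.
PATTERNS = {
    "ad_id": re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I),
    "imei": re.compile(r"\d{15}"),
    "android_id": re.compile(r"[0-9a-f]{16}", re.I),
    "mac": re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", re.I),
}
PERSISTENT = ("imei", "android_id", "mac")

# Constructed sample capture: hosts, parameter names and values are invented.
CAPTURE = [
    "https://ads.example.net/imp?adid=38400000-8cf0-11bd-b23e-10b96e40000d&imei=490154203237518",
    "https://ads.example.net/imp?adid=11111111-2222-4333-8444-555555555555&imei=490154203237518",
    "https://cdn.example.org/cfg?adid=11111111-2222-4333-8444-555555555555&lang=en",
    "https://stats.example.com/e?mac=02:00:00:00:00:00&n=123456789012345",
]

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; this rejects arbitrary 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    """Return the identifier type a parameter value looks like, or None."""
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(value) and (kind != "imei" or luhn_ok(value)):
            return kind
    return None

def audit(urls):
    """Flag requests pairing an Ad ID with a persistent ID; map each such ID to its Ad IDs."""
    flagged, linked = [], defaultdict(set)
    for url in urls:
        found = defaultdict(set)
        for _, value in parse_qsl(urlsplit(url).query):
            found[classify(value)].add(value)
        keys = [(k, v) for k in PERSISTENT for v in found[k]]
        if found["ad_id"] and keys:
            flagged.append(url)
            for key in keys:
                linked[key] |= found["ad_id"]
    return flagged, dict(linked)
```

Running `audit(CAPTURE)` flags only the first two requests, and the single IMEI maps to both Advertising IDs, which is exactly the loss of reset control described above.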

[Image: Screenshots of mobile ad permissions. Image via Serge Egelman]

According to Serge Egelman, who led the research team at the ICSI, “Privacy disappears,” when tech companies act in this way. Egelman also mentioned a few of the 17,000 apps they found to be acting in this way, which included Angry Birds Classic, Audiobooks by Audible, Flipboard, and Clean Master. To show just how far and wide this problem goes, Egelman pointed out that Clean Master alone has been downloaded and installed on over 1 billion devices.

Google has responded to the ICSI’s research, with a spokesperson saying, “We take these issues very seriously… Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We’re constantly reviewing apps — including those listed in the researcher’s report — and will take action when they do not comply with our policies.” The problem Google raised, however, is that it can only enforce its policies when the violating data is sent to its own ad networks. If the data is sent to external ad networks, Google can’t enforce its policies.

Google is working on the problem, but only when it shows itself, which seems like a massive dereliction of duty on the part of the internet giant. If it is unable to enforce its policies properly, what is the point in having them?
