Thousands of apps in the U.S. Google Play Store still bypass permissions to collect user data, according to findings from a recent study that reinforces concerns over the ways companies manage and protect user privacy.
The study, which tested 88,000 apps, was released by the nonprofit research center International Computer Science Institute and its partner, the University of California, Berkeley. Among its findings were about 60 Android apps, downloaded millions of times, that stole information by working around restrictions and taking data without permission.
The study — 50 Ways to Leak Your Data — also suggests that Android permissions make it difficult to track how apps share information and under what circumstances, even when users agree to share data. The researchers took the findings to Google, which said the next big update, Android Q, will address the problem later this year.
The study found numerous deceptive practices, including third-party libraries provided by Baidu and Salmonads that independently make use of the SD card as a covert channel.
An app that can read the phone’s International Mobile Equipment Identity (IMEI) number stores it on the SD card for other apps that cannot. The research found 159 apps with the potential to exploit this covert channel, and empirically found 13 apps doing so.
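One way to check a test device for this kind of SD-card channel is to scan a pulled copy of its shared storage for the device's own, known IMEI in plain and commonly encoded forms. The sketch below is an added example, not code from the study or from any of the libraries named; the list of encodings, the file paths and the sample IMEI are all assumptions constructed for illustration.

```python
import base64, hashlib, os, tempfile

def encodings(imei: str) -> dict:
    """Forms in which a known identifier might be written to disk (assumed list)."""
    raw = imei.encode()
    forms = {"plain": raw, "hex": raw.hex().encode(),
             "base64": base64.b64encode(raw)}  # base64 of the bare value only
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, raw).hexdigest().encode()
    return forms

def scan_tree(root: str, imei: str) -> list:
    """Return sorted (relative path, encoding) for files under root holding the IMEI."""
    needles, hits = encodings(imei), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable entry: nothing to inspect
            lowered = data.lower()  # hex strings and digests may be stored upper-case
            for label, needle in needles.items():
                haystack = data if label in ("plain", "base64") else lowered
                if needle in haystack:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    hits.append((rel, label))
    return sorted(hits)

def build_sample(root: str, imei: str) -> None:
    """Constructed stand-in for a shared-storage copy; every path is made up."""
    md5_upper = hashlib.md5(imei.encode()).hexdigest().upper().encode()
    files = {
        "Pictures/notes.txt": b"holiday packing list",
        ".cache/example_lib/id.dat": imei.encode(),
        "Android/data/example.app/cfg.xml": b"<k>" + md5_upper + b"</k>",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

def demo() -> list:
    imei = "490154203237518"  # constructed sample value, not a real device
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, imei)
        return scan_tree(root, imei)

if __name__ == "__main__":
    print(demo())
```

A hit outside the app-private directory of the app that holds the phone-state permission is the pattern worth investigating, since any app with storage access can read it.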
Long-term blatant theft of consumer data in apps will no doubt have a major influence on other data strategies that advertisers use in real-time ad bidding and targeting.
The UK's data protection authority, known as the Information Commissioner's Office, published a report detailing how real-time advertising auctions violate the European Union's General Data Protection Regulation, which took effect last year.
The report -- published by the organization last month, and cited by MediaPost in June and The Wall Street Journal last week -- said the ad auctions involve the collection and distribution of sensitive data about users such as race, sexuality, political affiliation, and health status -- all without their consent.
Most recently, Facebook changed its targeting options for certain markets based on civil rights audits. The system restricts ad-targeting options for jobs, housing, or credit opportunities to help guard against discrimination or misuse.
The WSJ reports that privacy activists in at least six countries have filed complaints about real-time ad auctions, including Belgium, Poland, the Netherlands, and Spain.
It’s just a matter of time until these practices change online advertising and influence data protection legislation worldwide from GDPR in Europe to the California Consumer Privacy Act (CCPA) and consumer protection laws, such as the Federal Trade Commission Act.