All smartphones are data collection machines; hopefully everyone understands that. There are an amazing number of sensors on the device and many apps just ask for everything. If the user grants that, then the app can harvest all that data and likely sell it, either individually or in the aggregate.
Researchers took a tiny sample of 88,000 apps out of the Android app store (because that is easier than the Apple store) and found that 1,300+ of those apps – or a bit more than one percent – figured out how to circumvent the permission rules.
Some of these apps are mainstream apps. For example, Shutterfly grabs the GPS coordinates out of your pictures, assuming the photos contain them.
Does this mean that they are hacking the phone? No, it means that they have figured out how to finesse the system.
Another thing that some apps do is look for data other apps leave unprotected on the phone and snarf that data up. For example, older versions of Android did not protect individual apps’ data on external storage. If you give an app access to external storage, it can rummage around on that external storage for any data that might be there.
If an app can find the phone’s IMEI number (basically the phone’s serial number) that another app, one with permission to read it, retrieved and left unprotected, then it can tie all of your data to you even though it doesn’t have permission to retrieve the IMEI itself.
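One defensive check for the storage side channel described above is to audit a copy of the phone’s shared storage for identifiers that should never be sitting there. The script below is an added example, not code from the original post or from the research it summarises; it assumes the shared-storage tree has already been copied to a local directory (for instance with `adb pull`) and, for a self-contained run, builds a small constructed tree instead. An IMEI is 15 digits ending in a Luhn check digit, which is what the filter relies on.

```python
import os
import re
import tempfile

# Exactly 15 consecutive digits; Luhn check below weeds out random numbers.
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_leaked_imeis(root: str, max_bytes: int = 1 << 20) -> dict:
    """Walk `root` and map each file (relative path) to the Luhn-valid
    15-digit numbers it contains. Files are decoded as latin-1 so binary
    content never raises; only files with at least one hit are returned."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read(max_bytes).decode("latin-1")
            found = sorted({m for m in IMEI_RE.findall(text) if luhn_valid(m)})
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def build_sample_tree() -> str:
    """Constructed sample: a hidden SDK cache that leaks an IMEI and an
    innocuous file whose 15-digit number fails the Luhn check."""
    root = tempfile.mkdtemp(prefix="extstorage_")
    os.makedirs(os.path.join(root, ".sdk_cache"))
    with open(os.path.join(root, ".sdk_cache", "device.txt"), "w") as fh:
        fh.write("imei=490154203237518\nsdk_ver=2.1\n")   # constructed, Luhn-valid
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("order 123456789012345 shipped\n")        # 15 digits, not an IMEI
    return root


if __name__ == "__main__":
    for rel_path, imeis in find_leaked_imeis(build_sample_tree()).items():
        print(f"{rel_path}: {', '.join(imeis)}")
```

Point `find_leaked_imeis` at a real pulled tree and any hit is a file some app or SDK has left readable to every other app holding the storage permission.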
With each new release of iOS and Android, the developers of those operating systems implement new controls in an effort to rein in developers who have figured out how to game the system.
Sometimes it is not the app developer who is being deceptive but rather the provider of one or more libraries that the developer integrated into the application. That means the app provider could be unwittingly helping out Chinese library developers (yup, that is happening, for reals).
This is not limited to one operating system. As they say, if the app is free, then you are the product.
As an app developer, you need to understand what each and every library does, and if you can’t be sure, you can sniff the network traffic and see what is actually happening.
Source: The Hacker News.