Android apps are ‘secretly colluding’ to share information with one another without asking for permission, new research has found.
This data sharing could lead to security breaches with user location, contact details and other private information at risk.
Apps designed around the personalisation of ringtones, widgets, and emojis are the most at risk, the researchers said.
In a study of more than 100,000 of Google Play’s most popular apps, the team found 23,495 colluding pairs of apps.
Once downloaded, apps can communicate with one another without user permission, and some take advantage of this feature to read personal data.
‘Apps that don’t have a good reason to ask for extra permissions sometimes don’t bother. Instead, they manage to get information through other apps,’ study coauthor Professor Gang Wang, a computer scientist at Virginia Tech University, told New Scientist.
The types of threats arising from app data sharing fall into two major categories, the team said.
User data could be breached using a malware app that is specifically designed to launch a cyberattack, or using normal apps that simply allow for collusion.
In the latter category, it is not possible to know the intentions of the app developer, so collusion – while still a security breach – can in many cases be unintentional, the researchers said.
The analysis is the first ever large-scale and systematic study of how the apps on Android phones are able to talk to one another and trade information.
‘Researchers were aware that apps may talk to one another in some way, shape, or form,’ said Professor Wang.
‘What this study shows undeniably with real-world evidence over and over again is that app behaviour, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone.’
To test different pairs of apps, the team developed a tool called ‘DIALDroid’ to perform a large inter-app security analysis that took 6,340 hours.
‘Of the apps we studied, we found thousands of pairs of apps that could potentially leak sensitive phone or personal information and allow unauthorised apps to gain access to privileged data,’ said coauthor Professor Daphne Yao.
The team studied 110,150 apps over three years including 100,206 of Google Play’s most popular apps.
They also studied 9,994 malware apps from Virus Share, a private collection of malware app samples.
A leak of this kind occurs when a sender app colludes with a receiver app to share key information.
This means that a seemingly innocuous app, such as the phone’s flashlight, can share contacts, geolocation, and other private information with malware apps.
The team found that the biggest security risks were some of the least useful apps – software designed for the personalisation of ringtones, widgets, and emojis.
‘App security is a little like the Wild West right now with few regulations,’ said Professor Wang.
‘We hope this paper will be a source for the industry to consider re-examining their software development practices and incorporate safeguards on the front end.
‘We can’t quantify what the intention is for app developers in the non-malware cases.
‘But we can at least raise awareness of this security problem with mobile apps for consumers who previously may not have thought much about what they were downloading onto their phones.’