Researchers from UC Berkeley’s International Computer Science Institute (ICSI), which produced the research, tested 88,000 apps from the U.S. Google Play Store, and found that 1,325 apps collected information regarding geolocation data and phone identifiers. The study published on the Federal Trade Commission (FTC) website cited 153 apps, including Samsung Health, Samsung’s Browser, Shutterfly and Disney’s Hong Kong Disneyland park app that collected data without explicit permissions. “Modern smartphone platforms implement permission-based models to protect access to sensitive data and system resources. However, apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels,” wrote the researchers in an extensive report. “Side channels present in the implementation of the permission system allow apps to access protected data and system resources without permission; whereas covert channels enable communication between two colluding apps so that one app can share its permission-protected data with another app lacking those permissions. Both pose threats to user privacy.” For instance, the researchers found Shutterfly – the photo-sharing website used for editing photos – to be collecting GPS data from mobile phones and sending it to its own servers, irrespective of whether users have allowed or declined the app permission to access location data. “Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and personalized product suggestions, all in accordance with Shutterfly’s privacy policy as well as the Android developer agreement,” the company said in a statement responding to the study clarifying that it only collects GPS data on those that give it permission. In the case of Hong Kong Disneyland, it was found the app used SD card as a covert channel to store phone’ IMEI information. Although 13 apps were found to be exploiting this covert channel to get the IMEI information, these apps were installed more than 17 million times. “The number of potential users impacted by these findings is in the hundreds of millions. These deceptive practices allow developers to access users’ private data without consent, undermining user privacy and giving rise to both legal and ethical concern,” the researchers wrote. “Data protection legislation around the world—including the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) and consumer protection laws, such as the Federal Trade Commission Act—enforce transparency on the data collection, processing, and sharing practices of mobile applications.” The researchers who had reported their findings to Google in September last year say that some of them may be fixed in the upcoming Android Q operating system scheduled to release this year. This means that several older smartphone users who don’t receive the Android Q updates will continue to face the problem leaving their handsets vulnerable. “By uncovering these practices and making our data public, we hope to provide sufficient data and tools for regulators to bring enforcement actions, industry to identify and fix problems before releasing apps, and allow consumers to make informed decisions about the apps that they use,” the researchers said. The researchers suggest that Google should consider these privacy issues as serious security vulnerabilities and need to upgrade the way permissions function.