At PrivacyCon 2019 a study was shared in which Android applications are track a user’s position/location even when the specific apps have been denied permissions by the user. The Verge’s article breaks down one way apps with insufficient permissions can still access location data:
“A second app with permissions you have approved can share those bits with the other one or leave them in shared storage where another app — potentially even a malicious one — can read it. “
The Verge
The study is worth a read through as it points out how “companies getting the MAC addresses of the connected WiFi base stations from the ARP cache” as well as one app, Shutterfly, that “used picture metadata as a side channel to access precise location information despite not holding location permissions.” The study goes on to specify, “While this app may not be intending to circumvent the permission system, this technique can be exploited by a malicious actor to gain access to the user’s location.”
cybersqueeze 