As many as 1,325 Android apps access your location data and other information without permission

“Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it. If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless.” -Serge Egelman, director of usable security and privacy research, ICSI
Other apps scoop up personal information from apps that have received permission to obtain it. An app that was denied permission reads the personal information from unprotected files on an SD card, where it was stored by another app that had been granted permission to collect it. While the report says that only 13 Android apps used this technique to steal personal data, these apps were installed over 17 million times and include Baidu’s Hong Kong Disneyland park app. A total of 153 apps are capable of doing this, including Samsung’s Health and Browser apps, which are installed on over 500 million devices. Among the personal data that can be stolen with this method is a handset’s unique IMEI number.

Other apps connect to a user’s Wi-Fi network to steal location data. These apps obtain the MAC address that can identify the network adapter in Wi-Fi devices. The report notes that apps used as smart remote controls often do this even though there is no legitimate reason for them to have a user’s location data.
The names of the 1,325 Android apps that steal personal data will be made public next month
As an example of how these workarounds are used in real life, the report noted that image publishing app Shutterfly took GPS coordinates from photos and sent that data to its servers even if the user didn’t grant the app permission to obtain his location data. A spokeswoman for the app denied this and said that it collects location data only with a user’s permission.
“Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and personalized product suggestions, all in accordance with Shutterfly’s privacy policy as well as the Android developer agreement.” -Shutterfly
Egelman says that he will reveal the names of the 1,325 Android apps that collected personal data without permission. This will happen next month when he presents the report again, this time at the Usenix Security conference.