A Case Study of Intra-library Privacy Issues on Android GPS Navigation Apps

TL;DR

This study investigates privacy risks in Android GPS navigation apps, revealing how they access and potentially leak personal data, including intra-library collusion issues that could be exploited without user consent.

Contribution

It provides an analysis of privacy vulnerabilities in GPS apps, highlighting intra-library collusion and data leakage risks in the Android ecosystem.

Findings

GPS apps access multiple device data types

Apps may leak personal data to third parties

Intra-library collusion can be exploited for data gathering

Abstract

The Android unrestricted application market, being of open source nature, has made it a popular platform for third-party applications reaching millions of smart devices in the world. This tremendous increase in applications with an extensive API that includes access to phone hardware, settings, and user data raises concerns regarding users privacy, as the information collected from the apps could be used for profiling purposes. In this respect, this paper focuses on the geolocation data and analyses five GPS applications to identify the privacy risks if no appropriate safeguards are present. Our results show that GPS navigation apps have access to several types of device data, while they may allow for personal data leakage towards third parties such as library providers or tracking services without providing adequate or precise information to the users. Moreover, as they are using third-party libraries, they suffer from the intra-library collusion issue, that could be exploited from advertising and analytics companies through apps and gather large amount of personal information without the explicit consent of the user.