When you explicitly tell an Android app, “No, you don’t have permission to track my phone,” you probably expect that it won’t have abilities that let it do that. But researchers say that thousands of apps have found ways to cheat Android’s permissions system, phoning home your device’s unique identifier and enough data to potentially reveal your location as well.

Even if you say “no” to one app when it asks for permission to see those personally identifying bits of data, it might not be enough: a second app with permissions you have approved can share those bits with the other one or leave them in shared storage where another app — potentially even a malicious one — can read it. The two apps might not seem related, but researchers say that because they’re built using the same software development kits (SDK), they can access that data, and there’s evidence that the SDK owners are receiving it. It’s like a kid asking for dessert who gets told “no” by one parent, so they ask the other parent.

According to a study presented at PrivacyCon 2019, we’re talking about apps from the likes of Samsung and Disney that have been downloaded hundreds of millions of times. They use SDKs built by Chinese search giant Baidu and an analytics firm called Salmonads that could pass your data from one app to another (and to their servers) by storing it locally on your phone first. Researchers saw that some apps using the Baidu SDK may be attempting to quietly obtain this data for their own use.

Covert channels and side channels

That’s in addition to a number of side channel vulnerabilities the team found, some of which can send home the unique MAC addresses of your networking chip and router, wireless access point, its SSID, and more. “It’s pretty well-known now that’s a pretty good surrogate for location data,” said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), when presenting the study at PrivacyCon.

The study also singles out photo app Shutterfly for sending actual GPS coordinates back to its servers without getting permission to track locations — by harvesting that data from your photos’ EXIF metadata — though the company denied that it gathers that data without permission in a statement to CNET.

There are fixes coming for some of these issues in Android Q, according to the researchers, who say they notified Google about the vulnerabilities last September. (They point to this official Google page.) Yet, that may not help the many current-generation Android phones that won’t get the Android Q update. (As of May, only 10.4 percent of Android devices had the latest Android P installed, and over 60 percent were still running on the nearly three-year-old Android N.)

The researchers think that Google should do more, possibly rolling out hotfixes within security updates in the meantime because it shouldn’t just be newer phone buyers who get protection. “Google is publicly claiming that privacy should not be a luxury good, but that very well appears to be what’s happening here,” said Egelman.

Google declined to comment on the specific vulnerabilities, but it confirmed to The Verge that Android Q will hide geolocation info from photo apps by default, and it will require photo apps to tell the Play Store whether they’re capable of accessing location metadata.