When it works, Android’s app permissions are awesome.

They’re straightforward and easy to understand.

When you install a new app on your phone, you’ll get a popup box that gives you a summary of what permissions the app says it needs. Then, you have the option to either accept or deny it that permission.

Sometimes, the app winds up working fine, even if you deny it the permission.  But sometimes (like in the case of a map or direction app where you don’t allow it access to geolocation data), it won’t work at all.  By and large though, the system works as intended and it gives you a fair amount of control over which apps have what permissions.

Unfortunately, things are not always as they seem.  Researchers from UC Berkeley’s International Computer Science Institute recently tested 88,000 apps from the Google Play Store. They found 1,325 instances where apps continued to collect information even after users denied them the permission to do so.

The researchers had this to say about their findings:

“Modern smartphone platforms implement permission-based models to protect access to sensitive data and system resources.  However, apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels.

Side channels present in the implementation of the permission system allow apps to access protected data and system resources without permission, whereas covert channels enable communication between two colluding apps, so that one app can share its permission-protected data with another app lacking those permissions.”

To cite one example, the researchers discovered that the photo sharing website Shutterfly (which is commonly used for sharing and editing photos) collects GPS data from mobile phones and sends it to its own servers. That is even if users have declined the app permission to access location data.

The report estimates that based on the number of apps found to be circumventing permissions, the number of users being impacted are likely in the hundreds of millions. Even worse, there are no easy fixes for this problem.  Be aware then, that the apps you’re using are likely collecting more data about you than you realize, even if you’ve told them not to.