How Android Apps, Zoom, and Didi Expose Major Security and Privacy Gaps

Recent reports reveal that many Android apps secretly collect location and identifier data despite denied permissions and that a zero‑day Zoom flaw lets any website hijack Mac cameras. Other tech news includes Didi adjusting its pricing and the release of a man who splashed water on Baidu's CEO.

ITPUB

Android apps can collect location and identifier data despite denied permissions

Researchers analyzed more than 1,000 Android applications and discovered that many continue to obtain precise GPS coordinates and phone identifiers even after users explicitly deny the corresponding permissions. The apps achieve this by exploiting side‑channel mechanisms such as the camera permission: when the camera is allowed, the app can capture photos, read the EXIF metadata that contains location information, and then delete the image. Other techniques involve indirect system calls that retrieve location data through network or sensor APIs that are not protected by the permission model.

Key observations:

Over 1,000 apps were identified that harvest location or device identifiers without the LOCATION permission.

The most common bypass uses the CAMERA permission to obtain photos with embedded GPS tags.

Some apps combine allowed permissions (e.g., storage, network) to reconstruct location from Wi‑Fi or cell‑tower data.

These findings highlight a gap in Android’s runtime‑permission framework and demonstrate that denying a permission does not guarantee privacy when other related permissions remain granted.

Zero‑day vulnerability in Zoom for macOS enables website‑initiated video calls

A security researcher disclosed a critical zero‑day flaw in the Zoom client for macOS. The vulnerability allows any website visited on a Mac that has Zoom installed to programmatically start a video call without user interaction, effectively granting the site control over the camera and microphone.

Technical details:

The exploit leverages Zoom’s custom URL scheme (e.g., zoommtg://) that can be invoked from JavaScript without prompting the user.

When the URL is opened, Zoom automatically joins a meeting and activates the video feed.

No additional permissions or user confirmations are required, bypassing macOS’s privacy prompts.

Mitigation recommendations include disabling the Zoom URL scheme, updating to a patched version (once released), or removing Zoom from the system if not needed.

Written by ITPUB
