Jump to content

Major Android vulnerability gives apps access to sensitive data without permission


Recommended Posts

Posted

Sad-Android-Robot110.jpeg

The security of the Android mobile platform has always been a topic of debate. Due to Google’s open ecosystem and less invasive app policing policies, researchers argue that the Google Play marketplace is home to numerous malicious apps. Reports have surfaced over the past few years that claimed even applications from legitimate companies — such as Facebook, Skype and Path — were exploiting Android permissions and secretly accessing data. Paul Brodeur of Leviathan Security had a simple question: what data can an app access when it has no permissions? What he found may be shocking.

Brodeur created a special Android application that explores what data can be harvested from a device when the app has no permissions. The researcher found that his application was able to access the SD card, various system information and unique handset identification data. Access to the SD card provided Brodeur with information to all files that were not hidden, including photos, backups and any external configuration files. He states, however, that “while it’s possible to fetch the contents of all those files, I’ll leave it to someone else to decide what files should be grabbed and which are going to be boring.”

The second slew of information the application was able to access was located in the /data/system/packages.list file, which allowed the software to determine what apps are currently installed on a device. Brodeur was also able to scan each installed application’s directory to determine whether sensitive data could be read and accessed. This feature could be used by malware in an attempt to find apps with weak-permission vulnerabilities.

The last piece of information Brodeur’s application was able to gather regards a handset’s identifiable information. Without the “PHONE_STATE” permission, an application is not able to read the International Mobile Equipment Identity (IMEI) or International Mobile Subscriber Identity (IMSI). With no permissions, however, Brodeur’s app was still able to access the GSM and SIM vendor IDs. The researcher was also able to access the /proc/version pseudofile, which reveals the kernel version, Android ID and name of the custom ROM installed, if there is one.

Brodeur cautions Android users about suspicious applications, claiming any installed app can execute these actions without any user interaction or permissions. The researcher goes on to note that even without an Internet permission, he was able to use something called the URI ACTION_VIEW Intent to open a browser and export any collected data.

The researcher’s application was tested on Android 4.0.3 Ice Cream Sandwich and Android 2.3.5 Gingerbread.

Read

fYg3DGo_3mY

 

View the full article

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.