Wednesday, April 11, 2012

What Information Can an Android App with No Permissions Access?

Confused AndroidIt’s always a good idea to check the requested permissions when installing an application on your Android phone.

By doing so, you could potentially spot a malicious application before allowing it to sink its teeth into your smartphone and all of the juicy information stored on it.

Aside from smartphone malware, strange permission requests can also hint at the possibility of an app having the potential to stick its nose where it doesn’t belong. An example of that would be when Facebook was accused of using its Android app to spy on user’s text messages. (More on that here.)

But with that comes another question: what can an app with no permissions do?

Surprisingly, Paul Brodeur of Leviathan Security discovered that an app without permissions can pull a list of all non-hidden files on the SD Card, determine what apps are installed on a device (and check if sensitive data can be read from their associated directories), and grab unique identification information about that device.

Brodeur was able to pull the above information after creating a proof-of-concept app, “No Permissions” and testing it against Android 4.0.3 and Android 2.3.5.

In his Monday blog post, Brodeur warned that a good amount of data (photos, backups and any external configuration files) is stored on the SD Card, all of which can be fetched by his permission-less app, which is the perfect scenario for any data-hungry attacker.

Not only that, but with the no-permission app being able to see what apps are installed and see what sensitive data can be read, Brodeur suggested that such a feature can be used to check for apps that have weak permission vulnerabilities that are prime for exploitation.

And although the phone’s IMEI / IMSI are out of reach, Brodeur was able to collect the GSM & SIM vendor ID, along with a file containing the kernel version or custom ROM name (if applicable) and Android ID using his proof-of-concept app.

Of course, how could ANY of the collected data leave the phone without internet permissions?

Well, the URI ACTION_VIEW Intent network call doesn’t require permissions and can be used to open a browser, at which point the data can be passed via GET parameters in a URI. This can be done even if the permission-less app is not in focus (aka not the active app). Sneaky, sneaky.

As always, be careful what applications you install on your smartphone.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

No comments:

Post a Comment