No Permission Needed: What Android Lets Apps Get Away With


Android security is heavily focused on app permissions, using a modular system of rights to let users know just what kind of access they’re granting to an app they install. Admittedly, most of us tend to breeze through that list of permissions for most apps, and only really give it a second consideration when we already have cause to be concerned about an app’s intentions. Some new research to come to light raises the question of just what these permissions aren’t covering. That is, what shenanigans could a malicious app get into even when it doesn’t request any permissions at all?

The common-sense assumption would be that a zero-permission app would be cut off from the world, not able to interact with data from other apps, and certainly not able to transmit data over the internet. As it turns out, though, there’s quite a bit you can get away with without needing any user-granted permissions.

Security researcher Thomas Cannon cooked up an app without any permissions to see just what information Android phones make available. His app could access the directory structure of the phone’s SD card, as well as read the files themselves. That data can give a lot of clues about what other apps are installed, but there’s an even more direct way to access that information, and again, it can be done without even one permission.

While Android security prevents apps like this from getting personally identifying information like the phone’s IMEI number, they can still learn a lot about your phone, including any custom ROM you might happen to be running.

The good news is that this data is mostly of little consequence to attackers, with the exception of what’s revealed by that SD card access, depending on just what you have stored there. The bad news is that even without internet permissions, it’s still possible for an app to ferry data off your phone using custom-formed URLs passed to the Android browser. These issues persist across multiple Android branches, affecting both Gingerbread and Ice Cream Sandwich builds.

Source: Leviathan

Via: BGR

About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits