Android security is heavily focused on app permissions, using a modular system of rights to let users know just what kind of access they’re granting to an app they install. Admittedly, most of us tend to breeze through that list of permissions for most apps, and only really give it a second consideration when we already have cause to be concerned about an app’s intentions. Newly published research raises the question of just what these permissions aren’t covering. That is, what shenanigans could a malicious app get into even when it doesn’t request any permissions at all?
The common-sense assumption would be that a zero-permission app would be cut off from the world, not able to interact with data from other apps, and certainly not able to transmit data over the internet. As it turns out, though, there’s quite a bit you can get away with without needing any user-granted permissions.
Security researcher Thomas Cannon cooked up an app without any permissions to see just what information Android phones make available. His app could access the directory structure of the phone’s SD card and read the files themselves. That data can give a lot of clues about what other apps are installed, but there’s an even more direct way to access that information, and again, it can be done without even one permission.
While Android security prevents apps like this from getting personally identifying information like the phone’s IMEI number, they can still learn a lot about your phone, including any custom ROM you might happen to be running.
The good news is that this data is mostly of little consequence to attackers, with the exception of what’s revealed by that SD card access, depending on just what you have stored there. The bad news is that even without internet permissions, it’s still possible for an app to ferry data off your phone using custom-formed URLs passed to the Android browser. These issues persist across multiple Android branches, affecting both Gingerbread and Ice Cream Sandwich builds.