A security researcher has developed an application that demonstrates how sensitive data can be stolen from Android phones without user permission.
The application can access contents of a phone's SD card, tap into app data and upload sensitive data without requiring permissions- access rights to phone contacts, data and communications.
“It's trivial for any installed app to execute these actions without any user interaction,” Leviathan Security consultant Paul Brodeur said in a blog post.
The No Permissions application contained three buttons that demonstrated the weaknesses in the permission system. One button could return a list of visible files stored on a phone's SD card such as photos, backups and configuration. Using the app Brodeur found OpenVPN certificates on his storage card.
The steal app data function exposed installed application data by retrieving a packages.list file. Further inspection revealed sensitive data which those applications may access, and potential vulnerabilities in those apps.
“When testing on a real device, I am able to read some files belonging to other apps. This feature could be used to find apps with weak-permission vulnerabilities.”
The app also harvested identifiable device information including the GSM & SIM vendor IDs, kernel version and possibly the type of custom ROM installed, and the fixed 64-bit Android ID number. It could not read the device IMEI or IMSI numbers without requesting the 'phone state' permission.
The third button allowed data to be uploaded to the internet by bypassing network restrictions using the call 'intent action view' which opened a web browser.
“In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls.”
Brodeur's work builds on and demonstrates previous research into lax Android permissions. Last year viaForensics built an app that could allow a remote shell to be installed on Android phones. From there attackers could execute commands remotely.
Research and development chief Thomas Cannon said while the permissions system was “a fantastic idea” that was “generally well implemented” he said it lulled users into a false sense of security.
“There are multiple controls in Android and its ecosystem that protect a user and their device, but one should not automatically assume that installing an app, even if it requires no permissions, is safe,” Cannon wrote in a blog post.
A team of security researchers at Defcon 18 in 2010 had also detailed weaknesses in the permission system (pdf).
Brodeur's application can be downloaded as an apk installation file and in source code.
Copyright © SC Magazine, Australia
Issue: 347 | March 2016