Android concept app exposes sensitive data

By Darren Pauli on Apr 12, 2012 7:51 AM
Filed under Security

Application bypasses permissions to steal SD and app data.

A security researcher has developed an application that demonstrates how sensitive data can be stolen from Android phones without user permission.

The application can read the contents of a phone's SD card, tap into other apps' data and upload sensitive data to the internet, all without requesting any permissions: the access rights to phone contacts, data and communications that apps normally have to declare.

The No Permissions app

“It's trivial for any installed app to execute these actions without any user interaction,” Leviathan Security consultant Paul Brodeur said in a blog post.

The No Permissions application contained three buttons, each demonstrating a weakness in the permission system. The first returned a list of the visible files stored on the phone's SD card, such as photos, backups and configuration files. Using the app, Brodeur found OpenVPN certificates on his own storage card.

The "steal app data" function exposed which applications were installed by retrieving the packages.list file. Further inspection revealed the sensitive data those applications may hold, and potential vulnerabilities in the apps themselves.

“When testing on a real device, I am able to read some files belonging to other apps. This feature could be used to find apps with weak-permission vulnerabilities.”
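The two weaknesses described above (files dropped on the shared SD card, and app files that any UID can open) come down to where and with what mode an app writes its data. The following is an added example, not code from the article or from Brodeur's app: a hypothetical Android `CredentialStore` class showing the two weak storage patterns beside the hardened one, plus an audit check an app's own tests can run on a device. The file name, class name and the `ctx` parameter are assumptions.

```java
// Added example (not from the article or the No Permissions app): how an
// Android app leaves a sensitive file readable by every other installed app,
// and the hardened equivalent. Class and file names are hypothetical.
import android.content.Context;
import android.os.Environment;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public class CredentialStore {
    private static final String FILE_NAME = "vpn_client.ovpn"; // hypothetical

    // WEAK: external storage (the "SD card") is a shared area. On the Android
    // versions the article discusses any app can list and read it without
    // declaring a single permission, which is what the "list SD card" button
    // relied on to find OpenVPN certificates.
    public static File saveToExternalStorage(byte[] secret) throws IOException {
        File out = new File(Environment.getExternalStorageDirectory(), FILE_NAME);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(secret);
        }
        return out;
    }

    // WEAK: internal storage, but the legacy MODE_WORLD_READABLE flag sets the
    // "other" read bit, so any UID can open the file. This is the
    // "weak-permission vulnerability" class the "steal app data" button looked
    // for. The flag was deprecated in API 17 and throws SecurityException from
    // API 24 (Android 7) onwards.
    @SuppressWarnings("deprecation")
    public static void saveWorldReadable(Context ctx, byte[] secret) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput(FILE_NAME, Context.MODE_WORLD_READABLE)) {
            fos.write(secret);
        }
    }

    // HARDENED: app-private internal storage. The file is created under
    // /data/data/<package>/files/ owned by this app's UID with no group or
    // other bits, so another app cannot open it whatever permissions it holds.
    public static File savePrivate(Context ctx, byte[] secret) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            fos.write(secret);
        }
        return new File(ctx.getFilesDir(), FILE_NAME);
    }

    // Audit check (API 21+): true if the file's POSIX "other" read bit is set.
    // File.canRead() only answers for the calling UID, so stat the mode bits
    // directly. Useful as a guard in an app's own instrumentation tests.
    public static boolean isReadableByOtherApps(File f) throws ErrnoException {
        StructStat st = Os.stat(f.getAbsolutePath());
        return (st.st_mode & OsConstants.S_IROTH) != 0;
    }
}
```

On a device, `isReadableByOtherApps(savePrivate(ctx, secret))` should return false, while a file written by either of the weak methods (where the platform still allows them) returns true. The external-storage case is the one to watch even on modern Android: scoped storage narrows what other apps can see, but anything placed in a shared media directory is still shared by design.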

The app also harvested identifiable device information: the GSM and SIM vendor IDs, the kernel version (and with it, possibly, which custom ROM was installed) and the fixed 64-bit Android ID. It could not read the device's IMEI or IMSI without requesting the 'phone state' permission.

The third button uploaded data to the internet despite the app holding no network permission: it issued an 'intent action view' (ACTION_VIEW) call, which opened the web browser and so sidestepped the restriction.

“In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls.”

Brodeur's work builds on, and demonstrates, earlier research into lax Android permissions. Last year viaForensics built an app that allowed a remote shell to be installed on an Android phone, from which attackers could execute commands remotely.

Research and development chief Thomas Cannon said that while the permissions system was "a fantastic idea" that was "generally well implemented", it lulled users into a false sense of security.

“There are multiple controls in Android and its ecosystem that protect a user and their device, but one should not automatically assume that installing an app, even if it requires no permissions, is safe,” Cannon wrote in a blog post.

A team of security researchers at Defcon 18 in 2010 had also detailed weaknesses in the permission system (pdf).

Brodeur's application is available for download both as an .apk installation file and as source code.


Copyright © SC Magazine, Australia
