"No-permission" Android apps can access potentially sensitive data on your phone
The bigger problem isn't malicious exploitation, but rather that app developers are "sloppy"
Don't install apps that require too many permissions, and report any suspicious activity
Editor’s Note: Amy Gahran writes about mobile tech for CNN.com. She is a San Francisco Bay Area writer and media consultant whose blog, Contentious.com, explores how people communicate in the online age.
Savvy Android users tend to be wary of installing apps that request seemingly unnecessary permissions. When an app wants access to data or functions on your phone, such as your contacts list or the ability to send text messages, it can signal potential security or malware risks.
But Android apps that request no permissions at all (such as this Magic 8 ball app) are generally considered pretty free of security risks.
But are they?
Earlier this month, a test conducted by the Leviathan Security Group showed that even “no-permissions” Android apps can access potentially sensitive data on your phone – and transmit that data elsewhere via your phone’s Web browser.
Specifically, Paul Brodeur of Leviathan created a test app that requested no permissions and installed it on some Android devices. He was able to scan the phone’s memory card (SD card) and display a list of all non-hidden files on it.
“While it’s possible to fetch the contents of all those files, I’ll leave it to someone else to decide what files should be grabbed and which are going to be boring,” he wrote.
He also could see which apps were installed on the phone, and list some files belonging to those apps. He observed that this might allow nefarious people to find and exploit permission-related vulnerabilities in certain apps. Last year the Skype Android app presented this kind of problem. (Skype fixed that problem.)
And for phones that operate on GSM cell networks (in the U.S., that’s AT&T and T-Mobile), Leviathan’s test app was able to read identifying information about the phone from the SIM card, plus some other information.
Finally, since no-permissions apps can launch the phone’s Web browser, that provides a potential route to transmit some data from the phone.
While Brodeur’s test app was designed to seek out such security lapses. “It’s trivial for any installed app to execute these actions without any user interaction,” he wrote.
While this may sound worrying, don’t panic. What Leviathan discovered probably should concern Android app developers and Google, rather than consumers who use Android phones and tablets.
“What this research found is really little cracks in Android – not great big security holes you could drive a truck through,” said Kevin Mahaffey, co-founder and chief technical officer of Lookout Mobile Security, a leading provider of security apps and services for Android devices. “That’s why this kind of research is so valuable – it ultimately helps make Android more secure.”
According to Mahaffey, the bigger problem is not that people might maliciously exploit these security cracks to steal from users or compromise their phones – but rather that many app developers are “sloppy.”
For instance, developers sometimes build apps that store user data (such as usernames and passwords) in ways that could be easily accessed through the security cracks Leviathan found. Or the app might open the phone’s Web browser to allow functionality that could be handled other ways.
For instance, TheVerge.com reported that the photo gallery that comes pre-installed on Android phones by Samsung, LG, and some other manufacturers stores unencrypted copies of complete addresses associated with photos. They found in a completely unencrypted file “a list of locations which matched those of our home, work, family, significant other, friends, and even holiday destinations.”
These were not GPS coordinates, but rather full addresses: door number, street, town, zip code, and country. TheVerge noted that this address data apparently was generated by Picasa Web Albums. Google acquired Picasa in 2004.
“There is no reason for the application to be caching locations of private photos completely unencrypted,” wrote Aaron Souppouris for The Verge. “This was information that we’d never given Google, either on a phone or within Picasa. To make matters worse, Picasa Web-Album syncing had been switched off a week before the information was found.”
There’s not a lot that the average consumer can do in terms of spotting whether apps are storing unnecessary data in insecure ways.
The best practice is still to notice which permissions apps require before installing them, don’t install apps that seem to require too many permissions, and report to the developer any suspicious activity by an app.
If the developer is not responsive or seems evasive or shady when you report suspicious app behavior, Mahaffey advises alerting Google’s Android security team by sending an e-mail to firstname.lastname@example.org.
“That channel is mainly used by developers, but it’s worth letting them know if you have concerns about an app and you aren’t getting useful responses from the developer,” he said.
The opinions expressed in this post are solely those of Amy Gahran.