The security of the Android mobile platform has always been a topic of debate. Due to Google’s open ecosystem and less invasive app policing policies, researchers argue that the Google Play marketplace is home to numerous malicious apps. Reports have surfaced over the past few years that claimed even applications from legitimate companies — such as Facebook, Skype and Path — were exploiting Android permissions and secretly accessing data. Paul Brodeur of Leviathan Security had a simple question: what data can an app access when it has no permissions? What he found may be shocking.
Brodeur created a special Android application that explores what data can be harvested from a device when the app has no permissions. The researcher found that his application was able to access the SD card, various system information and unique handset identification data. Access to the SD card provided Brodeur with information to all files that were not hidden, including photos, backups and any external configuration files. He states, however, that “while it’s possible to fetch the contents of all those files, I’ll leave it to someone else to decide what files should be grabbed and which are going to be boring.”
The second slew of information the application was able to access was located in the /data/system/packages.list file, which allowed the software to determine what apps are currently installed on a device. Brodeur was also able to scan each installed application’s directory to determine whether sensitive data could be read and accessed. This feature could be used by malware in an attempt to find apps with weak-permission vulnerabilities.
The last piece of information Brodeur’s application was able to gather regards a handset’s identifiable information. Without the “PHONE_STATE” permission, an application is not able to read the International Mobile Equipment Identity (IMEI) or International Mobile Subscriber Identity (IMSI). With no permissions, however, Brodeur’s app was still able to access the GSM and SIM vendor IDs. The researcher was also able to access the /proc/version pseudofile, which reveals the kernel version, Android ID and name of the custom ROM installed, if there is one.
Brodeur cautions Android users about suspicious applications, claiming any installed app can execute these actions without any user interaction or permissions. The researcher goes on to note that even without an Internet permission, he was able to use something called the URI ACTION_VIEW Intent to open a browser and export any collected data.
The researcher’s application was tested on Android 4.0.3 Ice Cream Sandwich and Android 2.3.5 Gingerbread.