Android has long been criticized as insecure, thanks in large part to the mobile operating system’s open-source platform and history of lax app policing.
But now it appears that apps with no permissions are still able to access sensitive personal information. Leviathan Security Group researcher Paul Brodeur explained in a blog post earlier this week that he created a proof-of-concept to demonstrate that “no permissions” apps still have access to the device’s SD card, handset identification data, and files stored by other apps.
On the SD card, Brodeur’s app yielded a list of all non-hidden files, including photos, backups, and external configuration files. Brodeur said he found that OpenVPN certificates were stored on his own device’s SD card.
“While it’s possible to fetch the contents of all those files, I’ll leave it to someone else to decide what files should be grabbed and which are going to be boring,” he said.
He then fetched the /data/system/packages.list file to which apps were installed on the device and scanned the directories to determine whether sensitive information could be read from those directories. He said during testing that he was able to read some files belonging to other apps. “This feature could be used to find apps with weak-permission vulnerabilities, such as those that were reported in Skype last year,” he said.
Lastly, Brodeur’s app was able to gather the handset’s identification information. Without the “PHONE_STATE” permission, applications can’t read the device’s International Mobile Equipment Identity or International Mobile Subscriber Identity. However, the Global System for Mobile Communications information and SIM vendor IDs could still be read.
“Though this app uses buttons to activate the three different actions detailed above, it’s trivial for any installed app to execute these actions without any user interaction,” he wrote.
Brodeur said he tested the app on Android 4.0.3 Ice Cream Sandwich and Android 2.3.5 Gingerbread.