Rogue Android apps ignore your permissions
You know those Android dialogue boxes that pop up when you first run an app, asking you what permissions you want to give the software? They’re not as useful as we all thought.
The research comes from a team at the University of Calgary, U.C. Berkeley, the IMDEA Networks Institute, the International Computer Science Institute (ICSI) and AppCensus, which offers a searchable database detailing the privacy issues with individual apps. Called “50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System”, the paper spotted dozens of apps circumventing permissions-based protections in Android to get the data they want.
Android apps must ask for permission to access sensitive resources on the phone, like the GPS, the camera, or the user’s contacts data. When you say that an app can’t access your location data, the operating system can prevent it from doing so because it runs the app in its own sandbox. That also stops the app in question interacting with other apps.
The researchers analysed over 88,000 Android apps to see what data they transmitted from the phone, and where they sent it. They ran the test on a variety of Android systems, with the most recent being Android Pie (2018). They matched this against the permissions that the user had granted the app to see if apps were harvesting data that they shouldn’t be. They found dozens of apps transmitting data they shouldn’t have accessed, along with thousands more containing the code to do so. They reverse engineered the code and found two main methods for circumventing permissions protections.
The first is known as a side channel attack. In this context, such attacks happen when sensitive information is available in more than one place on a mobile phone.
For example, apps are meant to request access to the phone’s GPS if they want location data. However, the researchers found apps accessing the MAC addresses of the Wi-Fi base stations that the phone connected to by reading a locally stored, unprotected cache. That gave the apps the location data that they needed.
The second, more insidious attack is known as a covert channel, and it’s a communication from one privileged app to another. One app might be allowed to read the phone’s International Mobile Equipment Identity (IMEI), for example, which is a unique identifier for the phone, and could give that data to another app that wasn’t.
The researchers found software libraries from Baidu and South Korean company Salmonads doing this. They used the SD card to store the phone’s IMEI, making it readable to apps that couldn’t access the data directly from the phone.
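The matching step described above (what an app transmits versus what the user allowed it to access) can be sketched as follows. This is an added example, not the researchers' tooling: the permission map is a simplified assumption, and the device values, app names, hosts and flows are constructed. It also checks hashed and encoded forms of each identifier, which goes beyond what the article describes.

```python
import base64
import hashlib

LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
# Assumed, simplified map: data type -> permissions that legitimately expose it.
GUARDS = {
    "imei": {"android.permission.READ_PHONE_STATE"},
    "router_mac": LOCATION,  # the article treats the router MAC as a location proxy
}

def encodings(value):
    """Plain, case-folded, hex, base64 and hashed forms of one identifier."""
    raw = value.encode()
    digests = {hashlib.new(h, raw).hexdigest() for h in ("md5", "sha1", "sha256")}
    return {value, value.lower(), value.upper(), raw.hex(),
            base64.b64encode(raw).decode()} | digests

def find_leaks(device, flows, granted):
    """Return (app, data_type, destination) for data sent without its permission."""
    findings = set()
    for flow in flows:
        held = granted.get(flow["app"], set())
        for dtype, value in device.items():
            seen = any(form in flow["payload"] for form in encodings(value))
            if seen and not GUARDS[dtype] & held:
                findings.add((flow["app"], dtype, flow["dest"]))
    return sorted(findings)

# Constructed test-device values and captured flows (not data from the paper).
DEVICE = {"imei": "490154203237518", "router_mac": "02:00:5E:10:00:01"}
GRANTED = {
    "com.example.dialer": {"android.permission.READ_PHONE_STATE"},
    "com.example.flashlight": set(),
    "com.example.weather": {"android.permission.INTERNET"},
}
FLOWS = [
    {"app": "com.example.dialer", "dest": "api.example.net",
     "payload": "device=490154203237518"},
    {"app": "com.example.flashlight", "dest": "ads.example.net",
     "payload": "uid=" + hashlib.md5(b"490154203237518").hexdigest()},
    {"app": "com.example.weather", "dest": "geo.example.net",
     "payload": "bssid=02:00:5e:10:00:01&city=unknown"},
]

if __name__ == "__main__":
    for app, dtype, dest in find_leaks(DEVICE, FLOWS, GRANTED):
        print(f"{app} sent {dtype} to {dest} without a guarding permission")
```

A finding here means only that the value left the device without the guarding permission; it does not say whether the app got it through a side channel or a covert channel.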