No-Permission Apps Can Still Steal Sensitive Information from Android Users (Reuters)

Users should be warned to check an app's requested permissions before installing it on a smartphone or tablet running the Android OS. The permission list tells the user which parts of the device (and which of the user's information) the developer could access, and should help the user decide whether or not to install the app.

The warning comes after a security firm, Leviathan Security, discovered that an Android app granted no permissions at all could still read personal user information. This means Android apps can pose a threat to sensitive information even when their permission list is empty. A proof-of-concept was created by Paul Brodeur, a researcher at Leviathan.

According to the company, there are three types of information that could be accessed.

Firstly, the app can access the user's SD card. The app will scan the directory and return folders containing photos, back-ups and external configuration files. Moreover, Brodeur found OpenVPN certificates were stored on his device's SD card.

The researcher could then fetch the list of installed apps and scan each app's data directory to determine whether personal data could be read from it.

"I am able to read the app's own directory, but when testing on a real device, I can read some files which belonged to other apps," said Brodeur, adding, "This feature could be used to find apps with weak-permission vulnerabilities, such as those that were reported in Skype in 2011."
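The weak-permission problem Brodeur describes is a classic Unix file-mode issue: an app's private files are only private if neither the file nor any directory above it is readable or searchable by other users (each Android app runs under its own uid). The audit below is an added example, not code from the article or from Leviathan's proof of concept; it parses a constructed `ls -lR` style listing of a `/data/data` tree (the package names, uids and modes are made up for illustration) and reports only the files that another app could actually reach, which is a stricter check than flagging every world-readable mode bit.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# Constructed sample listing in the shape of Android's `ls -lR` output.
# Directory entries carry no size column; file entries do. All names,
# uids and modes here are invented for the example.
SAMPLE_LISTING = """\
/data/data:
drwxr-x--x u0_a45 u0_a45 2012-04-20 10:00 com.example.victim
drwx------ u0_a46 u0_a46 2012-04-20 10:00 com.example.tidy

/data/data/com.example.victim:
drwxrwx--x u0_a45 u0_a45 2012-04-20 10:01 shared_prefs
drwxrwx--- u0_a45 u0_a45 2012-04-20 10:01 databases

/data/data/com.example.victim/shared_prefs:
-rw-rw-rw- u0_a45 u0_a45 512 2012-04-20 10:01 account.xml
-rw-rw---- u0_a45 u0_a45 96 2012-04-20 10:01 ui_state.xml

/data/data/com.example.victim/databases:
-rw-rw-rw- u0_a45 u0_a45 20480 2012-04-20 10:02 main.db

/data/data/com.example.tidy:
drwxrwx--x u0_a46 u0_a46 2012-04-20 10:03 files

/data/data/com.example.tidy/files:
-rw-rw-rw- u0_a46 u0_a46 64 2012-04-20 10:03 token.txt
"""

# mode, owner, group, optional size, date, time, name
ENTRY_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<name>.+)$"
)


@dataclass
class FileEntry:
    path: str
    owner: str
    world_readable: bool
    world_writable: bool


def parse_listing(listing: str) -> Tuple[List[FileEntry], Dict[str, str]]:
    """Return regular files plus a map of directory path -> mode string."""
    files: List[FileEntry] = []
    dir_modes: Dict[str, str] = {}
    current_dir = ""
    for raw in listing.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("/") and line.endswith(":"):
            current_dir = line[:-1]          # "/path:" header of the next block
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        mode = m.group("mode")
        path = f"{current_dir}/{m.group('name')}"
        if mode[0] == "d":
            dir_modes[path] = mode
        elif mode[0] == "-":
            # mode[7:10] are the "other" bits: r, w, x for every other uid
            files.append(FileEntry(path, m.group("owner"),
                                   mode[7] == "r", mode[8] == "w"))
    return files, dir_modes


def weak_permission_files(listing: str) -> List[FileEntry]:
    """Files whose own mode grants read or write to any other uid."""
    files, _ = parse_listing(listing)
    return [f for f in files if f.world_readable or f.world_writable]


def exposed_files(listing: str) -> List[FileEntry]:
    """Weak-permission files that another uid can also reach, i.e. every
    listed ancestor directory has the world-execute (search) bit set.
    Ancestors not present in the listing are assumed traversable."""
    files, dir_modes = parse_listing(listing)
    exposed = []
    for f in files:
        if not (f.world_readable or f.world_writable):
            continue
        ancestors = (str(p) for p in PurePosixPath(f.path).parents)
        if all(dir_modes.get(a, "d---------")[9] == "x" or a not in dir_modes
               for a in ancestors):
            exposed.append(f)
    return exposed


if __name__ == "__main__":
    for entry in exposed_files(SAMPLE_LISTING):
        print(f"REACHABLE {entry.path} (owner {entry.owner}, "
              f"r={entry.world_readable} w={entry.world_writable})")
```

In the sample, `main.db` and `token.txt` both carry world-readable modes but sit under directories that other uids cannot search, so only `account.xml` is reported as reachable; this distinction matters when triaging results from a real device, where `ls -lR` on `/data/data` would be run through `adb shell` on a test handset.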

Finally, it was possible to grab identifying information about the device. Without the PHONE_STATE permission it is not possible to read the International Mobile Equipment Identity (IMEI) or the International Mobile Subscriber Identity (IMSI), but the Global System for Mobile Communications (GSM) and Subscriber Identity Module (SIM) vendor IDs could still be read.

In addition, the /proc/version pseudofile and the Android ID could still be read. Even without the INTERNET permission, attackers can send the data off the device by using an ACTION_VIEW intent with a URI, which opens the browser.

"In my tests, I found that the app is capable of launching the browser even after it has lost focus, allowing for the transfer of large amounts of information by creating successive browser calls," said Paul Brodeur.
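Because the browser, not the app, performs the network request, this channel leaves no trace in the app's own network activity, but every launch does appear in the system log as an ActivityManager `START` line for an `android.intent.action.VIEW` intent. The detector below is an added example, not code from the article or from Leviathan; it works over a constructed logcat excerpt (the exact `START` line layout is assumed from Android 4.x-era logs, and the pid-to-package and declared-permission tables would in practice come from `ps` and each app's manifest). It flags an app that declares no INTERNET permission yet fires a burst of browser launches in a short window, and sums the query-string characters those launches carried.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed logcat excerpt. Hosts, pids and payloads are invented;
# three rapid launches from pid 2345 model the "successive browser calls".
SAMPLE_LOGCAT = """\
04-20 10:05:01.100 I/ActivityManager(  312): START {act=android.intent.action.VIEW dat=http://collector.invalid/c?d=QUJDREVG cmp=com.android.browser/.BrowserActivity} from pid 2345
04-20 10:05:01.600 I/ActivityManager(  312): START {act=android.intent.action.VIEW dat=http://collector.invalid/c?d=R0hJSktM cmp=com.android.browser/.BrowserActivity} from pid 2345
04-20 10:05:02.100 I/ActivityManager(  312): START {act=android.intent.action.VIEW dat=http://collector.invalid/c?d=TU5PUFFS cmp=com.android.browser/.BrowserActivity} from pid 2345
04-20 10:09:30.000 I/ActivityManager(  312): START {act=android.intent.action.VIEW dat=http://news.example/article cmp=com.android.browser/.BrowserActivity} from pid 2401
"""

# Assumed lookup tables (normally built from `ps` and the apps' manifests).
PID_TO_PACKAGE: Dict[int, str] = {2345: "com.example.nopermapp", 2401: "com.example.reader"}
DECLARED_PERMISSIONS: Dict[str, Set[str]] = {
    "com.example.nopermapp": set(),                         # declares nothing
    "com.example.reader": {"android.permission.INTERNET"},  # may use the network itself
}

START_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+[A-Z]/ActivityManager\(\s*\d+\):\s+"
    r"START \{act=android\.intent\.action\.VIEW dat=(?P<url>\S+).*\} from pid (?P<pid>\d+)$"
)


def parse_view_launches(logcat: str):
    """Yield (timestamp, pid, url) for every browser-bound VIEW intent."""
    events = []
    for line in logcat.splitlines():
        m = START_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m-%d %H:%M:%S.%f")  # year-less logcat stamp
        events.append((ts, int(m.group("pid")), m.group("url")))
    return events


def detect_browser_exfil(logcat: str, pid_to_package: Dict[int, str],
                         declared: Dict[str, Set[str]],
                         burst: int = 3, window_s: float = 5.0) -> List[dict]:
    """Alert on apps without INTERNET that launch the browser `burst` or
    more times within `window_s` seconds."""
    per_pkg = defaultdict(list)
    for ts, pid, url in parse_view_launches(logcat):
        per_pkg[pid_to_package.get(pid, f"pid:{pid}")].append((ts, url))

    alerts = []
    for pkg, launches in per_pkg.items():
        if "android.permission.INTERNET" in declared.get(pkg, set()):
            continue  # the app could talk to the network directly; no covert channel needed
        launches.sort()
        max_burst = 0
        for i in range(len(launches)):  # sliding window over sorted launch times
            j = i
            while j < len(launches) and (launches[j][0] - launches[i][0]).total_seconds() <= window_s:
                j += 1
            max_burst = max(max_burst, j - i)
        if max_burst >= burst:
            alerts.append({
                "package": pkg,
                "launches": len(launches),
                "max_burst": max_burst,
                "payload_chars": sum(len(urlsplit(u).query) for _, u in launches),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_browser_exfil(SAMPLE_LOGCAT, PID_TO_PACKAGE, DECLARED_PERMISSIONS):
        print(f"ALERT {a['package']}: {a['launches']} browser launches, "
              f"burst of {a['max_burst']}, {a['payload_chars']} query chars")
```

The reader app with a single, legitimate browser launch is left alone; the threshold and window are tunable, and a single launch carrying an unusually long query string would be a reasonable second rule on top of the burst count.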