The latest in the never-ending story of Android security is out, and this time it's talking about what an app can access if it declares no permissions. (To put it another way, what all an application can see if it doesn't request any of the normal functionality apps request.) Some folks make it out to be nothing to worry about, others use it in their quest to damnify the world's most popular mobile phone OS, but we figure the best thing to do with it is explain what's happening.
A group of security researchers set out to create an app that declares no permissions to find out exactly what sort of information they could get out of from the Android system it was running on. This sort of thing is done every day, and the more popular the target is, the more people are looking at it. We actually want them to do this sort of thing, and from time to time folks find things that are critical and need fixed. Everybody benefits.
This time around, they found that an app with no (as in none, nada, zilch) permissions could do three very interesting things. None are serious, but all are worth looking at a bit. We'll start with the SD card.
Any app can read data on your SD card. It's always been this way, and it will always be this way. (Writing to the SD card is what needs a permission.) Utilities are available to create secure, hidden folders and protect them from other apps, but by default any data written to the SD card is there for any app to see. This is by design, as we want to allow our computer to access all the data on shareable partitions (like SD cards) when we plug them in. Newer versions of Android use a different partitioning method and a different way to share data that moves away from this, but then we all get to bitch about using MTP. (Unless you're Phil, but he's a little nuts at likes MTP.) This is an easy fix -- don't put sensitive data on your SD card. Don't use apps that put sensitive data on your SD card. Then quit worrying about programs being able to see data they are supposed to be able to see.
The next thing they found is really interesting if you're a geek -- an can read the /data/system/packages.list file with no explicit permission. This poses no threat on its own, but knowing what applications a user has installed is a great way to know what exploits may be useful to compromise their phone or tablet. Think of vulnerabilities in other apps -- the example the researchers used was Skype. Knowing that an exploit exists it's there means an attacker could try to target it. It's worth mentioning that targeting a known insecure app would probably require some permissions to do so, though. (And it's also worth reminding folks that Skype quickly acknowledged and fixed its permissions issue.)
Finally, they discovered that the /proc directory gives a bit of data when queried. Their example shows that they can read things like the Android ID, kernel version, and ROM version. There's a lot more that can be found in the /proc directory, but we need to remember that /proc isn't a real file system. Look at yours with root explorer -- it's full of 0-byte files that are created at runtime, and is designed for apps and software to communicate with the running kernel. There is no real sensitive data stored there, and it's all erased and rewritten when the phone is power cycled. If you are worried that someone might be able to find your kernel version or 16 digit Android ID, you still have the hurdle of getting that information sent anywhere without explicit Internet permissions.
We're glad that people are digging in deep to find these sort of issues, and while these aren't critical by any serious definition, it's good to make Google aware of them. Researchers doing this sort of work can only make things safer and better for all of us. And we need to stress the point that the fellows at Leviathan aren't talking doom and gloom, they are just presenting facts in a useful way -- the doom and gloom is coming from outside sources.
Source: Leviathan Security Group
