Security scare of the week: What can an app with no permissions do?

The latest in the never-ending story of Android security is out, and this time it's talking about what an app can access if it declares no permissions. (To put it another way, what all an application can see if it doesn't request any of the normal functionality apps request.) Some folks make it out to be nothing to worry about, others use it in their quest to damnify the world's most popular mobile phone OS, but we figure the best thing to do with it is explain what's happening. 

A group of security researchers set out to create an app that declares no permissions to find out exactly what sort of information they could get out of from the Android system it was running on. This sort of thing is done every day, and the more popular the target is, the more people are looking at it. We actually want them to do this sort of thing, and from time to time folks find things that are critical and need fixed. Everybody benefits.

This time around, they found that an app with no (as in none, nada, zilch) permissions could do three very interesting things. None are serious, but all are worth looking at a bit. We'll start with the SD card.

Any app can read data on your SD card. It's always been this way, and it will always be this way. (Writing to the SD card is what needs a permission.) Utilities are available to create secure, hidden folders and protect them from other apps, but by default any data written to the SD card is there for any app to see. This is by design, as we want to allow our computer to access all the data on shareable partitions (like SD cards) when we plug them in. Newer versions of Android use a different partitioning method and a different way to share data that moves away from this, but then we all get to bitch about using MTP. (Unless you're Phil, but he's a little nuts at likes MTP.) This is an easy fix -- don't put sensitive data on your SD card. Don't use apps that put sensitive data on your SD card. Then quit worrying about programs being able to see data they are supposed to be able to see.

The next thing they found is really interesting if you're a geek -- an can read the /data/system/packages.list file with no explicit permission. This poses no threat on its own, but knowing what applications a user has installed is a great way to know what exploits may be useful to compromise their phone or tablet. Think of vulnerabilities in other apps -- the example the researchers used was Skype. Knowing that an exploit exists it's there means an attacker could try to target it. It's worth mentioning that targeting a known insecure app would probably require some permissions to do so, though. (And it's also worth reminding folks that Skype quickly acknowledged and fixed its permissions issue.)

Finally, they discovered that the /proc directory gives a bit of data when queried. Their example shows that they can read things like the Android ID, kernel version, and ROM version. There's a lot more that can be found in the /proc directory, but we need to remember that /proc isn't a real file system. Look at yours with root explorer -- it's full of 0-byte files that are created at runtime, and is designed for apps and software to communicate with the running kernel. There is no real sensitive data stored there, and it's all erased and rewritten when the phone is power cycled. If you are worried that someone might be able to find your kernel version or 16 digit Android ID, you still have the hurdle of getting that information sent anywhere without explicit Internet permissions. 

We're glad that people are digging in deep to find these sort of issues, and while these aren't critical by any serious definition, it's good to make Google aware of them. Researchers doing this sort of work can only make things safer and better for all of us. And we need to stress the point that the fellows at Leviathan aren't talking doom and gloom, they are just presenting facts in a useful way -- the doom and gloom is coming from outside sources.

Source: Leviathan Security Group

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Call me ignorant, but you need permissions to have internet access, right? So what can the app do if it access all the above?
  • "If you are worried that someone might be able to find your kernel version or 16 digit Android ID, you still have the hurdle of getting that information sent anywhere without explicit Internet permissions" Someone didn't read the article...
  • My thoughts exactly. So, the app can read all this juicy (not really) data, but can't actually communicate anything to the outside world. -SR-
  • You can also read and set the clipboard too without saying, which I guess if people use it to copy and paste passwords could be an issue eg: this app that only has "run at start" permissions BTW its a great app as well :) and yes I do use it
  • Apps that don't have any permissions are apps that will only preform their basic written functions. Ok yes they can access the sdcard, but without write access or even internet acces what are they going to do? An app such as the calculator is a good example, yes it has a permission but its only to vibrate keys. It dosent save data to an sdcard, and it dosent need an internet connection, so its not going to do anything with any data it finds. It's a system only app that needs no external info that isnt typed in, or saved in its cache files. There really isn't any big risk, unless they find some vulnerability and attack it.
  • >"Newer versions of Android use a different partitioning method and a different way to share data that moves away from this, but then we all get to bitch about using MTP" Indeed. I am very good about bitching about that damn MTP crap. It is a total PITA on my Xoom. Thankfully, at least Sense 4 had the "sense" to add USB Mass Storage mode back into ICS...
  • Stock Android has it too. Try a Nexus S with ICS. Or Galaxy SII with ICS. Xoom/GNex/etc don't have Mass Storage because they cannot unmount the /sdcard from the Android system to make it available to the PC/Mac, because it's not a separate partition. It's a bonus and disadvantage at the same time, having one huge chunk of storage (no more "oh only 1.4GB available for apps, sorry you folks who want more!")... I myself like Mass Storage simply because it works better on a Mac, MTP doesn't work as well...
  • And on Linux, the semi-proprietary "MTP" doesn't hardly work at all.
  • so it works really well? i'm not trying to be a smartass, but doesnt hardly means the opposite of what you apparently think it means...and i honestly want to know
  • On Linux, you can mount the filesystem of your phone so it behaves like any other mount (using sshfs). That's a convenient way to access your phone if you ask me. Takes a little bit of setup but doesn't everything in Linux?
  • OK.. I'm a total noob to Android and will soon make the jump from Apple to Android. However reading this post has me concerned BIG TIME. How does a noob know which apps may allow someone to pry into their phone and create problems? With almost half a million apps available it's daunting to say the least!
  • There's hyperlinks in the article, namely one about permissions. When you install an app, it lists which permissions the app needs to run, and you can then accept the permissions or refuse to install the app. Ok that still doesn't help completely, you have to make sure you can trust the maker of the app and the app itself. ie if you install "random triple-x wallpaper with big *******" application, and it requests "read contact data" "internet access", then you might be worried because a wallpaper has no business reading your contacts and having internet access... Then again maybe you want to install Twitter, which also asks for "read/write contact data" and "internet access" (among many other permissions), but this makes sense because Twitter needs to access the internet to work at all, and it reads contacts for the "find your friends on twitter" feature. It can also write to contacts because it can synchronize your phonebook with twitter accounts and can see their latest tweet straight from your Contacts/People. So reading permissions + thinking a little bit about why they are needed goes a long way. It might seem like some effort, but the fact is you at least can KNOW what will happen instead of having to blindly trust that the apps you install should be safe. Makes sense?
  • It did make sense to me.
  • Additionally to reading well the permissions of each app before installing, you can use an app like "Permissions free" to disable any permissions you don't trust from an app. If you get the pro version, you can even disable permissions on all apps that have them, instead of disabling them one by one.
  • Well, you shouldn't be TOO concerned. Because if you are coming off the iphone, you are used to a platform on which the user had almost ZERO control for setting application permissions.
  • don't be afraid to survey the user reviews a little bit, especially if the app has a bunch of 1 & 2 star reviews!
  • Agreed, the reviews are a good place to start... But I have to complain a little here...there's an infuriating trend in app comments, where the commenters rate an app one star and complain about its permissions without thinking for a minute why it might need it. It's horrible on Amazon's appstore, to the point the reviews are useless. But it's making its way to the Play Store, too. I remember reading about one app, can't recall what the app did, but one of the features it listed about was being able to send stuff via SMS. So naturally, it would need access to your contact list to do that. There were tons of comments on the order of "Rating one star until developer removes access to Contacts!!!!!". Pointless stuff like that. Ok, off my soapbox now! :)
  • I agree without other permissions it can't do much. BUT, an app with permission to ONLY access the internet could gobble up this data and send it somewhere. So this is concerning. Not earth shattering, but concerning nonetheless.
  • I don't know why reading the /proc folder is an issue. In standard Linux all users and applications have read access to the /proc folder. Some applications won't even run without the /proc folder being readable because it's a virtual file system on Linux that reports the characteristics of the system back to the software. It's been in Linux for years and continues to be an integral part of Linux.
  • Since most of the hardware in Linux is mapped to /proc and /sys, if an app can access that stuff, it is conceivably possible that it could snarf things about the phone that you wouldn't necessarily want to share. Not sure exactly what, but Jerry did give a few examples.
  • I have one and only one app on my phone that did not require ANYTHING. It's an ADOBE product (app) and I don't know if it mattered up until I read "this app requires no permissions". I have apps that are top developer trusted (lil blue icon) and/or 4+ star apps. I don't know for sure if that matters but I like to read fine print. And finer print too if needed. And if I have my readers near/with me. ;-)
  • Even if an app can collect some info (even sensitive), what the app will do with it? How can it send the info outside without any 'communication' permissions? I do not mean to be rude but the article seems pointless to me. And it did not scare me this week :-)
  • Hmm, sounds like computers doing computer stuff to me. Guess I'll go put my pitchfork back in the garage...
  • The only issue I have with permissions is apps like Go Launcher putting ads in my notification bar & no where in the app description does it says it is ad supported.
  • Go Launcher is not ad supported. It does not put ads in your notification bar or anywhere else.