For Android apps, “zero permissions” does not actually mean zero permissions


Android’s security issues and vulnerabilities have been the subject of heated debates in the technology world for a while now, with many developers and researchers claiming that the former Android Market, now known as Google Play, is the source of numerous malicious apps.

And while I don’t intend to thoroughly analyze and discuss all of the issues surrounding Android security weaknesses (we have done something like that a while back here on the website), I would like to bring to your attention a report from Paul Brodeur of Leviathan Security.
Brodeur created a so-called “zero-permission” Android app in order to explore what data is available for “harvesting” from an Android device by applications that don’t have any permissions at all. The results of the research are unfortunately not very encouraging, as they once again prove the ecosystem’s deep-reaching weaknesses.
The app gained access to the SD card, as well as to various system information and unique handset identification data, even though it had not been granted any Android permissions.
What is even more worrying is that Brodeur’s tests were conducted not only on an older version of Android (2.3.5 Gingerbread), which we pretty much knew had security issues, but also on Ice Cream Sandwich version 4.0.3, which I, for one, thought was safer.
What kind of data can be accessed without permission?
The first privileged access area for Brodeur’s application was the SD card, where each and every file that was not hidden could be opened by the app. This is not exactly an Android vulnerability, as the OS developer docs clearly state that there’s no security enforced upon files stored on external storage, but is still something that could trouble users. I mean, I, for one, have had an SD card installed on all of my latest phones and I currently have a lot of data on the card, including photos, backups, and all sorts of other sensitive data.
The second vulnerable area, according to the report, is even more troublesome, as it seems that the “zero-permission” app could easily determine exactly what apps were installed on the device at the time of the tests. The information was gathered by accessing the /data/system/packages.list file, and it could be used by malware for finding apps with weak-permission vulnerabilities.
Finally, it seems that any app can access key information about the device itself, including the GSM and SIM vendor IDs. The /proc/version pseudofile also revealed the kernel version and can show the name of a custom ROM, if one is installed. Not only that, but the developer notes that the illicitly collected data can be sent anywhere, even if the app doesn’t have Internet permissions, with the help of something called the URI ACTION_VIEW Intent.
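A permission-less app can read files such as /data/system/packages.list and /proc/version only when the file's "other" read bit is set, so a defender can audit a device for that condition. The sketch below is an added example, not code from Brodeur's report: it parses text in the shape of `ls -l` output and flags world-readable entries. The sample listing, its modes and the file example-private.xml are constructed for illustration, and real `ls -l` column layout varies between Android versions.

```python
import re

# A listing row starts with a 10-character mode string such as "-rw-rw-r--".
MODE_RE = re.compile(r"^[-dlcbps][-rwxsStT]{9}$")

# Constructed sample in the shape of `ls -l` output (not captured from a device).
SAMPLE_LISTING = """\
total 3
-rw-rw-r-- system   system       4312 2012-04-10 09:15 /data/system/packages.list
-rw-rw---- system   system      81230 2012-04-10 09:15 /data/system/example-private.xml
-r--r--r-- 1 root root 0 2012-04-10 09:20 /proc/version
"""


def other_can_read(mode):
    """True when the 'other' read bit is set, so any app UID can read the file."""
    return mode[7] == "r"


def audit(listing):
    """Return (name, owner, mode) for every world-readable row in the listing."""
    findings = []
    for line in listing.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not MODE_RE.match(tokens[0]):
            continue  # skip "total N" and anything that is not a listing row
        mode = tokens[0]
        # Assumption: a numeric second column is a link count (GNU/toybox style);
        # otherwise the second column is the owner (older toolbox style).
        owner = tokens[2] if tokens[1].isdigit() else tokens[1]
        # For symlinks report the link name, not the target after "->".
        name = tokens[tokens.index("->") - 1] if "->" in tokens else tokens[-1]
        if other_can_read(mode):
            findings.append((name, owner, mode))
    return findings


if __name__ == "__main__":
    for name, owner, mode in audit(SAMPLE_LISTING):
        print(f"world-readable: {name} (owner {owner}, mode {mode})")
```

The check looks only at the file's own mode bits; reaching the file also requires search permission on every parent directory, which this sketch does not evaluate.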
Needless to say, these pieces of information should not be accessible without the users’ permission and could cause harm if they fall into the wrong hands. That being said, Brodeur ends his report by stressing what every Android user should, by now, regard as the first rule of using a Google-powered handheld. Don’t install suspicious apps, as they can access sensitive data without your permission and can potentially use it to cause you and your device serious harm!