Google’s Android operating system grants applications with no permissions access to a wide range of user and device data, according to new research.
Android applications without permissions can still access files used by other applications, including which applications are installed and a list of any readable files used by those applications, said researcher Paul Brodeur of Leviathan Security Group. That capability could be used to identify applications that have weak-permission vulnerabilities and to exploit them, he said.
Brodeur unveiled a proof-of-concept Android application, dubbed “NoPermissions,” that works with Android phones running versions 4.0.3 and 2.3.5 of the operating system.
His work builds on research done by other mobile security experts and academics and has uncovered limitations to the Android permissions scheme. Even without permissions, Brodeur’s application was able to collect information about the Android device including the GSM and SIM vendor ID, a file that includes the kernel and ROM version installed, as well as the unique Android ID.
His no-permission application could also access non-hidden files stored on the phone’s SD card. That’s as Google intended it to be, but Brodeur points out that applications use local storage in ways that are unpredictable, and mostly transparent to the phone’s owners. Among the data he found on his own Android phone were certificates from his mobile OpenVPN application.
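
For developers who want to check their own application for this kind of exposure, the following added example (not code from Brodeur's research or from Android) audits a copy of an application's data directory for files that another UID could read. It assumes the directory was copied to a workstation with its Unix mode bits preserved; the suffix list, function names and sample layout are constructed for illustration.

```python
import os
import stat
import tempfile

# Assumed name patterns for material worth flagging (VPN profiles, keys, certificates).
SENSITIVE_SUFFIXES = (".ovpn", ".p12", ".pfx", ".pem", ".key", ".crt")

def audit_tree(root):
    """Return sorted (relative_path, looks_sensitive) for files another UID could read."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Without o+x on a directory, another UID cannot reach anything beneath it.
        if not os.lstat(dirpath).st_mode & stat.S_IXOTH:
            dirnames[:] = []
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                rel = os.path.relpath(full, root)
                findings.append((rel, name.lower().endswith(SENSITIVE_SUFFIXES)))
    return sorted(findings)

def build_sample(root):
    """Create a constructed layout standing in for a pulled app data directory."""
    files = {
        "files/client.ovpn": 0o644,          # world-readable VPN profile
        "files/notes.txt": 0o600,            # owner-only
        "shared_prefs/settings.xml": 0o660,  # owner and group only
        "private/token.key": 0o644,          # readable bit set, parent blocks traversal
    }
    dirs = {"files": 0o755, "shared_prefs": 0o771, "private": 0o700}
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(full, mode)
    for rel, mode in dirs.items():
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(root, 0o755)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, sensitive in audit_tree(tmp):
            print(("SENSITIVE " if sensitive else "readable  ") + rel)
```

A file is reported only when its own other-read bit is set and every directory above it, up to the audited root, is traversable by other users, which is why the key under the 0700 directory is not flagged.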
Not only could an attacker take advantage of the lack of strict permissions to collect data, Brodeur said, they could also export it from the phone without permissions. The URI ACTION_VIEW Intent call, which gives network access, is supported without permissions. It opens a browser on the Android device. An attacker could then pass data to the browser in the form of a URI with GET parameters, sending it to an Internet-accessible server or device using successive browser calls. In fact, Brodeur found the app can launch a browser in the background, when it does not have focus.
This isn’t the first warning about the problem of loose application permissions on Android. Researchers from North Carolina State University designed a similar application in 2010 to highlight flaws in the Android permissions scheme. Also, in December 2011, Thomas Cannon, a researcher at security firm viaForensics, demonstrated that an Android application without permissions could still give an attacker access to a remote shell, which would allow them to run commands on the device remotely.