Google fixed a problem in Android 7 where previous OS versions allowed attackers to infer enough data about the device and its apps to determine the device’s real owner.
There was a problem with the file and folder permissions system used to limit access to sensitive data stored inside app folders on Android devices, said Belgian security researcher Arne Swinnen, who reported the issue to Google.
An attacker could use Android commands to change their app’s currently working directory to another app’s folder, Swinnen said.
The default Android app permissions model would allow them to access the directory and execute a file, but not list the folder’s contents to discover new files or read any of their content. In this scenario, the app would have to know the exact path of the accessed file.
This opens a few security holes. “However, what is remarkable is that existing files inside these directories can be listed and their meta-information gathered, when the filename is known,” Swinnen said in a blog post.
One such scenario is the YouTube Android app, which uses a standard youtube.xml file in the /data/data/com.google.android.youtube/shared_prefs/ folder to store data processed inside the app in real time.
An attacker could repeatedly list this file and get its size and last modified date in return (because they have no read permissions). Since the YouTube app updates this file every few seconds when the app is in use, a rogue app could monitor this file and determine when the app or the device is in use.
Other apps have similar files, stored in other sections of their internal structure, so the attack could port to any other application.
Furthermore, for apps that use predictable file names, such as Instagram or Facebook, the rogue app could launch brute-force attacks to guess those files.
The researcher created a brute-forcing script that runs in the Android OS background, meaning the user doesn’t have to keep the rogue app open all the time.
Once a match ends up identified for the correct user ID file in the correct app folder location, the attacker has the phone owner’s Instagram ID, which in some cases may lead back to the user’s real identity.
Swinnen reported the bug to Google last December, and the company fixed it with the release of Android 7. The researcher also received $500 for his work.