
Some Android apps can still see your data even with 'no permission'


Users of Android phones, beware of so-called "no permission" apps: some of them can access, and even share, sensitive data.
 
An article by CNN's Amy Gahran said that while many apps raise suspicions when they ask for "unnecessary" permissions, some apps that don't may be risky too.
 
Gahran cited a test conducted by the Leviathan Security Group showing even "no-permissions" Android apps can access potentially sensitive data on a phone - and worse, transmit that data elsewhere via the phone's built-in Web browser.
 
She added the built-in browser could be a potential route through which no-permissions apps can transmit data from the phone.
 
Leviathan's Paul Brodeur created a test app that requested no permissions, and used it to scan the phone's memory (SD) card and display the non-hidden files on it.
 
"While it's possible to fetch the contents of all those files, I'll leave it to someone else to decide what files should be grabbed and which are going to be boring," he said.
 
He also could see which apps were installed on the phone, and list some files belonging to those apps - a situation that can potentially allow cybercriminals to exploit permission-related vulnerabilities in certain apps.
 
In phones that operate on GSM cell networks, Leviathan's test app could read identifying information about the phone from the SIM card.
 
Concern for developers
 
But Gahran said this may be more of a concern for Android app developers and Google, rather than consumers who use Android phones and tablets.
 
"What this research found is really little cracks in Android -- not great big security holes you could drive a truck through," said Kevin Mahaffey, co-founder and chief technical officer of Lookout Mobile Security, a provider of security apps and services for Android devices.
 
"That's why this kind of research is so valuable -- it ultimately helps make Android more secure," he added.
 
Mahaffey said the bigger problem is not that people might maliciously exploit these security cracks to steal from users or compromise their phones, but rather that many app developers are "sloppy."
 
He said developers sometimes build apps that store user data such as usernames and passwords in ways that could be easily accessed through the security cracks Leviathan found.
 
In other cases, the app might open the phone's Web browser, which can potentially transmit data.
 
Gahran cited an article on TheVerge.com reporting that the preinstalled photo gallery on Android phones by manufacturers like Samsung and LG may store unencrypted copies of complete addresses associated with photos.
 
She said the article noted a completely unencrypted file containing "a list of locations which matched those of our home, work, family, significant other, friends, and even holiday destinations," possibly generated by Google's Picasa photo management software.
 
"There is no reason for the application to be caching locations of private photos completely unencrypted," wrote Aaron Souppouris for The Verge. "This was information that we'd never given Google, either on a phone or within Picasa. To make matters worse, Picasa Web-Album syncing had been switched off a week before the information was found."
 
Best practices
 
While there is not much an average consumer can do to spot whether apps are storing unnecessary data insecurely, the best practice is still to notice which permissions apps require before installing them.
 
Users are cautioned against installing apps that seem to require too many permissions, and urged to report to the developer any suspicious activity by an app.
 
Mahaffey advised that if the developer is not responsive or seems evasive or shady when one reports suspicious app behavior, the next step may be to alert Google's Android security team by sending an e-mail to security@android.com.
 
"That channel is mainly used by developers, but it's worth letting them know if you have concerns about an app and you aren't getting useful responses from the developer," he said. — TJD, GMA News