Android gives 'no permissions' apps access to sensitive info

Security researcher publishes proof-of-concept app to demonstrate security issue in Google's mobile operating system.

Steven Musil Night Editor / News
Thanks in large part to Android's history of lax app policing, Google's mobile operating system has been criticized as insecure.

But now it appears that apps with no permissions pose a new threat, gaining access to sensitive personal information without authorization. Leviathan Security Group researcher Paul Brodeur explained in a blog post earlier this week that he created a proof-of-concept to demonstrate that "no permissions" apps still have access to the device's SD card, handset identification data, and files stored by other apps.

On the SD card, Brodeur's app yielded a list of all non-hidden files, including photos, backups, and external configuration files. Brodeur said he found that OpenVPN certificates were stored on his own device's SD card.

"While it's possible to fetch the contents of all those files, I'll leave it to someone else to decide what files should be grabbed and which are going to be boring," he said.

He then fetched the /data/system/packages.list file to determine which apps were installed on the device, and scanned those apps' data directories to determine whether sensitive information could be read from them. He said that during testing he was able to read some files belonging to other apps. "This feature could be used to find apps with weak-permission vulnerabilities, such as those that were reported in Skype last year," he said.
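As an added illustration (this is not Brodeur's proof-of-concept and not code from the article), the following Python audit shows the defensive counterpart of the check described above: given a directory listing from a device, it flags files under an app's private data directory whose "other" permission bit is set (Android runs each app as its own Unix user, so that bit is what lets an unrelated app read the file), and it flags certificate or key material left on external storage, which every app can read. The listing lines are constructed sample data in `ls -l` format; the paths, user names and the list of sensitive suffixes are assumptions for the example.

```python
import re

# Constructed sample listing in ls -l format; not captured from a real device.
SAMPLE_LISTING = """\
-rw-rw-r-- 1 app_42  app_42    1024 2012-04-10 10:00 /data/data/com.example.chat/files/session.db
-rw------- 1 app_42  app_42     512 2012-04-10 10:00 /data/data/com.example.chat/shared_prefs/prefs.xml
-rw-r--r-- 1 app_57  app_57    2048 2012-04-11 09:30 /data/data/com.example.bank/files/cache.json
-rw-rw-r-- 1 root    sdcard_rw 4096 2012-04-09 18:20 /mnt/sdcard/openvpn/client.crt
-rw-rw-r-- 1 root    sdcard_rw 1700 2012-04-09 18:20 /mnt/sdcard/openvpn/client.key
-rw-rw-r-- 1 root    sdcard_rw 90000 2012-04-12 12:00 /mnt/sdcard/DCIM/IMG_0001.jpg
"""

# mode, link count, owner, group, size, date, time, path
LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxstST-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(?P<path>\S+)$"
)

# File name suffixes that usually hold secrets (assumed list for this example).
SENSITIVE_SUFFIXES = (".crt", ".key", ".pem", ".p12", ".ovpn", ".bak")

PRIVATE_DATA_PREFIX = "/data/data/"
EXTERNAL_STORAGE_PREFIX = "/mnt/sdcard/"


def parse_listing(text):
    """Turn ls -l style lines into {'mode': ..., 'path': ...} dicts; skip unparsable lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append({"mode": m.group("mode"), "path": m.group("path")})
    return entries


def world_readable(mode):
    """True if the 'other' read bit is set in a 10-character mode string."""
    # index 0 = type, 1-3 = owner, 4-6 = group, 7-9 = other
    return mode[7] == "r"


def audit(entries):
    """Return (finding, path) pairs for the two conditions described in the article."""
    findings = []
    for e in entries:
        path = e["path"]
        # Private app data that any other app (a different Unix user) could read.
        if path.startswith(PRIVATE_DATA_PREFIX) and world_readable(e["mode"]):
            findings.append(("private-data-world-readable", path))
        # Key material on external storage, which needs no permission to read.
        if path.startswith(EXTERNAL_STORAGE_PREFIX) and path.lower().endswith(SENSITIVE_SUFFIXES):
            findings.append(("secret-on-external-storage", path))
    return findings


if __name__ == "__main__":
    for kind, path in audit(parse_listing(SAMPLE_LISTING)):
        print(f"{kind}: {path}")
```

On the sample data the audit reports two world-readable files under /data/data and the two OpenVPN files on the SD card, and stays silent on the photo and on the prefs file that is readable only by its owning app. The fix on the developer side is the one the findings imply: write app-private files with owner-only permissions and keep credentials in internal storage rather than on external storage.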

Lastly, Brodeur's app was able to gather the handset's identification information. Without the "PHONE_STATE" permission, applications can't read the device's International Mobile Equipment Identity or International Mobile Subscriber Identity. However, the Global System for Mobile Communications information and SIM vendor IDs could still be read.

"Though this app uses buttons to activate the three different actions detailed above, it's trivial for any installed app to execute these actions without any user interaction," he wrote.

Brodeur said he tested the app on Android 4.0.3 Ice Cream Sandwich and Android 2.3.5 Gingerbread.