Android apps don't need permission to see your data

Unauthorised apps can access certain types of data without any permissions at all.

Android critics often point to the operating system's lack of control over apps as a threat to user security, and this is yet again proving to be true.

Security firm Leviathan Security has discovered that apps with no permissions to access system resources are still able to view sensitive data without the user's knowledge. Worse yet, through a few extra steps, a malicious app might be able to get that data off of the device using the Web browser.

According to Leviathan Security, at least three types of information can be accessed by any app, regardless of its permissions. These types of info include files on external storage, files stored by individual apps, and device information.

Android allows any app to read all files on external storage by default. This might sound harmless, but Leviathan researcher Paul Brodeur has discovered that some apps store sensitive data--such as network access information--to the device's SD card.

Apps can also fetch a list of installed applications on the device, and, from there, scan for files associated with those apps. iOS developers have recently come under fire for failing to secure data--Facebook, Dropbox and others have been found to be storing authentication information in plain text--and there are likely many Android apps with equally poor security.

Finally, Brodeur discovered that all apps could access basic device information. While an app is not able to read a device's unique identification number without the correct permissions, other identifiable information is easily accessible.

Getting the data off the device is not straightforward, as network access is restricted unless the application has the correct permissions. Still, there is a way for attackers to surreptitiously steal your data.

"In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls," Brodeur writes. In plain English, this means successive requests to open the browser and send strings of data can be done entirely in the background, so the victim never knows it's even happening.

For more tech news and commentary, follow Ed on Twitter at @edoswald, on Facebook, or on Google+.

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ed Oswald

PC World (US online)

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?