The term "permissions" may be a relative one for Google's Android
operating system, which grants applications with no permissions access
to a wide range of user and device data, according to research from the
company Leviathan Security Group.
In a blog post Monday,
researcher Paul Brodeur was able to show that Android applications
without permissions can still access files used by other applications,
including which applications are installed and a list of any readable
files used by those applications. That capability could be used to
identify applications that have weak permissions vulnerabilities and
exploit those, Brodeur warned.
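A developer-side check for the exposure described above, as an added example that is not from Brodeur's post or the NoPermissions app: it parses an `ls -lR` listing of an app's data directory and reports regular files that any other application could read or write. The listing, package name and file names are constructed, and the "YYYY-MM-DD HH:MM name" column layout is an assumption about the `ls` output format.

```python
import re

# One `ls -lR` entry: 10-char mode string ... "YYYY-MM-DD HH:MM" name
ENTRY = re.compile(r"^([-dl][-rwxsStT]{9})\s.*?\d{4}-\d{2}-\d{2} \d{2}:\d{2} (.+)$")

# Constructed sample listing (hypothetical package and files, not from the article).
SAMPLE_LISTING = """\
/data/data/com.example.vpn:
drwxrwx--x app_45 app_45 2012-04-09 10:00 files
drwxrwx--- app_45 app_45 2012-04-09 10:00 cache
/data/data/com.example.vpn/files:
-rw-rw-r-- app_45 app_45 1675 2012-04-09 10:01 client.key
-rw-rw---- app_45 app_45 220 2012-04-09 10:01 settings.xml
/data/data/com.example.vpn/cache:
-rw-rw-rw- app_45 app_45 88 2012-04-09 10:02 tmp.dat
"""

def exposed_files(listing):
    """Return (path, mode, access) for regular files another UID could open."""
    dir_modes, files, current = {}, [], ""
    for line in listing.splitlines():
        line = line.rstrip()
        m = ENTRY.match(line)
        if m:
            mode, name = m.groups()
            path = current.rstrip("/") + "/" + name
            if mode[0] == "d":
                dir_modes[path] = mode
            elif mode[0] == "-":
                files.append((path, mode))
        elif line.endswith(":"):
            current = line[:-1]          # "dir:" header printed by ls -R
    findings = []
    for path, mode in files:
        parts = path.split("/")
        ancestors = ["/".join(parts[:i]) for i in range(2, len(parts))]
        # A file is only reachable if every listed parent has o+x (traverse).
        if any(a in dir_modes and dir_modes[a][9] not in "xt" for a in ancestors):
            continue
        access = "+".join(n for n, b in (("read", mode[7]), ("write", mode[8])) if b != "-")
        if access:
            findings.append((path, mode, access))
    return findings

if __name__ == "__main__":
    for path, mode, access in exposed_files(SAMPLE_LISTING):
        print(f"{mode}  {path}  (world {access})")
```

In the sample, `tmp.dat` is world-writable but is not reported because its parent directory denies traversal to other users; `client.key` is reported because both the file and its directory are open to them.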
Brodeur unveiled a proof-of-concept
Android application, dubbed "NoPermissions," that works with Android
phones running versions 4.0.3 and 2.3.5 of the operating system.
His work builds on research done by other mobile
security experts and academics that has uncovered limitations to the
Android permissions scheme. For example, even without any permissions,
Brodeur's application was able to collect information about the
Android device including the GSM and SIM vendor ID, a file that includes
the kernel and ROM version installed, as well as the unique Android ID.
His no-permission application could also access non-hidden files stored
on the phone's SD card. That's as Google intended it to be, but Brodeur
points out that applications use local storage in ways that are
unpredictable - and mostly transparent to the phone's owners. Among the
data he found on his own Android phone were certificates from his mobile
OpenVPN application.
Not only could an attacker take advantage
of the lack of strict permissions to collect data, Brodeur wrote, they
could also export it from the phone without permissions. The URI
ACTION_VIEW Intent network access call is supported without permissions.
That will open a browser on the Android device. An attacker could then
pass data to the browser in the form of a URI with GET parameters to
pass it to an Internet accessible server or device using successive
browser calls. In fact, Brodeur found that the app can launch a browser
in the background, when it does not have focus (that is: isn't the
active application).
This isn't the first warning about the
problem of loose application permissions on Android. Researchers from
North Carolina State University designed a similar application in 2010 to highlight flaws in the Android permissions scheme.
And in December 2011, Thomas Cannon, a researcher at security
firm viaForensics, demonstrated that an Android application without
permissions could still give an attacker access to a remote shell on an Android phone, allowing them to run commands on the device remotely.
Courtesy Paul