The term “permissions” may be a relative one for Google’s Android operating system, which grants applications with no permissions access to a wide range of user and device data, according to research from the company Leviathan Security Group.
In a blog post Monday, researcher Paul Brodeur was able to show that Android applications without permissions can still access files used by other applications, including which applications are installed and a list of any readable files used by those applications. That capability could be used to identify applications that have weak permissions vulnerabilities and exploit those, Brodeur warned.
Brodeur unveiled a proof-of-concept Android application, dubbed “NoPermissions,” that works with Android phones running versions 4.0.3 and 2.3.5 of the operating system.
His work builds on research by other mobile security experts and academics that has uncovered limitations in the Android permissions scheme. For example, even without any permissions, Brodeur’s application was able to collect information about the Android device, including the GSM and SIM vendor ID, a file that includes the kernel and ROM version installed, as well as the unique Android ID. His no-permission application could also access non-hidden files stored on the phone’s SD card. That’s as Google intended it to be, but Brodeur points out that applications use local storage in ways that are unpredictable – and mostly transparent to the phone’s owners. Among the data he found on his own Android phone were certificates from his mobile OpenVPN application.
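For developers and device owners who want to check their own exposure, the following added example (not Brodeur's code or part of his NoPermissions app) audits a local copy of a card's contents for non-hidden files that look like certificates or keys. The extension and marker lists, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed indicator lists for this example; extend them for your own apps.
SENSITIVE_EXTS = {".ovpn", ".p12", ".pfx", ".pem", ".key", ".crt"}
PEM_MARKERS = (b"-----BEGIN CERTIFICATE-----", b"-----BEGIN PRIVATE KEY-----")

def audit_shared_storage(root, head_bytes=65536):
    """Return [(relative_path, reasons)] for non-hidden files that look like
    credentials. Hidden files and directories are skipped, matching the
    non-hidden view of the SD card that the article describes."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if not d.startswith("."))
        for name in sorted(filenames):
            if name.startswith("."):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.splitext(name)[1].lower() in SENSITIVE_EXTS:
                reasons.append("extension")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable to the auditor, so not reported
            if any(marker in head for marker in PEM_MARKERS):
                reasons.append("pem-marker")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return findings

def demo():
    """Build a constructed sample tree (not real device data) and audit it."""
    sample = {
        "openvpn/client.ovpn": b"client\nremote vpn.example.test 1194\n",
        "openvpn/ca.txt": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n",
        "DCIM/photo.jpg": b"\xff\xd8\xff constructed image bytes",
        ".cache/hidden.key": b"-----BEGIN PRIVATE KEY-----\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit_shared_storage(root)

if __name__ == "__main__":
    print(demo())
```

Checking file content as well as the extension catches credentials saved under neutral names, such as the constructed `ca.txt` above.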
Not only could an attacker take advantage of the lack of strict permissions to collect data, Brodeur wrote, they could also export it from the phone without permissions. The URI ACTION_VIEW Intent network access call is supported without permissions, and it opens a browser on the Android device. An attacker could then hand data to the browser in the form of a URI with GET parameters, sending it to an Internet-accessible server or device using successive browser calls. In fact, Brodeur found that the app can launch a browser in the background, when it does not have focus (that is, when it isn’t the active application).
This isn’t the first warning about the problem of loose application permissions on Android. Researchers from North Carolina State University designed a similar application in 2010 to highlight flaws in the Android permissions scheme. And, in December 2011, Thomas Cannon, a researcher at security firm viaForensics, demonstrated that an Android application without permissions could still give an attacker access to a remote shell on an Android phone, allowing them to run commands on the device remotely.