Pages

Subscribe:

Ads 468x60px

Sunday, 15 April 2012

How an Android app could transmit your personal data without any permissions




The CoolIris Android gallery, the stock gallery app used in many devices running Android 2.1 - 2.3, has been found to store unencrypted copies of complete addresses that could theoretically be accessed and transmitted by a malicious app with no system permissions. The issue came to light when we started investigating a security issue in Android found by Paul Brodeur from Leviathan Security Group. Brodeur created an app named No Permissions which highlights flaws in Android's permission system that would allow an app to access your data.
Android keeps apps in a "sandbox," and makes them ask for permission to access things like the internet, phone calls, location, or contacts. If you don't grant an app access to something, you can rest safe knowing that it will never access it. Brodeur uncovered a long list of things that, without permissions, a malicious app could access.
The first issue highlighted by the report is file security. No Permissions is able to scan your device's storage (either a physical SD card or an "internal SD Card" or eMMC) and return a list of any non-hidden files, the contents of which could then be scanned for potentially sensitive information. It was also possible to return a list of installed applications, which could aid a malicious app in knowing where to look for data. Although the app is only a proof-of-concept, the techniques mentioned in the report are capable of accessing this data.
So what sort of data would be available to a malicious app? Well, we took a nose around a few devices to see what was on offer. The most obvious issue would be   more>>




0 comments:

Post a Comment

ShareThis

Receive all updates via Facebook. Just Click the Like Button Below

Powered By | Blog Gadgets Via Blogger Widgets

Share

Widgets