Mobile Application
Now Reading
Over 1000 Apps on Google Play Store Can Access Your Data Without Permission

Over 1000 Apps on Google Play Store Can Access Your Data Without Permission

by Aiman MaulanaJuly 11, 2019
What's your reaction?
Me Gusta
Sad Reacc

Over 1000 Apps on Google Play Store Can Access Your Data Without Permission

Over 1000 Apps on Google Play Store Can Access Your Data Without Permission 20

Android has come a long way from when it first launched. By today’s standards, it’s quite a secure OS, with the user themselves being the biggest threat. If we watch what we download / install and check the permissions we grant, we should normally be safe from unauthorized access. However, it appears that some developers have found an exploit to bypass the Android permission model.

A study was presented at PrivacyCon last month which showed how certain apps were able to bypass the Android permission model. However, there were no mentions of the apps that managed to do so. It was noted that there are two different circumvention techniques; side channels and covert channels.

Side channel techniques involve getting access to particular information in a way that isn’t covered by the security mechanism. For example, apps used to be able to track a device’s location using the MAC address until Android Pie introduced MAC address randomization. Covert channel techniques involve two services cooperating to send data from one service that has valid access to one that does not. For example, an app that has been granted location access may share that data with an app that hasn’t been granted access.

Over 1000 Apps on Google Play Store Can Access Your Data Without Permission

In an analysis of 88,113 of the most popular Android apps on the US Google Play Store, over 1,000 apps and 3rd party libraries were found to have employed side channels and / or covert channels to bypass security. This allows them to access your location data and identifiers of users’ devices.

The testing was initially done on the Google Nexus 5X on Android 6.0.1 Marshmallow, but was later retested on the Google Pixel 2 running Android 9.0 Pie. This was done validate their findings as of late.

For what it’s worth, Google says that the security and privacy changes that Google has introduced in Android Q will close these bypass methods, thus this paper provides valuable insight into Google’s justifications for some of the platform changes they’ve made in Android 10. To detect circumvention of the Android security measure, the research team developed a method of using both dynamic and static analysis. This was done by auditing the app’s runtime behaviour and scanning the code for malicious behaviour.

Over 1000 Apps on Google Play Store Can Access Your Data Without Permission 21

The result of the analysis is that the team discovered what data was being scraped by the apps that circumvented the permissions model:

  • IMEI: Since an IMEI is a unique, persistent identifier, it’s useful for online services to scrape so they can track individual devices. The team discovered that the Salmonads and Baidu SDKs were using a covert channel to read the IMEI. Apps with legitimate access to the IMEI were storing hidden files on the external storage containing the device’s IMEI so that other apps without legitimate access could read the IMEI. Identified apps using Baidu’s SDK in this manner include Disney’s theme park apps for Hong Kong and Shanghai, Samsung Health, and Samsung Browser.
  • Network MAC Address: The network MAC address is also a unique identifier, and ordinarily it’s protected by the ACCESS_NETWORK_STATE permission. According to the researchers, apps were using C++ native code to “invoke a number of unguarded UNIX system calls.” The team identified 42 apps using the Unity SDK to open a network socket and an ioctl to obtain the MAC address, though they noted that 748 out of the 12,408 apps contained the code in question while lacking the ACCESS_NETWORK_STATE permission.
  • Router MAC Address: The ACCESS_WIFI_STATE permission protects the BSSID, but reading the ARP cache in /proc/net/arp allows an app to obtain that data without needing any permissions. The researcher identified the OpenX SDK as using this side channel technique.
  • Geolocation: The researchers discovered that the Shutterfly app was accessing the location tags of photos’ EXIF metadata. All that’s required is the READ_EXTERNAL_STORAGE permission.

In Android Q, Google requires apps with the READ_PRIVILEGED_PHONE_STATE permission to read the IMEI. Devices running Android Q now transmit randomized MAC addresses by default. Finally, Android Q’s Scoped Storage changes diminish the ability for apps to read the location data from photos. In other words, Google has addressed these issues and these loopholes will no longer be an issue in Android Q.

If you’d like more details, be sure to the read the complete research paper submitted to the FTC by clicking right here.

Source: XDA-Developers

Pokdepinion: There are a ton of weird stuff from Google Play Store and I’m not too daring to try. This is one of the reasons why.

About The Author
Aiman Maulana
Jack of all trades, master of none, but oftentimes better than a master of one. YouTuber, video editor, tech head, and a wizard of gaming. What's up? :)

Let's Discuss It Further