Android 6.0 Marshmallow (and later) is hailed for letting ordinary users grant or deny, one by one, the permissions an app requests, something that previously only users of rooted devices or custom ROMs could do. Yet, despite this permissions feature, a study conducted by the University of Calgary, U.C. Berkeley, Universidad Carlos III de Madrid and IMDEA Networks Institute, in coordination with the U.S. Federal Trade Commission, documents how apps circumvent Android's permissions system. The study covered 88,113 apps available in the Google Play Store to U.S. Android users and found more than 1,300 top apps deliberately bypassing the permissions set by the user. Through these bypasses, apps can gather data even when they were never granted permission to do so.
According to the six researchers from the institutions named above, app developers can exploit side channels present in Android, even in its latest version, 9.0 Pie. The researchers also blame the availability of covert communication channels, which let an app that holds a permission share the data it obtains with another app that has no such permission.
The results were produced in a specially designed test environment that lets the researchers monitor app behavior, including network activity. They then reverse-engineered the offending apps, including their bundled third-party libraries, to find what causes each bypass of the permissions system.
“A covert channel is a more deliberate and intentional effort between two cooperating entities so that one with access to some data provides it to the other entity without access to the data in violation of the security mechanism,” the report explains.
The researchers deliberately denied certain permissions to the sample apps and used their instrumented environment to see whether the device still transmitted the protected information through those apps. All the apps examined are available from the Google Play Store, so they are the official versions from their respective developers. Some of the apps came from well-known brands such as Samsung and Disney. The popular Shutterfly app was among those detected exhibiting this offending behavior.
Shutterfly captured geolocation data, both current and historical, as well as the MAC address of the Android device, even though the researchers had not granted it the location permission. “We observed that the Shutterfly app sends precise geolocation data to its own server without holding a location permission. The app actually processed the image file: it parsed the EXIF metadata—including location—into a JSON object with labeled latitude and longitude fields and transmitted it to their servers,” the report adds.
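The EXIF path described above, as an added example that is not code from the study or from Shutterfly: a minimal JPEG/Exif walker, standard library only, that reports which GPS tags an image carries and strips the Exif segment before the file is handed to a third party. The sample image is constructed inline; all names are the example's own.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # IFD0 tag holding the offset of the GPS sub-IFD

def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each JPEG segment before the start-of-scan marker."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        if jpeg[pos + 1] == 0xDA:  # SOS: entropy-coded image data follows, no more metadata
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length
def _ifd_entries(tiff: bytes, bo: str, off: int):
    # Yield (tag, type, count, raw 4-byte value-or-offset) for every 12-byte entry of the IFD at off
    for i in range(struct.unpack(bo + "H", tiff[off:off + 2])[0]):
        base = off + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[base:base + 8])
        yield tag, typ, n, tiff[base + 8:base + 12]
def gps_tags(jpeg: bytes) -> set:
    """Return the GPS IFD tag ids in the image's Exif block (1-4 are lat/long refs and values)."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            tiff = jpeg[start + 10:end]
            bo = {b"II": "<", b"MM": ">"}[tiff[:2]]  # TIFF byte order: Intel or Motorola
            ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
            for tag, _, _, val in _ifd_entries(tiff, bo, ifd0):
                if tag == GPS_IFD_POINTER:
                    gps_off = struct.unpack(bo + "I", val)[0]
                    return {t for t, _, _, _ in _ifd_entries(tiff, bo, gps_off)}
    return set()
def strip_exif(jpeg: bytes) -> bytes:
    """Remove every Exif APP1 segment so the file carries no location (or other) metadata."""
    out, last = b"", 0
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            out, last = out + jpeg[last:start], end
    return out + jpeg[last:]
def build_sample_jpeg() -> bytes:
    """Constructed sample: SOI, Exif APP1 with IFD0 -> GPS IFD (lat ref 'N', lat 37 52' 30"), SOS, EOI."""
    gps_off, lat_off = 8 + 18, 8 + 18 + 30  # IFD0 is 18 bytes, the GPS IFD 30; RATIONALs follow
    tiff = b"II" + struct.pack("<HI", 42, 8)  # little-endian TIFF header, IFD0 at offset 8
    tiff += struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, gps_off, 0)  # one LONG entry, no next IFD
    tiff += struct.pack("<HHHI", 2, 1, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef, ASCII, stored inline
    tiff += struct.pack("<HHIII", 2, 5, 3, lat_off, 0)  # GPSLatitude, 3 RATIONALs at lat_off, no next IFD
    tiff += struct.pack("<6I", 37, 1, 52, 1, 30, 1)
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

A non-empty result from gps_tags on a photo an app is about to upload is the signal that location is leaving the device regardless of the location permission; strip_exif is the corresponding mitigation.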
The following are further behaviors of the offending apps that the researchers documented:
- Apps can read MAC addresses from the ARP cache. MAC addresses can also be harvested through the ioctl system call; 12,408 apps in the sample abuse this flaw.
- MicroSD cards (shared external storage) can be used as a covert channel to pass the device's IMEI between apps. A total of 159 apps in the sample explicitly exhibit this behavior.
Google, for its part, has acknowledged the flaws, and the search giant will ship an official fix as part of Android Q, scheduled for release a few months from now. The bigger question, however, is Android's weakness when it comes to updates: many device vendors prefer to sell new devices rather than update their existing devices to the latest Android version released by Google.