Android apps don't need permission to see your data

Unauthorised apps can access certain types of data without any permissions at all.

Android critics often point to the operating system's lack of control over apps as a threat to user security, and this is yet again proving to be true.

Security firm Leviathan Security has discovered that apps with no permissions to access system resources are still able to view sensitive data without the user's knowledge. Worse yet, through a few extra steps, a malicious app might be able to get that data off of the device using the Web browser.

According to Leviathan Security, at least three types of information can be accessed by any app, regardless of its permissions. These types of info include files on external storage, files stored by individual apps, and device information.

Android allows any app to read all files on external storage by default. This might sound harmless, but Leviathan researcher Paul Brodeur has discovered that some apps store sensitive data--such as network access information--to the device's SD card.

Apps can also fetch a list of installed applications on the device, and, from there, scan for files associated with those apps. iOS developers have recently come under fire for failing to secure data--Facebook, Dropbox and others have been found to be storing authentication information in plain text--and there are likely many Android apps with equally poor security.

Finally, Brodeur discovered that all apps could access basic device information. While an app is not able to read a device's unique identification number without the correct permissions, other identifiable information is easily accessible.

Getting the data off the device is not straightforward, as network access is restricted unless the application has the correct permissions. Still, there is a way for attackers to surreptitiously steal your data.

"In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls," Brodeur writes. In plain English, this means successive requests to open the browser and send strings of data can be done entirely in the background, so the victim never knows it's even happening.

For more tech news and commentary, follow Ed on Twitter at @edoswald, on Facebook, or on Google+.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ed Oswald

PC World (US online)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?