Continuing from my last post, I finished reading an article about the possibility for android apps to leak information without any permissions at all. Rather than in my last post, where android apps merely communicate to allow for information leaks, this one uses a single app that can use various methods requiring no permissions to acquire and leak information.
The research paper identifies several ways in which information can be acquired. The first way they get information is by exploiting the underlying Linux API that Android uses - they monitor process id's and the data statistics of each app. Specifically, they monitor the Twitter app's statistics. Their app first notices when twitter's data usage increases, and then it monitors Twitter closely. By doing so, it can find out the time a piece of data is sent from the user's phone to the twitter server. It does this repetitively, and then compares its record of timestamps to timestamps on the twitter website. By doing so, it is able to infer the identity of a given user. This of course, poses the question of how the app accesses the internet without permission.
The developers of this app did manage to find a way to access the internet without permission. What they basically do is send a piece of information to the browser, which can be sent without any permission, allowing them to sneak in web requests while the browser is open. This was a solution already existent to the "access internet without permission" problem - what these guys did was change it so that it would be sneakier - they send out their large amounts of data just before the screen closes. In this way, it is more unnoticeable to the user.
Another breach of security this group of developers discovered was that they could access a method "isMusicActive" - basically, this function tells whether or not the speaker is doing anything at the moment. By frequently pinging the information from this, they can reveal information from a GPS app. For example when a GPS app voices "Turn left at Bridge st.", by constantly pinging the audio function, they can determine the length of each word. Similarly, they can mark the timestamp of a new sentence - in this case, if it is 15 minutes between two of the directions given by the GPS app, their app will be able to discern this information. This method of gathering information is obviously very difficult, and it is unlikely that they would be able to discern a person's actual location; however, it can narrow it down to a set of specific driving routes. In any case, this information is leaked by the system, and although it cannot reveal much, it could still make it easier to do more malicious things, when paired with other, seemingly less threatening permissions.
Some of these security attacks seem trivial - yes, they compromise the security of some of your information, but it is often very difficult to do anything with that information. What I find is the scary part of this paper is that there is a way to access the internet from an application with no permissions at all - while difficult, it is still possible and that is a significant security hole.
This group of developers limited themselves to an app with "zero-permission". However, an app that wants access to, say, your contacts, and nothing else, can easily use this internet access workaround to broadcast your contacts' information to outside companies. Similarly, with the Twitter attack, when paired with permission to access your phones details, an app would be able to accurately pair a twitter user with a phone number - information that is very useful for certain organizations to have in a database. And this could be done, in the background, by a cute little game with permission only to access things on your phone.
No comments:
Post a Comment