
Privacy Concerns in Android

Introduction
Android has a robust access control system. If an Android app needs to use resources or information outside of its own scope, it has to request the appropriate permission. It needs permissions before accessing critical resources such as the camera, location and contacts. On Android 6.0 (Marshmallow) or higher, the app must request these permissions at runtime by showing a dialog box to the user. The user can also revoke these permissions for that app at any time in the future.

In this article, however, I would like to point out a few resources that an app can access without any permissions, which might raise a serious privacy concern for the user.

Privacy Concerns
  • An app can fetch a list of all other apps installed on your phone.
An app doesn't need to request any permissions from you to get a list of all the apps installed on your phone. For example, a Netflix app can find out whether its competitors, such as Amazon Prime Video or Hulu, are installed on your phone. Netflix can also access metadata such as when the other apps were installed and what permissions they are seeking. Android developers can go here for more.
  • An app can get to know which other apps are currently running in the background 
An app can know which other apps have services running in the background. It can also figure out which of those apps are currently using the internet and how much data they are consuming, without having any permissions from you. Android developers can go here for more.

Edit: The method getRunningServices() which was used to get the currently running processes will not work from Android O. This is a good improvement for user's privacy.
  • An app can get to know when your phone's display goes ON/OFF.
Yes, the app doesn't need to get any permissions from you to know when your phone's display is On and when it's Off. If the app is running in the background all the time, it can approximately figure out how much time you have spent on your phone because it gets a broadcast from the operating system every time the display goes ON or OFF. Android devs can go here for more.
  • An app can get to know how much mobile/WiFi data has been used since the device has booted up.
The app can access the data each app installed on the phone has used, and the total data the device has used since it booted up, without any permissions. Android devs can go here for more.

Edit: I noticed that, from Android 7.0 (Nougat) onwards, the data used by each app is now protected and requires permissions. But you can still access the total data the device has used without any permissions.

Conclusion

By exploiting the aforementioned issues, anyone can build simple spyware that collects data about when the user (the victim) was using his/her phone (by capturing the phone's screen state, i.e. ON/OFF states) and approximately which app he/she was using (by correlating which apps were running in the background when the screen was ON and which among them were using the internet at that time). All this spyware needs is the 'Internet' permission to send the collected data to a remote server. Android doesn't ask its users for a runtime permission (a dialog box to grant/deny permission) for internet access from an app. 'Internet' permissions are granted automatically when the user installs the app. So, the spyware will run successfully without ever grabbing the user's attention.

I have come across these issues on Android 7.0 (Nougat). Some of these issues may or may not have been addressed in the later versions. Or, the Android team at Google might not even consider this as a big deal. Nonetheless, the amount of metadata that an app can extract without letting the user know or getting his/her consent is quite alarming.
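
For anyone reviewing an app for the pattern described in the conclusion, here is an added audit sketch (not code from the original post). It checks a decoded AndroidManifest.xml and Java sources for the permissionless signals listed above combined with the INTERNET permission. Apart from getRunningServices(), the API names are the standard framework names assumed to match the features the post describes, and the sample manifest and sources are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Signals from the article mapped to framework API names (mapping is an
# assumption of this example; only getRunningServices() is named in the post).
SIGNALS = {
    "installed_apps": r"\bgetInstalled(Packages|Applications)\s*\(",
    "running_services": r"\bgetRunningServices\s*\(",
    "screen_state": r"\bACTION_SCREEN_(ON|OFF)\b",
    "traffic_counters": r"\bTrafficStats\s*\.\s*get\w+Bytes\s*\(",
}

def requested_permissions(manifest_xml):
    """Names of all <uses-permission> entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}

def audit(manifest_xml, sources):
    """sources maps file path -> Java source text. Returns a findings dict."""
    hits = {}
    for path, text in sources.items():
        # Drop comments so commented-out calls are not reported (naive: a
        # "//" inside a string literal also truncates that line).
        code = re.sub(r"//[^\n]*|/\*.*?\*/", "", text, flags=re.S)
        for name, pattern in SIGNALS.items():
            if re.search(pattern, code):
                hits.setdefault(name, []).append(path)
    internet = "android.permission.INTERNET" in requested_permissions(manifest_xml)
    # The article's scenario: screen state correlated with another signal,
    # plus INTERNET (granted at install, no dialog) to send it off-device.
    flag = internet and "screen_state" in hits and len(hits) >= 2
    return {"signals": hits, "internet": internet, "flag": flag}

# Constructed sample input, not taken from any real app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SOURCES = {
    "Tracker.java": """
        IntentFilter f = new IntentFilter(Intent.ACTION_SCREEN_ON);
        f.addAction(Intent.ACTION_SCREEN_OFF);
        List<PackageInfo> apps = getPackageManager().getInstalledPackages(0);
        // am.getRunningServices(50);  disabled in this build
    """,
    "Stats.java": "long rx = TrafficStats.getTotalRxBytes();",
}
if __name__ == "__main__":
    print(audit(MANIFEST, SOURCES))
```

A hit only says the calls are present; whether the values ever leave the device still has to be confirmed by reading the code paths or watching the app's network traffic.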


