It's been reported that 1,300 Android apps were found circumventing the Android permission system to gain access to information they otherwise were not allowed to access, and in many cases then sending this information to third-party servers.
The research was published on the FTC website and shows a number of discovered methods by which apps were bypassing the permission system implemented in Android.
We studied more than 88,000 apps across each category from the U.S. Google Play Store. We found a number of side and covert channels in active use, responsibly disclosed our findings to Google and the U.S. Federal Trade Commission (FTC), and received a bug bounty for our efforts.
In summary, the contributions of this work include:
- We designed a pipeline for automatically discovering vulnerabilities in the Android permissions system through a combination of dynamic and static analysis, in effect creating a scalable honeypot environment.
- We tested our pipeline on more than 88,000 apps and discovered a number of vulnerabilities, which we responsibly disclosed. These apps were downloaded from the U.S. Google Play Store and include popular apps from all categories. We further describe the vulnerabilities in detail, and measure the degree to which they are in active use, and thus pose a threat to users. We discovered covert and side channels used in the wild that compromise both users’ location data and persistent identifiers.
- We discovered companies getting the MAC addresses of the connected WiFi base stations from the ARP cache. This can be used as a surrogate for location data. We found 5 apps exploiting this vulnerability and 5 with the pertinent code to do so.
- We discovered Unity obtaining the device MAC address using ioctl system calls. The MAC address can be used to uniquely identify the device. We found 42 apps exploiting this vulnerability and 12,408 apps with the pertinent code to do so. We also discovered that third-party libraries provided by two Chinese companies—Baidu and Salmonads—independently make use of the SD card as a covert channel, so that when an app can read the phone’s IMEI, it stores it for other apps that cannot. We found 159 apps with the potential to exploit this covert channel and empirically found 13 apps doing so.
- We found one app that used picture metadata as a side channel to access precise location information despite not holding location permissions.
These deceptive practices allow developers to access users’ private data without consent, undermining user privacy and giving rise to both legal and ethical concerns. Data protection legislation around the world—including the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) and consumer protection laws, such as the Federal Trade Commission Act—enforce transparency on the data collection, processing, and sharing practices of mobile applications.
While I’m not sure where the news articles got the figure of 1,300 from, the research does show a large number of apps actively circumventing Android permissions, as well as a fairly significant number of apps capable of doing so if the relevant code were enabled.
The most interesting one for me is the Chinese SDK used in a large number of apps, which uses covert channels to gain information an app is explicitly not allowed to see. The SDK does this by allowing apps which do have permissions to give information to apps which don’t have permissions. While the research shows that this seems to primarily be targeting the IMEI information, it wouldn’t necessarily be limited to that if additional functionality were added.
The other interesting one was the one case of a photos app actively pulling location information out of pictures’ EXIF data and sending that data to third-party servers.
Shutterfly and EXIF Metadata
We observed that the Shutterfly app (com.shutterfly) sends precise geolocation data to its own server (apcmobile.thislife.com) without holding a location permission. Instead, it sent photo metadata from the photo library, which included the phone’s precise location in its exchangeable image file format (EXIF) data. The app actually processed the image file: it parsed the EXIF metadata—including location—into a JSON object with labelled latitude and longitude fields and transmitted it to their server.
While this app may not be intending to circumvent the permission system, this technique can be exploited by a malicious actor to gain access to the user’s location. Whenever a new picture is taken by the user with geolocation enabled, any app with read access to the photo library (i.e., READ_EXTERNAL_STORAGE) can learn the user’s precise location when said picture was taken. Furthermore, it also allows obtaining historical geolocation fixes with timestamps from the user, which could later be used to infer sensitive information about that user.
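To make the side channel concrete, here is an added example (my own code, not the paper's pipeline or Shutterfly's app) of the parsing a photo-auditing tool has to do to tell whether an image file carries a GPS fix: walk the EXIF TIFF structure from IFD0 to the GPS sub-IFD and convert the degrees/minutes/seconds rationals into decimal degrees. It assumes the TIFF blob has already been carved out of the JPEG APP1 segment (after the "Exif\0\0" prefix), and the sample blob and its coordinates are constructed for the test, not taken from any real photo.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD

def _read_ifd(data, off, e):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for the IFD at off."""
    n, = struct.unpack_from(e + "H", data, off)
    entries = {}
    for i in range(n):
        ent = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack_from(e + "HHI", data, ent)
        entries[tag] = (typ, cnt, data[ent + 8:ent + 12])
    return entries

def _rationals(data, e, raw, cnt):
    """RATIONAL values never fit the 4-byte field, so raw holds an offset to them."""
    off, = struct.unpack_from(e + "I", raw)
    v = struct.unpack_from(e + "II" * cnt, data, off)
    return [v[i] / v[i + 1] for i in range(0, 2 * cnt, 2)]

def extract_gps(exif):
    """Return (lat, lon) in decimal degrees, or None when no GPS fix is embedded."""
    e = {b"II": "<", b"MM": ">"}.get(exif[:2])  # byte order from the TIFF header
    if e is None or len(exif) < 8 or struct.unpack_from(e + "H", exif, 2)[0] != 42:
        return None
    ifd0 = _read_ifd(exif, struct.unpack_from(e + "I", exif, 4)[0], e)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _read_ifd(exif, struct.unpack_from(e + "I", ifd0[GPS_IFD_TAG][2])[0], e)
    if not all(t in gps for t in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
        return None
    def dms(tag):  # degrees/minutes/seconds -> decimal degrees
        d, m, s = _rationals(exif, e, gps[tag][2], 3)
        return d + m / 60 + s / 3600
    lat = dms(2) * (-1 if gps[1][2].startswith(b"S") else 1)
    lon = dms(4) * (-1 if gps[3][2].startswith(b"W") else 1)
    return round(lat, 6), round(lon, 6)

def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: minimal little-endian TIFF with IFD0 -> GPS IFD only."""
    gps_off = 8 + 18                       # header + one-entry IFD0
    lat_off = gps_off + 2 + 4 * 12 + 4     # four GPS entries + next-IFD pointer
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, gps_off, 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", 1, 2, 2) + lat_ref.encode().ljust(4, b"\0")
    gps += struct.pack("<HHII", 2, 5, 3, lat_off)
    gps += struct.pack("<HHI", 3, 2, 2) + lon_ref.encode().ljust(4, b"\0")
    gps += struct.pack("<HHII", 4, 5, 3, lat_off + 24) + struct.pack("<I", 0)
    rats = b"".join(struct.pack("<II", v, 1) for v in lat_dms + lon_dms)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rats
```

Calling `extract_gps(build_sample_exif((37, 52, 30), "N", (122, 15, 36), "W"))` yields `(37.875, -122.26)`; a defensive use is to run the check over the photo library and strip or refuse to share any file for which it returns a fix.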