Android Apps found Circumventing Android Permission System via Baidu SDK and other Methods

It's been reported that 1,300 Android apps were found circumventing the Android permission system to gain access to information they otherwise were not allowed access to, and in many cases then sending this information to third-party servers.

The research was published on the FTC website and shows a number of discovered methods by which apps were bypassing the permission system implemented in Android.

We studied more than 88,000 apps across each category from the U.S. Google Play Store. We found a number of side and covert channels in active use, responsibly disclosed our findings to Google and the U.S. Federal Trade Commission (FTC), and received a bug bounty for our efforts.
In summary, the contributions of this work include:

  • We designed a pipeline for automatically discovering vulnerabilities in the Android permissions system through a combination of dynamic and static analysis, in effect creating a scalable honeypot environment.
  • We tested our pipeline on more than 88,000 apps and discovered a number of vulnerabilities, which we responsibly disclosed. These apps were downloaded from the U.S. Google Play Store and include popular apps from all categories. We further describe the vulnerabilities in detail, and measure the degree to which they are in active use, and thus pose a threat to users. We discovered covert and side channels used in the wild that compromise both users’ location data and persistent identifiers.
  • We discovered companies getting the MAC addresses of the connected WiFi base stations from the ARP cache. This can be used as a surrogate for location data. We found 5 apps exploiting this vulnerability and 5 with the pertinent code to do so.
  • We discovered Unity obtaining the device MAC address using ioctl system calls. The MAC address can be used to uniquely identify the device. We found 42 apps exploiting this vulnerability and 12,408 apps with the pertinent code to do so. We also discovered that third-party libraries provided by two Chinese companies—Baidu and Salmonads— independently make use of the SD card as a covert channel, so that when an app can read the phone’s IMEI, it stores it for other apps that cannot. We found 159 apps with the potential to exploit this covert channel and empirically found 13 apps doing so.
  • We found one app that used picture metadata as a side channel to access precise location information despite not holding location permissions.

These deceptive practices allow developers to access users’ private data without consent, undermining user privacy and giving rise to both legal and ethical concerns. Data protection legislation around the world—including the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) and consumer protection laws, such as the Federal Trade Commission Act—enforce transparency on the data collection, processing, and sharing practices of mobile applications.

While I’m not sure where the news articles got 1,300 from, the research does show a large number of apps actively circumventing Android permissions, as well as a fairly significant number of apps capable of doing so if the code is essentially turned on.

The main interesting one for me is the Chinese SDK used in a large number of apps which use covert channels to gain information an app is explicitly not allowed to see. The SDK does this by allowing apps which do have permissions to give information to apps which don’t have permissions. While the research shows that this seems to primarily be targeting the IMEI information it wouldn’t necessarily be limited to that if additional functionality was added.

The other interesting one was the one case of a photos app actively pulling location information off pictures’ EXIF data and sending that data to third-party servers.

Shutterfly and EXIF Metadata

We observed that the Shutterfly app (com.shutterfly) sends precise geolocation data to its own server (apcmobile.thislife.com) without holding a location permission. Instead, it sent photo metadata from the photo library, which included the phone’s precise location in its exchangeable image file format (EXIF) data. The app actually processed the image file: it parsed the EXIF metadata—including location—into a JSON object with labelled latitude and longitude fields and transmitted it to their server.
While this app may not be intending to circumvent the permission system, this technique can be exploited by a malicious actor to gain access to the user’s location. Whenever a new picture is taken by the user with geolocation enabled, any app with read access to the photo library (i.e., READ_EXTERNAL_STORAGE) can learn the user’s precise location when said picture was taken. Furthermore, it also allows obtaining historical geolocation fixes with timestamps from the user, which could later be used to infer sensitive information about that user.

4 Likes
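To make the EXIF side channel above concrete, here is an added example (mine, not code from the paper or from Shutterfly) that builds a constructed, minimal little-endian Exif/TIFF blob with a GPS sub-IFD, parses it into the kind of labelled latitude/longitude object the paper describes, and then scrubs the GPS data in place the way a defender (or a well-behaved photo app) would before the file leaves the device. The parser is deliberately limited to the four GPS tags involved and assumes the "II" byte order; it is not a general EXIF library.

```python
import struct
GPS_IFD_TAG = 0x8825  # Exif pointer from IFD0 to the GPS sub-IFD

def build_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed Exif/TIFF blob (not a real photo): IFD0 holds only the GPS pointer."""
    gps_off, rat_off = 26, 80   # 8-byte header + 18-byte IFD0 -> 26; + 54-byte GPS IFD -> 80
    hdr = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_off) + b"\0\0\0\0"
    ref = lambda tag, s: struct.pack("<HHI", tag, 2, 2) + s.encode() + b"\0\0\0"  # ASCII, inline
    rat = lambda tag, off: struct.pack("<HHII", tag, 5, 3, off)                   # 3 RATIONALs
    gps = (struct.pack("<H", 4) + ref(1, lat_ref) + rat(2, rat_off)
           + ref(3, lon_ref) + rat(4, rat_off + 24) + b"\0\0\0\0")
    rats = b"".join(struct.pack("<II", n, d) for n, d in lat_dms + lon_dms)
    return hdr + ifd0 + gps + rats

def read_ifd(blob, off):
    """Map tag -> (type, count, raw 4-byte value/offset field) for the IFD at off."""
    n = struct.unpack_from("<H", blob, off)[0]
    return {t: (ty, c, v) for t, ty, c, v in
            (struct.unpack_from("<HHI4s", blob, off + 2 + 12 * i) for i in range(n))}

def dms_to_decimal(blob, off, ref):
    d, m, s = (n / den for n, den in struct.iter_unpack("<II", blob[off:off + 24]))
    return (-1 if ref in ("S", "W") else 1) * (d + m / 60 + s / 3600)

def extract_gps(blob):
    """What any READ_EXTERNAL_STORAGE holder can do: EXIF GPS -> labelled lat/long (or None)."""
    ifd0 = read_ifd(blob, struct.unpack_from("<I", blob, 4)[0])
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = read_ifd(blob, struct.unpack("<I", ifd0[GPS_IFD_TAG][2])[0])
    if not all(t in gps for t in (1, 2, 3, 4)):
        return None
    lat = dms_to_decimal(blob, struct.unpack("<I", gps[2][2])[0], gps[1][2][:1].decode())
    lon = dms_to_decimal(blob, struct.unpack("<I", gps[4][2])[0], gps[3][2][:1].decode())
    return {"latitude": lat, "longitude": lon}

def strip_gps(blob):
    """Defender-side scrub that keeps every offset valid: zero the DMS rationals, blank the GPS IFD."""
    ifd0 = read_ifd(blob, struct.unpack_from("<I", blob, 4)[0])
    if GPS_IFD_TAG not in ifd0:
        return blob
    out, gps_off = bytearray(blob), struct.unpack("<I", ifd0[GPS_IFD_TAG][2])[0]
    gps = read_ifd(blob, gps_off)
    for tag in (2, 4):                              # GPSLatitude, GPSLongitude
        if tag in gps and gps[tag][0] == 5:         # type 5 = RATIONAL, 8 bytes each
            roff, cnt = struct.unpack("<I", gps[tag][2])[0], gps[tag][1]
            out[roff:roff + 8 * cnt] = bytes(8 * cnt)
    struct.pack_into("<H", out, gps_off, 0)         # GPS IFD now has zero entries
    return bytes(out)
```

The scrub keeps the file the same length and leaves the (now empty) GPS IFD pointer in place, so no other offset in the TIFF structure moves.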

I’m about 2 layers of tin foil away from just going back to a razr and 5th gen ipod video.

Would be interesting to see what results would come from a similar study on Apple. I’m still on a Nexus 6P and iPhones are starting to appeal to me.

2 Likes

The interesting thing for me is what Google will do about it.

Apparently Google has said Android Q will address these issues. It will be interesting to see if they address all issues or just some.

Baidu does have an iOS SDK but I’m not familiar enough with iOS to say if similar attacks to those described could also be applied to iOS via the same methods.

iOS has just upgraded its privacy coverage to alert users of things like Bluetooth use from apps which expose location data via Bluetooth location.

While I wouldn’t necessarily say to look at this as an example of why Android is bad at privacy, Android by its nature just doesn’t have privacy as a primary focus in all areas. But that doesn’t mean they won’t fix these issues when they are identified.

1 Like

I think realistically, both are bad at privacy. The average person doesn’t even understand the current permission system on Android or what information gets collected. It’s hard to do things ‘right’ though. I’m interested to know how Apple tackles this stuff given they are touted more often than not as being the noob-friendly option.

Those libre phone freetards might be onto something here.

They’ve been trying to address permission security issues since 6 or 7 (I think?) and it’s only made things more of a PITA. More hoops for people to root, more complexity the average user doesn’t understand. It’s rough and I don’t see an easy solution.

1 Like

Am I the only one on this forum that remembers Debian mobile edition? It was great. I had it installed on a Motorola razr. I think the most complicated thing it ran was AbiWord or something, but it was still really cool. IceWM or maybe JWM… It was neat. Doesn’t exist anymore though and is hard to find on the site now ;-;

Y’all missed out. Now we got this mess.

1 Like

So just don’t install apps.

Better idea: use a hypervisor to run Ubuntu and run desktop apps.

The issue described (apps using edge cases to bypass permissions) is in theory an issue all OSes will always suffer from, not necessarily because they’re not focused on privacy but because bugs exist.

On the privacy side itself as a whole, Android’s issue is Google’s primary product, which is your data. There’s no getting around that problem by the very nature of Google itself. Google and Apple have two similar mobile products but their core product is different.

You could see it in Google’s chat attempt with Allo. It was partially marketed as privacy-respecting “incognito chat” and all that; however, it was privacy focused only in so much as all your messages were sent to Google for analysis for their chat bot. In comparison, with iMessage, messages can be stored on iCloud but that can be turned off, with messages never being stored anywhere but your device, and FaceTime doesn’t even have the option to store calls in the first place.

The approaches that Apple and Google take for similar systems are slightly different, and I’d argue that Apple’s approach strikes a better balance between keeping your data on device and sending data to their systems than Google’s approach of simply sending almost all data to Google.

To not go completely off track though, Apple will have issues like this in the future as well without much doubt. But it does show an interesting consideration: you might be happy with your OS, but what you install on it can sometimes have a bigger impact than it appears.

For how they track these issues specifically, I’m not sure. But for their privacy-focused permission options in general, the new Bluetooth improvements I think are actually reasonably decent.

I mentioned it slightly in the iOS beta thread “iOS 13 and iPadOS beta. Is anyone running it?”

You get something like this which seems to me at least to have got the right balance of information to make an informed decision.

1 Like

Interesting. I see no option to deny completely though.

1 Like

App permissions in settings has this option for apps using location based services.

‘App location transparency’ in iOS 13 will notify you of location usage so you can change these if you want as well.

1 Like

Wish we could block internet access for all/most apps without root access. I believe older versions of Android let you do that, but of course since Google is also interested in data-mining the crap out of our data, there is no easy out-of-the-box way to block that. It just needs to be exposed in the UI; the internet permission is already implemented.