There's been a lot of research in the Android security space. The most notable examples are Jon Oberheide's fake Twilight app, Georgia Weidman's SMS bot, and the numerous clever root exploits. Recently in the mainstream media, there's been buzz about apps (allegedly) misusing permissions; some of these apps include Facebook, Skype, Path, and just about every advertisement library.
One question that was posed internally was: what data can an app access when it has no permissions? I thought this was an interesting question, so I decided to make a proof-of-concept app to explore this idea. Some previous work had been demonstrated by Thomas Cannon of viaForensics. I wanted to develop that work further through a discussion backed by source code.
The following three actions can be completed by pressing the corresponding button in the app:
The first privileged access area is the SD Card. Every application has at least read-only access to the contents of this external storage. ''No Permissions'' scans the /sdcard directory and returns a list of all non-hidden files. While it's possible to fetch the contents of all those files, I’ll leave it to someone else to decide what files should be grabbed and which are going to be boring. It's worth noting that even though the Android developer docs state that there's no security enforced upon files stored on external storage, many things are stored on the SD Card, including photos, backups, and any external configuration files -- on my own device, I found that OpenVPN certificates were stored on the SD card (which I promptly corrected!)
Secondly, I can fetch the /data/system/packages.list file to determine what apps are currently installed on the device. From there, I can scan each directory used by those applications to determine whether sensitive data can be read from those directories. In the ‘’No Permissions’’ app, this functionality returns a list of installed apps and a list of any readable files. When testing this on the Android emulator, I am only able to read the app's own directory, but when testing on a real device, I am able to read some files belonging to other apps. This feature could be used to find apps with weak-permission vulnerabilities, such as those that were reported in Skype last year.
The third action I was able to take was to grab identifiable information about the device itself. Without the PHONE_STATE permission, it's not possible to read the IMEI or IMSI, however the GSM & SIM vendor IDs can still be read. The /proc/version pseudofile, which reveals the kernel version and possibly the name of the custom ROM installed, can also be read. In addition to those identifying values, the app reads the Android ID, which is a 64-bit number randomly generated when a device is first booted and remains constant thereafter. More information about the Android ID is available in the Android Developer Docs.
Though this app uses buttons to activate the three different actions detailed above, it's trivial for any installed app to execute these actions without any user interaction.
What can be done with the data once it’s collected? Without the INTERNET permission, how can it be sent anywhere? While it's true that most network access is restricted, there is one network call that can be made without any permissions: the URI ACTION_VIEW Intent opens a browser. By passing data via GET parameters in a URI, the browser will exfiltrate any collected data. In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls.