Android Apps Violate Permissions - But Who Cares, Right?

Tuesday, December 06, 2011

Ed Moyle

Fe3139b2aae983885565da7757da08a8

 

So there's a really interesting paper out about detecting "capability leaks" in Android smartphones courtesy of the folks over at North Carolina State.  

It's called (unsurprisingly enough) "Systematic Detection of Capability Leaks in Stock Android Smartphones" and it's a great read.

image

So these guys built a tool (called "woodpecker") that snakes around inside popular Android phone platforms looking for places where the phone is configured so as to violate the Android permission enforcement model.  

Go read it... you'd be surprised what they've found.

Now, I'm not going to steal their thunder and I highly recommend you go read the original source material, but to whet your appetite, take a look at this table from their report summarizing what they found:

(click image to enlarge)

image

Pretty wild, right?  Apparently most of the platforms out there have situations that do violate the permission model, thereby allowing apps to do stuff that maybe the user doesn't want.

Of course, I've made the point a few times that users tend not to care about permissions anyway.  I mean, the case of a Sudoku app that wants "full internet access" I can sort of get... maybe they want to show me ads or whatever.  

Or maybe I can forgive the fact that Skype wants to be able to "MANAGE THE ACCOUNTS LIST", "USE THE AUTHENTICATION CREDENTIALS OF AN ACCOUNT", "DISABLE KEYLOCK", and "DISCOVER KNOWN ACCOUNTS".  

Maybe... just maybe (because they're Skype), I'll (reluctantly) agree to let them "MODIFY GLOBAL SYSTEM SETTINGS" and "RETRIEVE RUNNING APPLICATIONS"... much though I'd rather they didn't.

But seriously... doesn't it scare anybody else that "Funny Jokes for Kids" needs "FINE (GPS) LOCATION", "FULL INTERNET ACCESS", and "READ PHONE STATE AND IDENTITY" (i.e., "An application with this permission can determine the phone number and serial number of this phone...")?  

Um, really?  So,  here's an app, with an install base of "100,000 - 500,000" (from the overview page on the market) that's targeted to "children 8 and under" that can:

  • Uniquely identify you (or your child),
  • Determine fine-grained geographical location, and
  • Communicate those details to whomever it wants

Nope... that's not scary at all.  Perfectly reasonable, right?  Bah. I blame the user community... and I include myself quite squarely in this category.  

For example, I routinely install apps with only a cursory glance at the permissions; the times that I happen to glance at what the app wants to run (that are, quite frankly, "crazysauce" in many cases), I usually install them anyway betting on the fact that it's probably innocuous.  

And I actually care about this stuff.  But "Joe Average" user?  Not likely to even read it... or care about it if they do.

Until users start to actually care about permissions, I'm not sure the enforcement model - and how well it does or doesn't work - is going to matter much.  But it would be nice to know it worked when/if they do.

Image source: oakcreekprintworks.com

Cross-posted from: Security Curve Weblog 

Possibly Related Articles:
9357
Webappsec->General
Information Security
Authentication Application Security Smart Phone Android Information Security Mobile Security Permissions
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.