| || |
Not like many care.. but is this a huge security hole?
I'm here today hoping to acquire useful information and knowledge from you good folks. I think I may have been misled by a misconception of mine, and I need to get to the bottom of it.
I'm very security conscious. That is, I am as secure as can be to the best of my knowledge. I have 2-step verification turned on on about 8 different services, and I vigorously go through android app permission details, for example. I take security seriously and try my best to stay safe. Some don't care and some do, whatever. Personal choice.
One (misconception?) I've had about permissions is that unless an app has an internet permission, specifically, "Full Internet Access", it cannot send (upload) data to the internet. So for example, when I installed the app "Dash Notifier" (I'm not saying this app is malicious, merely discussing it as an example of a possible situation) which is a Dash Clock Widget extension, I didn't mind giving it access to my notifications at the OS level. It was a slight red flag, as it always should be, but then again this was needed for the app to perform its function. Fair enough. It only had "prevent phone from sleeping" as a permission anyway, so it CAN'T upload data to the internet, or a server, right? Right??
Well, I'm not so sure anymore. My friend factory reset their android device, and I recommended they install the Dash Notifier extension. After all, this friend already had the Dash Clock Widget. So they did install it, and upon setup it asked for this Notifications access, which pretty much sells the app your soul. Again, a red flag arises naturally, but I said I must not have allowed this app on my device if it was a security risk.
So I do my double check and check the permissions.. Just "prevent phone from sleeping." So I said okay, can't do anything with the information I approved for it anyway. But is that really the case, I asked? So I found another app I had installed which required "Full Internet Access". I clicked on it for a description and it said "Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
I've read this a bunch of times and always found it vague (aren't they all?). But this time I really got to thinking "Can apps really send out data without internet permissions at all? Without ANY permissions for that matter?" (Granted that they have access to this information through other permissions.)
So I did some quick research and at the end of it, I found a blog post by Trend Micro at this link here: Bypassing Android Permissions: What You Need to Know
So far I haven't found any sources which support a counter argument to this blog, which is why I'm here personally asking you folks for some genuine knowledge on the matter, for myself and anyone else interested.
This means any app mustn't request any permissions at all, yet can send data to a server ready to accept this data through a request to send data through the browser.
Misusing the Default Browser to Upload Information
In Android, an app can launch another apps component using an intent, an abstract data structure that describes the operation to be executed. Each intent consists of action (the action to be performed) and data required to execute the action. When an app sends out an intent, the mobile OS chooses the appropriate app to handle it.
An intent with action*Intent.ACTION_VIEW, for example, paired with data*Uri.parse(http://www.google.com)indicates
that the app wants to view the*Googlewebpage. If this intent is sent out, the mobile OS determines the best choice to launch the browser.
With this in mind, a shady developer can develop an app with an intent to open a browser and upload any stolen data to the desired server. Should a malicious app want to upload the*Device ID*to serverhttp://example.com, the developer can craft the intent this way:
Since the browser opens the URL, the malicious app does not need to declare*android.permission.INTERNETbecause this was already acquired by the browser app.
This pretty much is my worst fear in terms of security. I understand apps need internet permissions to receive data and to display ads and whatnot. But if what I'm stumbling upon here is true it means that every single app on my phone, on your phone, on the Play Store, can send out any of our information to a server. This can't possible be? This seems like a huge security hole to me. How can we possibly protect ourselves from any risk? The back door feels wide open.
And apps need these permissions. For example who doesn't use apps like Whatsapp or Viber, who has access to contacts and lots of other personal information, which puts not only you at risk but others too! If you don't have these apps that's okay, take your pick, you're using SOMETHING that requests personal information. There's always something. At the end of the day we need our phones to work for us but we need them to do it safely.
So who knows anything about this? Anything legitament? No more guesses, just facts.
Thanks for reading, I know it was a long one.
Posted via Android Central App