Android apps can track phones

RESEARCHERS say that thousands of apps have found ways to cheat Android’s permissions system, phoning home a device’s unique identifier and enough data to potentially reveal the user’s location as well.
Even if users say “no” to one app when it asks for permission to see those personally identifying bits of data, it might not be enough: a second app with permissions approved can share those bits with the other one or leave them in shared storage where another app — potentially even a malicious one — can read them. The two apps might not seem related, but researchers say that because they’re built using the same software development kits (SDK), they can access that data, and there’s evidence that the SDK owners are receiving it. It is like a kid asking for dessert who is told “no” by one parent and so asks the other parent.
Covert channels and side channels
That’s in addition to a number of side channel vulnerabilities the team found, some of which can send home the unique MAC addresses of the networking chip and router, wireless access point, and more. “It’s pretty well-known now that’s a pretty good surrogate for location data,” said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), when presenting the study at PrivacyCon.
The study also singles out photo app Shutterfly for sending actual GPS coordinates back to its servers without getting permission to track locations — by harvesting that data from photos’ EXIF metadata — though the company denied that it gathers that data without permission in a statement to CNET.
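
A defender-side check for the EXIF point above, as an added example that is not from the study or the original article: this Python code reports whether a JPEG carries a GPS sub-IFD, which is the metadata any app with photo access can read without holding the location permission. The function names and the sample bytes are constructed for illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD

def ifd_entries(tiff, offset, bo):
    """Yield (tag, raw 4-byte value field) for each 12-byte entry of one IFD."""
    if offset + 2 > len(tiff):
        return
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    for i in range(count):
        pos = offset + 2 + 12 * i
        if pos + 12 > len(tiff):
            return  # truncated directory: stop instead of reading past the end
        (tag,) = struct.unpack_from(bo + "H", tiff, pos)
        yield tag, tiff[pos + 8:pos + 12]

def exif_tiff_block(jpeg):
    """Return the TIFF block of the first Exif APP1 segment, or None."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        if jpeg[pos + 1] == 0xDA:  # start of scan: metadata segments are over
            break
        pos += 2 + length
    return None

def gps_tags(jpeg):
    """Return the sorted GPS tag ids stored in a JPEG ([] when there are none)."""
    tiff = exif_tiff_block(jpeg)
    if not tiff or len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return []
    bo = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack_from(bo + "I", tiff, 4)
    for tag, raw in ifd_entries(tiff, ifd0, bo):
        if tag == GPS_IFD_POINTER:
            (gps_offset,) = struct.unpack_from(bo + "I", raw)
            return sorted(t for t, _ in ifd_entries(tiff, gps_offset, bo))
    return []

# Constructed sample, not a real photo: IFD0 holds only the GPS pointer (offset 26);
# the GPS IFD holds GPSLatitudeRef (tag 1) and GPSLongitudeRef (tag 3).
_tiff = (b"II*\x00" + struct.pack("<IHHHII", 8, 1, GPS_IFD_POINTER, 4, 1, 26) + b"\0" * 4
         + struct.pack("<HHHI4s", 2, 1, 2, 2, b"N\0\0\0")
         + struct.pack("<HHI4s", 3, 2, 2, b"E\0\0\0") + b"\0" * 4)
SAMPLE_JPEG = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_tiff) + 8) + b"Exif\x00\x00" + _tiff + b"\xff\xd9"
```

A non-empty result from `gps_tags` means the file should have its location metadata stripped before it is shared or uploaded.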
There are fixes coming for some of these issues in Android Q, according to the researchers, who say they notified Google about the vulnerabilities. (They point to this official Google page.) Yet, that may not help the many current-generation Android phones that won’t get the Android Q update.
The researchers think that Google should do more, possibly rolling out hotfixes within security updates in the meantime because it shouldn’t just be newer phone buyers who get protection. “Google is publicly claiming that privacy should not be a luxury good, but that very well appears to be what’s happening here,” said Egelman.
A recently discovered WhatsApp flaw made it possible for hackers to remotely install spyware on an iOS or Android device, without the phone’s user even knowing. WhatsApp has already patched the flaw, both on its server and through an update for the app.
The flaw and subsequent fix serve as an important reminder to double check that your device is free of any malicious apps.
Google Play Protect scans up to 50 billion apps every day in an attempt to identify and remove any bad apps. When Google first launched Play Protect, the service only scanned apps installed from the Play store. Now, it scans every app installed on your device, regardless of source. It’s a good idea to make sure Google Play Protect is enabled, learn how to scan on demand and double-check app updates before they are installed.
Android is based on a modified version of the Linux kernel and other open source software, and is designed primarily for touchscreen mobile devices such as smartphones and tablets. In addition, Google has developed Android TV for televisions, Android Auto for cars, and Wear OS for wrist watches, each with a specialized user interface. Variants of Android are also used on game consoles, digital cameras, PCs and other electronics.
Initially developed by Android Inc., which Google bought in 2005, Android was unveiled in 2007, with the first commercial Android device launched in September 2008. The current stable version is Android 9 “Pie”, released in August 2018. Google released the first beta of the next release, Android Q, on Pixel phones in March 2019. The core Android source code is known as Android Open Source Project (AOSP), which is primarily licensed under the Apache License.
