12 Apr 2012
Paul Brodeur, a Leviathan Security Group researcher, has developed a “No Permissions” app for Google’s Android mobile OS demonstrating that sensitive personal information from your device can still be accessed.
This proof-of-concept app was able to scan the SD card for a list of all non-hidden files and also locate the OpenVPN certificates that had been stored there.
“It's worth noting that even though the Android developer docs state that there's no security enforced upon files stored on external storage, many things are stored on the SD Card, including photos, backups, and any external configuration files -- on my own device, I found that OpenVPN certificates were stored on the SD card (which I promptly corrected!),” said Paul Brodeur.
“No Permissions” also scanned for all apps and readable files on the device, effectively producing a list of the applications that have weak-permission vulnerabilities that could be exploited.
The third test involved grabbing advanced information about the device, and although the IMEI (International Mobile Equipment Identity) and IMSI (International Mobile Subscriber Identity) were safe, “No Permissions” still managed to get the GSM & SIM vendor ID from the handset.
Additional information about the ROM and kernel version was also revealed, and the randomly generated 64-bit Android ID (unique to every device) was exposed as well.
Arguing that all of this data can easily be transmitted via browser using GET parameters in a URI, Paul Brodeur has proven that even apps with no permissions can still access sensitive and personal information from your Android-running handset.
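A defender-side audit for the first two exposures described above, as an added example that is not part of the original article or of Brodeur's app: it walks a copy of device storage and reports key material on shared storage and world-readable files in app data directories. The marker and extension lists, the function names, and the sample tree (including the package name `com.example.app`) are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Marker and extension lists are assumptions chosen for this example.
KEY_MARKERS = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----|<key>")
CRED_EXTENSIONS = {".ovpn", ".p12", ".pfx", ".key"}

def audit_tree(root, shared_storage=False):
    """Return sorted (relative_path, reason) findings under root.
    shared_storage=True models the SD card: every file is readable by every app."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode) or not (shared_storage or mode & stat.S_IROTH):
                continue  # not a regular file, or private to its owner
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            if KEY_MARKERS.search(head):
                findings.append((rel, "private key material"))
            elif os.path.splitext(name)[1].lower() in CRED_EXTENSIONS:
                findings.append((rel, "credential file type"))
            elif not shared_storage:
                findings.append((rel, "world-readable app file"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed tree: an 'sdcard' and one app data directory."""
    sample = {
        "sdcard/openvpn/client.ovpn": (b"client\n<key>\nAAAA\n</key>\n", 0o644),
        "sdcard/DCIM/photo.jpg": (b"\xff\xd8\xff\xe0", 0o644),
        "data/com.example.app/prefs.xml": (b"<map/>", 0o644),
        "data/com.example.app/db.sqlite": (b"SQLite", 0o600),
    }
    for rel, (body, mode) in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_tree(os.path.join(tmp, "sdcard"), shared_storage=True))
        print(audit_tree(os.path.join(tmp, "data")))
```

On the sample tree the SD card audit reports only the OpenVPN profile, and the app-data audit reports only the world-readable preferences file; the owner-only database is not flagged.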