Smartphones

Android's permission system: Does it really work?

Under certain conditions, Android allows applications to sidestep permissions. The bad guys probably know which ones. Do you?

I was troubled by some comments to a recent article of mine. It was about Android and how a certain security app was able to manipulate it. I double, even triple-check questionable sources. The thought of possibly providing inaccurate information scared every known demon out of me.

I only double-checked this source, so best get a third opinion. Since the information dealt with an Android app, I enlisted--once again--the help of fellow TechRepublic writer and experienced app developer, William J. Francis.

The "issue"

I called William and asked if I goofed by stating an app can remotely turn on various features of an Android-based smartphone without having permission. The conversation that ensued ended with more questions than answers. Not a good sign.

We determined to do more checking and get back together. We did, the next day, sharing what we learned about the issue. Now, we'd like to pass that information to you. William is the obvious expert, so I decided to do what I do best--ask questions.

Kassner: If Android is designed to prevent applications from taking this kind of liberty with device hardware, how are app developers getting around this?

Francis: The software must be exploiting a security hole in the operating system. For example, the vulnerability built into the Power Control widget. After doing research, I managed to replicate the behavior. As further proof, I developed an app to check phones for this vulnerability. Here's how the exploit works.

When a user buys a smart phone, it comes with an operating system and a set of core applications installed. These "read-only" applications from the manufacturer are considered "safe". Therefore, restrictions given to programs installed by the user do not apply to the core OS and "read-only" apps. In fact, core software components have elevated privileges, as they should--for the phone to function properly.

The problem arises when a core component exposes an interface that can be called by other software. Developers that are aware of this write programs leveraging the exposed interface of the pre-installed application to turn on a feature they want to use, but do not have permission to.

Kassner: So, there are controls in place. But they're being sidestepped, right?

Francis: I can’t say with certainty how any specific app in the market place operates under the hood, but I was able to exploit one of these security holes in my testing and I think it’s reasonable to assume other developers are taking advantage of this sort of approach.

Interestingly, this sort of thing is not specific to Android. We see this same shortcoming on other smart phones and desktop operating systems. What is specific to Android, and makes this issue particularly nasty, is the time frame required to get fixes to the vulnerable devices.

When Windows 7 has an issue, Microsoft writes a patch and pushes it directly to their customers. When a security flaw in Android is discovered, Google or someone in the open-source community submits a fix, the patch is reviewed, and a new release is finally made.

However, that release does not get pushed from Google to the user's device. Instead, the release gets sent to the handset manufacturers, and finally to the phone carriers. If no party vetoes the patch along the way, the fix finally gets to the customers.

This process can take months. And, it's possible the revisions never become available for a particular phone, as both the handset manufacturer and the carrier have little incentive for doing so.

Kassner: What danger does this exploit present to a user?

Francis: This particular exploit has a whole range of potentially-damaging fallout. My testing shows that besides GPS, an application, if so constructed, could control Wi-Fi, Bluetooth, and the phone's LCD backlight.

In an obvious attack scenario, a rogue application could drain the phone's battery in a few hours. In a calculated attack, a malicious app could track a user's whereabouts, possibly for days or weeks--without the user's knowledge or consent.

It's also worth pointing out that a resourceful developer could use this exploit for the user's benefit. And, many app developers are doing so. Whether they are using the same exploit I am or a different technique, they are using their knowledge in a responsible and benevolent manner that adds value to the user experience.

Unfortunately, as a smartphone owner myself, I think it's too risky to rely on the good intentions of every programmer.

Kassner: Are all phones susceptible to this take-over?

Francis: They are not. And, it's tough to say how many phones are at risk. The reason is two-fold. First, not all versions of the Android operating system include the component which exposes this particular security hole.

Second, handset manufacturers as well as carriers often exercise their right to customize Android before releasing a phone. This customization often includes removal of "read only" applications in order to replace them with manufacturer/carrier specific versions.

It's hard to put a firm number on the amount of susceptible phones. If pressed, I'd speculate there are more vulnerable phones than not, based on information from Google. If you want to be sure about your device, I recommend installing the free application I created and checking for yourself.

R U @ RISK?

William's app is called "R U @ RISK?" and is available on Android Market for direct installation. Or you can get it here from TechRepublic and side-load it using an app like Easy Installer.

I had to know. So I installed R U @ RISK?, paying close attention to the permissions. As you can see, no permissions were asked for.

Once R U @ RISK? loaded, I scanned the app for malware. I wanted to make sure William wasn't messing with me. Next, I nervously opened R U @ RISK and hit the "Check Now" button. Thankfully, my phone appeared to be safe.

The next phone I tested was not.

For us "prove it to me" types, William added the ability to "See for yourself!" I punched the "Turn on GPS" button and a cute antenna appeared. Hmm. Is it really turned on, though?

Sure enough. The pull-down clearly showed that GPS was enabled.

Still not satisfied--I'm a tough sell. Besides, the Power Control widget contains the security flaw. So I started GPS Test, a nifty app that produces all sorts of information. The GPS was indeed active.

What does this mean?

There are two findings we need to consider:

  • Valid apps with appropriate permission are able to turn on features such as GPS without asking the user.
  • Applications so constructed can turn on features without permission and do not require user intervention.

Matters are even more complicated. R U @ RISK? leverages the Power Control widget flaw. So William only tests that. He wanted me to stress it is possible that certain phones could pass his test, but still be vulnerable. Why? A developer may have found another weak link into Android. Or the version of Android on that particular phone works differently.
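
The weak link William describes is a privileged, pre-installed component that exposes an interface other apps can call. As an added illustration (not William's app and not code from this article), the Python sketch below audits a text-form AndroidManifest.xml for components that other apps can reach without a permission guard, or with a guard weaker than signature level. The package, component, action and permission names are constructed, and the default-export rule used here applies to manifests that predate the mandatory android:exported attribute.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "receiver", "service")

# Constructed sample: a hypothetical pre-installed settings package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.settings">
  <permission android:name="com.example.vendor.settings.TOGGLE"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.vendor.settings.READ_STATE"
              android:protectionLevel="normal"/>
  <application>
    <receiver android:name=".WidgetToggleReceiver">
      <intent-filter>
        <action android:name="com.example.vendor.settings.TOGGLE_FEATURE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".GuardedToggleReceiver" android:exported="true"
              android:permission="com.example.vendor.settings.TOGGLE"/>
    <service android:name=".StateService" android:exported="true"
             android:permission="com.example.vendor.settings.READ_STATE"/>
    <service android:name=".InternalService"/>
    <activity android:name=".HiddenActivity" android:exported="false">
      <intent-filter><action android:name="com.example.HIDDEN"/></intent-filter>
    </activity>
  </application>
</manifest>"""


def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies
    exported (the default before the attribute became mandatory)."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (component, finding) pairs for externally callable components."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    # Protection level of each permission this package declares itself.
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.findall("permission")}
    findings = []
    for app in root.findall("application"):
        app_guard = app.get(ANDROID + "permission")  # default guard for all components
        for comp in app:
            if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
                continue
            name = comp.get(ANDROID + "name", "?")
            if name.startswith("."):
                name = package + name
            guard = comp.get(ANDROID + "permission") or app_guard
            if guard is None:
                findings.append((name, "exported with no permission guard"))
            elif guard in levels and "signature" not in levels[guard].lower():
                findings.append((name, "guard %s is only '%s' level" % (guard, levels[guard])))
    return findings


if __name__ == "__main__":
    for name, finding in audit_manifest(SAMPLE_MANIFEST):
        print(name, "->", finding)
```

A finding here only means the component is reachable; whether it does anything privileged on behalf of the caller still has to be checked by reading the component itself.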

Final thoughts

I profess to be paranoid, almost to a fault. Remember, I didn't trust William. Yet, I was hoping I didn't have to worry about whether my phone is listening to or locating me without my knowledge.

Is it time to put hard switches back into phones?

Update: My son and most ardent critic said I messed up. It would have been more impressive if the GPS receiver activated upon opening R U @ RISK?. That sounded interesting and William said it is entirely possible. But, we decided not to. The reason: If the app was mistakenly left active, the phone's battery would drain in short order. Not something we want responsibility for.


125 comments
ron.park.nl

After downloading this app in September 2013 and wanting to install it, the app _does_ ask for some permissions for the 'Security utility':

Privacy

- read telephone status and ID

- change or remove content of USB-storage

Device access

- test access to secured data storage

(messages translated from Dutch Android 4.2.2 install on Samsung Galaxy Tab3)

As this clearly conflicts with the statement above, ("As you can see, no permissions were asked for."), what could this mean? 

- Different interpretation of installation by Android 4.2.2?

- is it still safe to use this app?

- are the results still valid ?

- have more recent apps been available, checking new threats to newer releases of Android?

- could you share your latest insights on this very important subject with us?


I think many of us would appreciate recent developments in this field! 

Thanks

Ron

ohhoes

It should not present permissions to users in an "all-or-nothing" manner. I can accept a video player accessing my external storage, but it's pointless that it needs to send SMS. To fix it, Google should present the list with a checkbox next to each permission, such that the user can permit whatever makes sense and deny the nonsense ones.

jayshadee

I just ran the test on mine, it indicated I'm not at risk. I'm running Android 2.3.4.

dkathrens77

I downloaded the app and tried it. I am "at risk"? Yeah, it was able to turn on my GPS. I just got done replacing this Comet because my first one was eating batteries like crazy, and I kept noticing that my GPS, among other battery eating things (like browser, Google Search, speech input, etc.), was repeatedly being turned on by SOMETHING. That was a rooted phone, I haven't rooted the new one yet. It's ALWAYS bothered me how these free apps all seem to REQUIRE "full internet access". Presumably only so they can ply me with advertisements. Am I going to have to just unload all these freebie apps? Or become some uber-Geek and reverse engineer them?

chris

Coming to this party late, but I just started using my Droid Bionic, OS 2.3.4. R U @ Risk showed it does not pass the security test. Like another poster mentioned earlier in this blog, no GPS appeared at the top where it usually does, but my GPS Toggle widget was turned ON. I view Permissions for every app I consider in the Android Market, and am increasingly suspicious of the number of apps that seek permissions they do not appear to need to provide their service. For example, why would a wallpaper app need permissions for Read & Write Contact Data, Phone State & Identity, and Prevent Device from Sleeping? I found no help in Android Market to ease my mind, nor any comments on the vetting process for apps released on the market. I think we need to hear a lot more squeaky wheels before Google will put the security grease gun to work. Thanks again for all the help you provide in your articles.

debdebtig

The Charge is at risk *but* when I selected the 'Show Me' link it prompted me to ask if I wanted to turn on the GPS, I said no and it didn't turn on. So, I guess I'm only partly at risk?

crz6662

Rooted, running 2.2.1-FAIL.....

Dark Force

Android: 2.3.4 Kernel: 2.6.32.9-00032-... Build: 4.5.1A-1_SUN-154.5 System: 45.2.5... Checked and it failed. Checked for system updates; one was available from Motorola that brought it up to the version listed above; it looks like it updated the Kernel, Build, & System versions. It stayed Android v2.3.4. After the update, it failed again.

Free Webapps

I think I understand the general idea but could you clarify something for me. This was just to prove that an app doesn't have to list all actual permissions in the list, correct? I ran it on my Dell Streak (5in) purchased unlocked from Dell Direct running Froyo 2.2. I did root the device also. I ran the ru@risk? app and I'm at risk. (0_0) I figured this much seeing as I do have quite a few apps installed on my device not available in the market place. So I started testing those apps to see if any of those enable the GPS. I verify status via GPS power widget and GPS test listed in the article. Background: every app installed that allows me access to disable the tracking/location feature, I disable tracking/location. I even have it off within the Android settings. Of course I do enable the GPS via the power widget when using Google Maps and Nav. Well, none of the "unknown source" apps enable the GPS, nor did any of the apps installed from the market place including G-Maps and Facebook. So my question(s) are: Why is my device at risk? Is it because it's rooted? Is it because it's susceptible to malware although the several anti-... apps (McAfee, Norton, Kaspersky, AVG, Lookout) say it's all clear? Does having my device set up the way I have it really prevent misleading apps from enabling it? Have I been just dodging several hundred bullets and getting very lucky? Or is it a security flaw within Froyo 2.2 and I should update to the latest available version Dell pushed? Thanks again and great job.

d_g_l_s

Michael, as usual you are right on target and have pushed the right button. I have tested my Nexus S and found it was secure to my own relief. Keep up the good work.

wdewey@cityofsalem.net

There have been a couple posts about AV not noticing the GPS being turned on. In my experience AV is designed to find and stop malicious software. It does not look for security vulnerabilities and I am not sure that an AV should look for exposed APIs anyway. If an application decides to expose a valid hook then in my opinion the AV should assume that was intentional and not flag it. This means that when it is used an alert should not trigger. I am not saying that this is not a security vulnerability, but rather that AV should not assume that any exposed API is a vulnerability.

Bill

roaldly

R U @ Risk says: Vulnerable. SW build: 2.1.1.A.0.6, kernel: 2.6.29. Pressed the "Turn on GPS" button: No GPS icon on top of the screen, but "GPS test" and "Settings" show GPS on.

-R

JakeRader

The test gave a false positive. According to the GPS Test program the GPS was not active. I verified this by attempting to check my position in Google Maps.

kdpawson

Pops up with a prompt saying "Data transmission charges may apply..." and I have to agree or disagree. If I disagree the GPS stays off, not the best but at least if I see this I can say hello what's going on here. What else can we do to protect Android devices?

sgriffithsnz

Sadly, this device failed also. It's running Froyo though, as the Gingerbread update hasn't come to us yet for this device, although by the look of some of the responses this may not matter. From memory, LG took a more "hands off" approach to customizations of this handset which may account for the failure. As I've installed the updates feature on my laptop and can update the phone whenever LG releases updates, perhaps they need some leaning on them to send an update out which fixes (at the very least) that security flaw? Do other manufacturers ship update software for their handsets that could be used in this fashion? Is the biggest part of this problem the fact that telcos/manufacturers have no responsibilities to their customer base to address things like this?

bimhau

Motorola ATRIX, Android 2.3.4 kernel 2.6.32.9-blah-blah. Vulnerable, and GPS turned on...(sigh).

hyoi

Thank you for the research, article, and app Michael. I had started to mostly ignore TR since most of the articles were poorly written, more about consumer tech than IT, or were significantly biased. This was a refreshing change. I'll be starting to see if there is more useful information here again.

SarcasmDoesn'tReadWell

I think for most of us, who are not secret agents or being chased by someone, this is not really a big deal. What would be the real extent of someone knowing where I am? Hell, people opt into that with Facebook all the time. Call me when you have discovered they can access my CC information from checkout or something.

EJK

So Lookout can scan an app and not realize it has this hole -- I wonder how many other things get missed by security apps.

Michael Kassner

As for the pre-installed apps, I am not sure. I can't remove them from my phone, unless I root it. As for the free apps, I avoid them for the reason you mention.

authorwjf

It's frustrating how great (and not inexpensive) phones like the Bionic are still coming to market with these kinds of known flaws--especially after Google has finally come forward with a fix. It hints at a deeper problem with the Android ecosystem than a single security hole that slipped under the radar.

Michael Kassner

It seems that is a good way for it to work. I have a Samsung Infuse and I wish it did that, but it doesn't.

Michael Kassner

Your comments are informative and helpful. Appreciate you taking the time to respond.

authorwjf

Your device is marked at risk because it has an entry point in the OS which allows other apps, should they choose to, to exploit your GPS, WIFI, BT, and LCD. This doesn't mean you have apps installed that are doing this, just that your Dell Streak as it is currently configured is susceptible to this kind of attack. If there is a newer OS available than 2.2 for your device I suggest updating. Google has a fix for this vulnerability in some later versions of Android.

seanferd

It's a flaw. I'm not sure what you expect an AV to tell you about this. If AVs worked like that, no operating system would have holes, because the developers would know where they all are by running an AV.

Michael Kassner

Your comment is appreciated. I like your analogy as well. William and I are working on a nifty new article. Stay tuned.

Michael Kassner

Our app pretty much shows that applications can be bad and not trip AV software. You bring up a good point. It suggests that a different thought process may be in order.

authorwjf

Obviously we couldn't get our hands on every phone model when writing the app--but this is the first report of a false positive we've received and according to the market console we've had about 700 installs just today. I will have to see if I can't get my hands on an Aria! Nice to know that not every HTC phone is at risk. Thanks for the heads up, Jake. We appreciate the feedback.

Michael Kassner

Just to make sure, Google Maps located you? I think this is the first mention of a false positive. Thanks for bringing it to our attention.

Michael Kassner

That is a first for me. GPS really has no bearing on data transmission, as far as I know. Thanks for sharing what you found.

JCitizen

responsibilities or not, we consumers need to keep the pressure on them.

Michael Kassner

We are finding that the Android version that supposedly fixed this (2.3.X) is not fixing it.

Michael Kassner

You have one of the newest versions. So, I appreciate your input.

Michael Kassner

Your comment is appreciated. William and I have lots of things we are looking into. Hope you do stick around.

seanferd

Do you want some random person to be able to know where your child is at all times, for example? I'm also surprised that people don't seem to understand that this is a generic security problem with permissions, not limited to turning on GPS, and not limited to what is tested for in the application, and not limited to what is discussed in the article. Fine, if you don't care, but it is like some of you are being willfully ignorant.

authorwjf

While I agree with what you are saying, keep in mind this demonstration is meant to be a proof-of-concept. An app in the wild was recently reported by security firm Sophos to use a similar permission by-pass. In that case, the permission bypassed was not the GPS but the INSTALL_PACKAGES permission. The package the rogue app installs without the user's permission is a root take-over of your phone. I like Android. I jumped on-board with the original G1 and continue to be a devoted fan. But as the OS continues to mature and gain significant market share I'd like to see it cleaned up. If articles like Michael's help bring this about I am grateful.

Michael Kassner

William and I are working on that. It seems there is a huge void in that regard.

JCitizen

that rooted phones cannot be expected to provide much in security afterward. But then - I know little about the chip architecture or security of mobile devices; so I digress.

Free Webapps

To the latest Froyo then. I stated the AV stuff to verify the apps I had installed were clean thinking if I did have a malware app it was or would give an at risk also. So pretty much if it's a flaw with Dell's Froyo 2.2, then the only potential fix would be to update, correct? Thanks seanferd.

AnsuGisalas

What's it called, theurgy... no ... heresy... no...Ah, heuristics is the word I am looking for. Not AV, AntiMalware... So, does MBAM have mobile versions yet? Would be needed.

kdpawson

I'm in Australia and maybe it's different here, but I see an increase in data usage if my GPS is on and I'm using say Google Maps to navigate somewhere, unless that's just Google Maps. In any case whenever I turn my GPS on that warning always appears, which I now really like... I'm sure most other users don't like it here and they probably just leave the GPS on all the time ;-)

sgriffithsnz

F-Secure also doesn't pick anything up (installed on my LG Optimus 2x). The question is - what are the "security apps" scanning for? A hole doesn't constitute malware, so I guess it would be excluded. And unless it hooked into the OS (possibly also creating a weak point?), it wouldn't know/care if an app wanted to make a call to an app with elevated privilege. Is it an issue then, that the original apps in question were given these elevated privileges, which should be engineered out? Just some thoughts on the fly :)

JCitizen

that is just too much to expect from a compact AV utility on a smartphone. Maybe when the dual core chips come out, I'll have a different opinion - but once again - I prefer stand-alone apps.

JCitizen

I've seen too many of them try to become a catch all or "Suite" only to end up so bloated they no longer work. I think we ought to encourage the developers of RU@RISK to become the next Secunia PSI!! :) I prefer standalone products - this has been a winner for me for a long time.

wdewey@cityofsalem.net

I think that it would be possible to develop malware that only uses the permissions that it asked for. While that may be one thing to look for it may not be granular enough.

Bill

AnsuGisalas

I reckon they're right about to start doing that...

Michael Kassner

Right now R U @ RISK? appears to be acting correctly to security apps. Possibly, security apps are not looking at the relation between permissions asked and permissions used.

AnsuGisalas

It took me 10 minutes to get that damn word off the tip of my tongue. It was extraordinary, several times I knew I'd gotten it, only to feel it slip the hook and escape back into the murk. Hence the record of the struggle.

JCitizen

"greyware". This is something Trend Micro used to do years ago, and was very useful to our organization. (maybe not so now)

Michael Kassner

I think our app is assumed to be a legal call on the Power Control feature with most phones. William can expand on it.