Android permissions glitch allows eavesdropping, data theft

Researchers have found multiple holes in Android phones’ permissions-based security that would allow a hacker to snatch data, monitor geolocation, send SMS messages, and even eavesdrop on conversations.

A group of security researchers from North Carolina State University found the glitches in eight handsets from HTC, Motorola, Samsung and Google.

The researchers found “explicit capability leaks” that would allow hackers to bypass key security defenses of Android that require users to grant permission to apps before those apps gain access to personal information and functions such as texting.

The glitchy code lies within interfaces and services added by the phone manufacturers to beef up stock firmware from Google.

The researchers were “surprised to find” the phones lying down on the permissions front in the war against intrusion, they said in a paper due to be presented next year at the Network and Distributed System Security Symposium.

In this paper, we systematically study eight popular Android smartphones from leading manufacturers, including HTC, Motorola, and Samsung and are surprised to find out these stock phone images do not properly enforce the permission-based security model. Specifically, several privileged (or dangerous) permissions that protect access to sensitive user data or phone features are unsafely exposed to other apps which do not need to request these permissions for the actual use.

These capability leaks constitute “a tangible security weakness for many Android smartphones in the market today,” they said.

And, they added, the snazzier the phone, the buggier the picture, given that the more pre-loaded apps are present, the more likely the gadget is to have explicit capability leaks.

These are the eight Android smartphones they tested and found to be at risk:

HTC:

* Legend
* EVO 4G
* Wildfire S

Motorola:

* Droid
* Droid X

Samsung:

* Epic 4G

Google:

* Nexus One
* Nexus S

As if all this weren’t grim enough, the researchers note that the tool they’re using to validate the smartphones, which they’ve dubbed Woodpecker, has a number of limitations.

For one, Woodpecker doesn’t handle native code; it only handles bytecode from Dalvik, the process virtual machine in the Android operating system that runs Android apps.

Woodpecker is also limited to handling 13 defined permissions, although many more exist, and apps are free to define new ones.

“Extending the system to handle more predefined permissions is expected to produce much the same results,” the researchers say.

Not enough? There’s more.

Adding support for app-defined permissions will lead to another class of capability leaks altogether: namely, chained capability leaks, where a permission might be safely passed from one app to a second app, which then unsafely passes it on along to a third app.

Another rug to lift to look for more bugs is among third-party apps, given that the security researchers only examined pre-loaded apps in the smartphones’ firmware.

The researchers note that capability leaks — particularly explicit ones — on phone images “are of great interest to malicious third parties.” Implicit leaks are fairly rare, they say, and more likely tied to software engineering defects than constituting actual security risks.

But implicit leaks could be due for their day in the sun when it comes to third-party apps, since they could open the smartphones up to “collusion attacks,” the researchers said.

A cohort of seemingly innocuous apps could conspire together to perform malicious activities and the user may not be informed of the true scope of their permissions within the system.

Wasn’t it just last week that Google’s Open Source Programs Manager, Chris DiBona, was railing against vendors of Android anti-virus software (and any minion scurrilous enough to work for one), summing up the ragged lot as being likely “charlatans and scammers?”

Yes, yes, I do believe it was last week that Mr. DiBona told such “scammers” that if they worked selling virus protection “for android, rim or IOS you should be ashamed of yourself [sic].”

Should the North Carolina State University researchers, Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang, bow their heads and slink home in shame for finding the current crop of Android bugs?

Well, if their cheeks do burn red, I hope they don’t slink out of sight before they present their paper and roll out an even better version of Woodpecker.