InAPPropriate Permissions

Mata Hari, Belle Boyd, Kim Philby, Klaus Fuchs, Aldrich Ames, the redoubtable Sidney Reilly, and Android. Android? Why yes, the world’s best-selling mobile operating system has joined the ranks of infamous spies, albeit in a somewhat less glamorous fashion than that associated with others on the preceding list.

As reported by CNET, “Researchers from the International Computer Science Institute (ICSI) found up to 1,325 Android apps that were gathering data from devices even after people explicitly denied them permission.”  That’s correct. You may be deluding yourself into thinking you are controlling the privacy challenges associated with your cell phone, but the truth is far different.

Here’s the reality as laid out by CNET thanks to the work done by ICSI. “Permissions on Android apps are intended to be gatekeepers for how much data your device gives up. If you don’t want a flashlight app to be able to read through your call logs, you should be able to deny that access. But even when you say no, many apps find a way around: Researchers discovered more than 1,000 apps that skirted restrictions, allowing them to gather precise geolocation data and phone identifiers behind your back.”

There are multiple ways the apps conspire against you, but the most chilling may be the one called “covert channels,” which means apps can work together to share user information. As defined in the ICSI report, “A covert channel is a more deliberate and intentional effort between two cooperating entities so that one with access to some data provides it to the other entity without access to the data in violation of the security mechanism.”

Notably, the report called out, among others, Chinese companies Baidu and Salmonads for using the SD card to store sensitive information that then is passed to apps that shouldn’t have access to it. Baidu offers a Hong Kong Disneyland Park app, which apparently will take you on a ride far outside the park. Given that there are hundreds of millions of devices that may be affected, this is something of a big deal.

The entire report is a tech heavy, but worthwhile read.

By Tom Davis, SDI Cyber Risk Practice

July 10, 2019