The CoolIris Android gallery, the stock gallery app used in many devices running Android 2.1 - 2.3, has been found to store unencrypted copies of complete addresses that could theoretically be accessed and transmitted by a malicious app with no system permissions. The issue came to light when we started investigating a security issue in Android found by Paul Brodeur from Leviathan Security Group. Brodeur created an app named No Permissions which highlights flaws in Android's permission system that would allow an app to access your data.
Android keeps apps in a "sandbox," and makes them ask for permission to access things like the internet, phone calls, location, or contacts. If you don't grant an app access to something, you can rest safe knowing that it will never access it. Brodeur uncovered a long list of things that, without permissions, a malicious app could access.
The first issue highlighted by the report is file security. No Permissions is able to scan your device's storage (either a physical SD card or an "internal SD card", i.e. eMMC) and return a list of any non-hidden files, the contents of which could then be scanned for potentially sensitive information. It was also possible to return a list of installed applications, which could help a malicious app know where to look for data. Although the app is only a proof-of-concept, the techniques described in the report are capable of accessing this data.
So what sort of data would be available to a malicious app? Well, we took a nose around a few devices to see what was on offer. The most obvious issue would be photos, which was an issue raised some time ago. But we were also able to find our Google account e-mail address, Spotify ID, and a list of addresses.
door number, street, town, zip code, all unencrypted
The list was found inside the cache of com.cooliris.media, which was the default gallery for many Android phones between Eclair and Gingerbread, including Samsung, LG, and Nexus-class devices (HTC devices use a different gallery, as does the Motorola Razr that we tested). Stored completely unencrypted in a file called Chunk_0 was a list of locations which matched those of our home, work, family, significant other, friends, and even holiday destinations. It seems to have been generated by Picasa Web Albums — this information matches the locations of geotags in our private albums — but it's the manner in which this information is both presented and stored that is worrying.
First, there is no reason for the application to be caching locations of private photos completely unencrypted. Second, the locations aren't erroneous GPS coordinates — they're full addresses: door number, street, town, zip code, and country. This was information that we'd never given Google, either on a phone or within Picasa. To make matters worse, Picasa Web Album syncing had been switched off a week before the information was found. When we tested the issue on a device in our New York office, a new entry appeared in Chunk_0 — 1-3 W 18th St Manhattan, NY 10003 New York — which appears to be what Google thinks is our current location (it's close). We found the same behavior on four devices synced to two separate Google accounts. So an app with ill intent could potentially uncover our address and location, alongside our photos and user IDs, but what next?
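To make the storage problem concrete, here is an added illustration (not CoolIris's or Google's code, and not taken from Brodeur's report) of the same cache write done two ways: once into external storage, where on Android 2.x any installed app can read it without holding a permission, and once into the app's private internal storage, which the platform restricts to the app's own Linux uid. The file name Chunk_0 and the package name com.cooliris.media come from the article; the external-storage path, the class and method names, and the content format are assumptions made for the example.

```java
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.Charset;

// Added example, not CoolIris code. Shows the weak storage pattern the
// article describes beside an app-private alternative.
public final class GeoCacheWriter {
    private static final String CACHE_FILE = "Chunk_0";   // name from the article
    private static final Charset UTF8 = Charset.forName("UTF-8");

    private GeoCacheWriter() {}

    // WEAK: external storage (the "SD card") on Android 2.x has no per-app
    // isolation, so a file written here is readable by every installed app,
    // including one that declares no permissions at all.
    // The directory layout below is an assumption for illustration.
    public static File writeWeak(String pkg, String addressList) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(),
                "Android/data/" + pkg + "/cache");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        File out = new File(dir, CACHE_FILE);
        FileOutputStream fos = new FileOutputStream(out);
        try {
            fos.write(addressList.getBytes(UTF8));
        } finally {
            fos.close();
        }
        return out;
    }

    // HARDENED: internal storage (/data/data/<pkg>/files) is owned by the
    // app's own uid, and MODE_PRIVATE refuses the world-readable file modes,
    // so another non-root app cannot open the file.
    public static File writePrivate(Context ctx, String addressList) throws IOException {
        FileOutputStream fos = ctx.openFileOutput(CACHE_FILE, Context.MODE_PRIVATE);
        try {
            fos.write(addressList.getBytes(UTF8));
        } finally {
            fos.close();
        }
        return ctx.getFileStreamPath(CACHE_FILE);
    }

    // The article found entries still present a week after Picasa syncing
    // was switched off; a cache's lifetime should be tied to the feature
    // that needs it, so the sync-off path should call this.
    public static boolean clearPrivate(Context ctx) {
        return ctx.deleteFile(CACHE_FILE);
    }
}
```

Moving the file to app-private storage only addresses the "where"; the article's first objection, that full street addresses for private photos should not be cached in the clear at all, is better answered by not writing that data, or by encrypting it under a key the app derives at runtime, than by any choice of directory.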
'No Permissions' uses a simple but effective way to circumvent Android's data permissions
No Permissions uses a simple but effective way to circumvent Android's data permissions. While the app itself is incapable of accessing the internet, it can launch Android's built-in browser to any page it chooses. With internet access obtained through the browser, it could then send personal data to a remote location, although clearly the user would be aware that the browser had been opened.
There are many ways these holes could be exploited in the wild. One implementation that comes to mind is a simple free calculator app, designed to launch the built-in browser to display the solution. While displaying the answer to 2 + 2, it could forward personal data to an external server, without permissions. The browser would continue sending data in the background until it was closed, unless a user navigated away from the page.
An example with more scope to be damaging, however, would be to apply the data-harvesting technique to an app that already holds the internet permission. Adding the code to a free game, for example, and disguising the data upload as a high-scores service, would allow the same data to be transferred without the need for an external browser. Google recently implemented a malware scanner that should be able to catch nefarious activity like this, but it's still a hole that shouldn't exist in the first place.
Google is planning on beefing up its app permissions system
After the aforementioned photo scare, Google said that it was "considering adding a permission for apps to access images," and we see no reason why it couldn't also add a permission to block an app from viewing files in other apps' directories. Let's just hope it takes action sooner rather than later.
Google declined to comment on any of the issues mentioned in this report.