Apps without permissions: Should you be worried about Android’s latest security scare?

The latest security threat for the Android world deals with apps that don’t require permissions. Paul Brodeur from Leviathan reported that an app with no permissions could access the data on your physical or internal SD card. Such an app could read all non-hidden files and scan them for information, including anything sensitive. Since the app itself doesn’t have permission to access the internet, it would have to open the browser to send the information out. That’s not an easy task to pull off without you noticing, but someone could come up with some sort of trick.

Let’s be honest, folks: should you be keeping any sensitive data on your SD card? Forget about apps; what happens if you misplace your phone or it gets into the wrong hands? Anybody could access your SD card and get to those contents. Okay, so you’re not saving anything sensitive to your SD card. Is there any other potential risk?

Well, the folks at The Verge came up with an issue with photos. If your geolocation is saved with every photo you take, then an app such as this could potentially find out where you’ve been, such as your home, work, etc. To be honest, again, if you lose your phone, whoever finds it could do the same. Hopefully they will use that information productively by bringing your phone back, but if you don’t want people to ever find out where you’ve been, turn off geotagging on your device. Every phone is different, but you should find the setting in your camera app.
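To confirm that geotagging is really off, you can check whether a photo's Exif block carries both a GPS latitude and a GPS longitude tag. The following is an added example, not code from the original article or its sources; the function names and the `build_sample` fixture are assumptions made for illustration, and the check reports presence only without decoding any coordinates.

```python
import struct

# IFD0 tag pointing at the GPS sub-IFD, then the two position tags inside it
GPS_IFD_POINTER, GPS_LATITUDE, GPS_LONGITUDE = 0x8825, 0x0002, 0x0004

def exif_tiff(jpeg):
    """Return the TIFF block inside the Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":     # not a JPEG (no SOI marker)
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:          # start of scan: metadata segments are over
            return None
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + length
    return None

def ifd_tags(tiff, offset, endian):
    """Map tag -> value field for the IFD at `offset`; tolerates truncation."""
    if offset + 2 > len(tiff):
        return {}
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    tags = {}
    for start in range(offset + 2, min(offset + 2 + 12 * count, len(tiff) - 11), 12):
        tag, _type, _n, value = struct.unpack(endian + "HHII", tiff[start:start + 12])
        tags[tag] = value
    return tags

def has_gps_position(jpeg):
    """True only if the photo stores both a latitude and a longitude tag."""
    tiff = exif_tiff(jpeg)
    if not tiff or len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    gps_offset = ifd_tags(tiff, ifd0, endian).get(GPS_IFD_POINTER)
    gps = ifd_tags(tiff, gps_offset, endian) if gps_offset is not None else {}
    return GPS_LATITUDE in gps and GPS_LONGITUDE in gps

def build_sample(gps_tags):
    """Constructed test JPEG (no image data, no real coordinates)."""
    gps = struct.pack(">H", len(gps_tags)) + b"".join(
        struct.pack(">HHII", t, 5, 3, 0) for t in gps_tags) + b"\x00" * 4
    ifd0 = struct.pack(">HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
    body = b"Exif\x00\x00" + struct.pack(">2sHI", b"MM", 42, 8) + ifd0 + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

A GPS sub-IFD that holds only a version tag is reported as not geotagged, since some cameras write that block even when location is disabled.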

This is just another scare that you should be aware of, but let’s not panic. Our phones are important to us, but you have to use your common sense about what data you keep on them.

Sources: The Verge and Leviathan


  • Ickyfehmleh

    Not every device has the ability to have an SD card — some, like the Galaxy Nexus, only have onboard storage; one has no choice but to store potentially sensitive data on the phone.

    There would be really nothing stopping two applications working in tandem, one gleaning the information and writing it out to a file, the other (with some sort of communication permissions) looking for that file and sharing it. This scenario would be especially troublesome to “rooted” users, since applications could request superuser permissions ostensibly to do something awesome but instead could traverse the filesystem with nothing standing in their way.

    • derekmorr

      What’s worse is that on devices without a physical SD card (like the Galaxy Nexus), Android mounts /mnt/sdcard as a FUSE filesystem and turns off permission checking. So they emulate the bug rather than fix it.