At the end of May, François Pellegrini and Mathieu Cunche, co-presidents of the jury of the CNIL-Inria Prize, presented the prize for the protection of privacy to a Spanish-American research group for their article “50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System”. Presented at the USENIX Security conference in 2019, this study carefully analyzes the ways in which applications on Android bypass the protections put in place by the operating system and thus access information without the knowledge of users, or even against their choices.
Although smartphone platforms implement permission-based models to protect access to sensitive data and system resources, apps can bypass them and access protected data without user consent by using both covert channels and side channels.
Winner of the 2021 CNIL-Inria Award, “50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System” reveals how some apps actively circumvent Android’s permissions system to access sensitive user data.
Joel Reardon, one of the authors of the study, states:
“My favorite example comes from OpenX. They had a really amazing block of code, because it wasn’t obfuscated, so I could read it. It first checked whether the user had permission to access the router’s MAC address. If the user could access the router’s MAC address, he was doing it right. But if you didn’t have permission to access the MAC address, it noticed it and called another function, called getMacAddressFromARP, which took advantage of the fact that the same information is available in the system’s ARP cache. Instead of reporting the vulnerability to Google and fixing it, OpenX exploited it, only when it didn’t have permission to legitimately obtain it.”
According to the study authors, two main types of data were targeted: persistent identifiers and geolocation data.
Persistent identifiers are values such as serial numbers or a telephone number. This data is often collected by advertising companies, as it allows them to take a unique fingerprint of a person’s device across all apps they use, regardless of where they use it.
Joel Reardon says:
“Although these credentials today tend to be locked with various types of security permissions, applications continue to find clever ways to bypass these permissions in order to access data.”
The other main type of data targeted is location data, which can take the form of precise GPS coordinates or of the MAC addresses or SSIDs of routers.
Joel Reardon explains:
“These tend to have a number of secondary access channels, just because things like router MAC addresses were never meant to be secret or represent location, but gradually became.”
While all of this data could be legitimately collected simply by asking permission to do so, this illegitimate appropriation of data is problematic as it effectively constitutes a fundamental violation of the notions of notification and consent.
Joel Reardon adds:
“Apps provide notifications via permission requests, and users give consent by accepting the terms and installing the app. By not asking for permission and covertly obtaining the same information through a secondary or covert channel, apps can pretend to be respectful consumers of privacy and mislead.”
An even more serious problem was raised during this study: the use of these persistent identifiers.
Joel Reardon said:
“We have noticed that a number of apps save device serial numbers, such as MAC address or IMEI, on the SD card so that other apps that don’t have permission to access them can read them.”
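The covert channel described in this quote, approached from the auditing side, as an added example that is not code from the study or from the original article: it scans a shared-storage directory for a test device's known identifiers in plain and commonly encoded forms. The identifier values, the file names and the choice of encodings (MD5, SHA-1, base64) are constructed assumptions.

```python
import base64
import hashlib
import os
import tempfile

def identifier_forms(name, value):
    """Yield (label, needle, case_sensitive) for encodings of one identifier."""
    raw = value.encode()
    yield f"{name}/plain", raw.lower(), False
    if ":" in value:  # MAC addresses are often stored without separators
        yield f"{name}/no-colons", raw.replace(b":", b"").lower(), False
    yield f"{name}/md5", hashlib.md5(raw).hexdigest().encode(), False
    yield f"{name}/sha1", hashlib.sha1(raw).hexdigest().encode(), False
    yield f"{name}/base64", base64.b64encode(raw), True

def scan_shared_storage(root, identifiers):
    """Return sorted (relative_path, label) pairs for identifier forms under root."""
    needles = [f for n, v in identifiers.items() for f in identifier_forms(n, v)]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            lowered = data.lower()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for label, needle, case_sensitive in needles:
                if needle in (data if case_sensitive else lowered):
                    hits.append((rel, label))
    return sorted(hits)

def demo():
    """Build a constructed shared-storage tree for a test device and scan it."""
    device = {"imei": "490154203237518", "wifi_mac": "02:00:5E:10:00:AB"}  # constructed
    samples = {  # constructed file contents
        ".cache_id": b"id=490154203237518\n",
        "Android/data/prefs.xml": b"<m>02005e1000ab</m>",
        "photo.txt": b"holiday notes, nothing sensitive",
        "ad.bin": b"k=" + hashlib.md5(b"490154203237518").hexdigest().encode(),
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Android", "data"))
        for rel, body in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(body)
        return scan_shared_storage(root, device)
```

A hit in a file that an app without the corresponding permission can read is the condition worth investigating; the scan itself only shows that the identifier was written there.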
A significant impact on the protection of personal data.
The team of researchers promptly reported each flaw through Google’s vulnerability program; Google developed fixes and released them in Android 10. The article also received the USENIX Security 2019 Distinguished Paper Award, and the research data is now being used by several regulators, who are actively investigating many of the companies responsible for these deceptive practices. The Federal Trade Commission took action against OpenX in 2021.
The results of the study were cited in the third edition of the book Security Engineering by Ross Anderson, in a section on privacy and security issues associated with side channels. Joel Reardon concludes:
“I think more regulatory involvement is the only way to send a message about what’s unacceptable in the digital space, especially as mobile phone apps become more intertwined with civic space.”
Sources of the article:
“50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System”
Joel Reardon, University of Calgary / AppCensus Inc.; Álvaro Feal, IMDEA Networks Institute / Universidad Carlos III Madrid; Primal Wijesekera, UC Berkeley / ICSI; Amit Elazari Bar On, UC Berkeley; Narseo Vallina-Rodriguez, IMDEA Networks Institute / ICSI / AppCensus Inc.; Serge Egelman, UC Berkeley / ICSI / AppCensus In