A look back at the winner of the CNIL-INRIA Privacy Award


At the end of May, François Pellegrini and Mathieu Cunche, co-presidents of the CNIL-Inria Prize jury, presented the privacy award to a Spanish-American research team for their paper “50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System”. Presented at the 2019 USENIX Security conference, the study thoroughly analyzes the ways in which Android apps circumvent the protections put in place by the operating system and thereby access information without users’ knowledge, or even against their choices.

Although smartphone platforms implement permission-based models to protect access to sensitive data and system resources, apps can bypass them and thus access protected data without the user’s consent using both covert and back channels.

Winner of the CNIL-Inria 2021 Prize, “50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System” reveals how some apps actively circumvent Android’s permissions system to access users’ sensitive data.

Joel Reardon, one of the study’s authors, relates:

“My favorite example comes from OpenX. They had a block of code that was really amazing, because it was unobfuscated, so I could read it. It would first check to see if the user had permission to access the router’s MAC address. If the user could access the router’s MAC address, it did so in the correct manner. But if you didn’t have permission to access the MAC address, it noticed this and called another function, called getMacAddressFromARP, which exploited the fact that the same information is available in the system’s ARP cache. Instead of reporting the vulnerability to Google and fixing it, OpenX exploited it – only when it didn’t have permission to get it legitimately.”

According to the study’s authors, two kinds of data were primarily targeted: persistent identifiers and geolocation data.

Persistent identifiers

Persistent identifiers include device serial numbers and the phone number. Such data is often collected by advertising companies because it lets them uniquely fingerprint a person’s device across all the applications they use, regardless of where they use it.

Joel Reardon notes:

“While these credentials now tend to be locked down through various types of secure permissions, apps continue to find clever ways to circumvent these permissions, in order to access the data.”

Geolocation data

The other major type of data targeted is location data, which can take the form of precise GPS coordinates or of the MAC addresses or SSIDs of routers.

Joel Reardon explains:

“These tend to have a number of secondary access channels, only because things like router MAC addresses were never meant to be secrets, or represent location, but have gradually become so.”

While all of this data could be legitimately collected by simply asking for permission to do so, this illegitimate appropriation of data is problematic since it is in fact a fundamental violation of the notions of notice and consent.

Joel Reardon adds:

“Apps provide notification through permission requests, and users provide consent by agreeing to the terms and installing the app. By not asking for permission and surreptitiously obtaining the same information through a secondary or secret channel, apps can present themselves as privacy-friendly and deceive consumers.”

An even more serious problem was raised in this study: the use of these persistent identifiers.

Joel Reardon states:

“We noticed that a number of apps are storing device serial numbers, such as MAC address or IMEI, on the SD card so that other apps that don’t have permission to access them can read them.”
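The two patterns Reardon describes above, a permission check that falls back to the ARP cache when denied, and a device identifier written to the SD card for other apps to read, are the kind of thing an app auditor can screen for in decompiled code. The following is an added example, not code from the paper or from the article: a small Python heuristic run over constructed method snippets (the method names, strings and file names are assumptions, not real OpenX code).

```python
import re
from typing import Dict, List

# Constructed sample of decompiled app methods (illustrative; not real OpenX code).
SAMPLE_METHODS: Dict[str, str] = {
    "getRouterMac": """
        if (ctx.checkSelfPermission("android.permission.ACCESS_WIFI_STATE") == GRANTED)
            return wifiManager.getConnectionInfo().getBSSID();  // sanctioned path
        return getMacAddressFromARP();                          // fallback when denied
    """,
    "getMacAddressFromARP": 'BufferedReader r = new BufferedReader(new FileReader("/proc/net/arp"));',
    "cacheDeviceId": """
        File f = new File(Environment.getExternalStorageDirectory(), ".device_cache");
        writer.write(telephonyManager.getDeviceId());
    """,
    "showBanner": "view.setVisibility(View.VISIBLE);",
}

# Heuristic patterns: covert sources (the ARP-cache case), identifier getters,
# and shared external-storage sinks (the SD-card case).
COVERT_SOURCES = [r"/proc/net/arp", r"/sys/class/net/\w+/address"]
IDENTIFIER_CALLS = [r"\bgetDeviceId\(", r"\bgetImei\(", r"\bgetMacAddress\(", r"\bgetBSSID\("]
SHARED_STORAGE_SINKS = [r"\bgetExternalStorageDirectory\(", r"\bgetExternalFilesDir\("]
PERMISSION_CHECK = r"\bcheckSelfPermission\("


def _matches_any(patterns: List[str], src: str) -> bool:
    return any(re.search(p, src) for p in patterns)


def audit(methods: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {method_name: [finding tags]} for methods showing circumvention patterns."""
    covert_readers = {n for n, s in methods.items() if _matches_any(COVERT_SOURCES, s)}
    findings: Dict[str, List[str]] = {}
    for name, src in methods.items():
        tags: List[str] = []
        if name in covert_readers:
            tags.append("reads-covert-source")
        # A permission check plus a call to a covert reader in the same method is the
        # "if denied, fall back to a side channel" shape the article describes.
        calls_covert = any(re.search(rf"\b{re.escape(c)}\(", src)
                           for c in covert_readers if c != name)
        if re.search(PERMISSION_CHECK, src) and calls_covert:
            tags.append("permission-gated-fallback")
        # Persistent identifier written to external storage, where other apps can read it.
        if _matches_any(IDENTIFIER_CALLS, src) and _matches_any(SHARED_STORAGE_SINKS, src):
            tags.append("identifier-to-shared-storage")
        if tags:
            findings[name] = tags
    return findings
```

A real audit would run this over every method of a decompiled APK and treat the tags as leads for manual review, since the string heuristics are deliberately coarse.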

A significant impact on privacy

The researchers promptly reported each flaw to Google through its vulnerability program; Google developed patches and shipped them in Android 10. The paper also received the USENIX Security 2019 Distinguished Paper Award, and the study’s results are now being used by several regulators, who are actively investigating several of the companies responsible for these deceptive practices. The Federal Trade Commission, for instance, initiated an action against OpenX in 2021.

The results of the study were cited in the third edition of Ross Anderson’s Security Engineering book, in a section devoted to the privacy and security issues associated with side channels. Joel Reardon concludes:

“I think increased regulatory involvement is the only way to send a message about what is unacceptable in the digital space, especially as cell phone applications become more closely tied to the civic space.”

Article sources:

“50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System.”

Authors:
Joel Reardon, University of Calgary / AppCensus Inc; Álvaro Feal, IMDEA Networks Institute / Universidad Carlos III Madrid; Primal Wijesekera, UC Berkeley / ICSI; Amit Elazari Bar On, UC Berkeley; Narseo Vallina-Rodriguez, IMDEA Networks Institute / ICSI / AppCensus Inc; Serge Egelman, UC Berkeley / ICSI / AppCensus Inc

Translated from Retour sur le lauréat du Prix CNIL-INRIA pour la protection de la vie privée