What An Android App Could Do Without Any Permissions – Analysis
One of the repeated warnings when installing applications on Android is to review the permissions. Before installing an application, whether through Google Play or manually, we are told what the app will be able to do on our device: access the calendar, write to your phone's memory and so on.
It is always important to keep in mind that some applications demand more than they need.
After all, why would we want to install a game that requires access to phone calls? It makes little sense.
Okay, so an application requests additional permissions, and maybe it doesn't cause any harm. However, this gives rise to a question: what could an Android app do without any permissions at all? Yes, a zero-permission Android app.
The Leviathan Security team has developed a technical demonstration to answer this question. They designed an application that, without requiring any special permission, goes as far as possible.
You can check this on your own device using the application in question, which performs three actions without permissions of any kind.
- First, all applications have at least the ability to read the contents of external storage. This sample app can read /sdcard and get a list of all files that are not hidden, so it can collect the contents of these files without any problems. Some might think this is not important because most information is stored in internal memory, where this cannot be done, but many of us store our photos and other documents there. Read more about Android Partitions.
- The app can also collect data from /data/system/packages.list. That is, it can see which applications are installed on the device. With this, it knows what data can be read, and it can then read files from other applications that are installed on the Android device.
- It can get device information without the PHONE_STATE permission. Its scope is limited: it cannot read the IMEI, but it can learn your network provider and the version of the ROM. Not many details, but there it is.
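An added example, not part of the original post or of Leviathan's app: a host-side Python audit that parses a packages.list sample and flags the app files that any other app on the device could read. The package names, file names and listing layout are constructed, and the check assumes another app's file is reachable only when its mode string grants read access to "other".

```python
# Added example; every package, path and listing below is constructed sample data.
PACKAGES_LIST = """\
com.example.notes 10051 0 /data/data/com.example.notes
com.example.game 10052 1 /data/data/com.example.game
"""
# Constructed `ls -l` style listings, keyed by each package's data directory.
LISTINGS = {
    "/data/data/com.example.notes": """
        -rw-rw---- u0_a51 u0_a51 2048 2012-04-10 12:00 notes.db
        -rw-rw-r-- u0_a51 u0_a51 512 2012-04-10 12:01 session.xml
    """,
    "/data/data/com.example.game": """
        -rw------- u0_a52 u0_a52 128 2012-04-10 12:02 scores.dat
    """,
}

def parse_packages_list(text):
    """Return one dict per package, using the first four fields of each line."""
    packages = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # skip blank or malformed lines
        name, uid, debuggable, data_dir = fields[:4]
        packages.append({"name": name, "uid": int(uid),
                         "debuggable": debuggable == "1", "data_dir": data_dir})
    return packages

def world_readable(listing):
    """Return names of files whose mode grants read to 'other' (assumed criterion)."""
    exposed = []
    for line in listing.splitlines():
        fields = line.split()
        # Mode string is type + user/group/other triplets; index 7 is other-read.
        if len(fields) >= 2 and len(fields[0]) == 10 and fields[0][7] == "r":
            exposed.append(fields[-1])
    return exposed

def audit(packages_text, listings):
    """Map package name -> files that any other app on the device could read."""
    report = {}
    for pkg in parse_packages_list(packages_text):
        files = world_readable(listings.get(pkg["data_dir"], ""))
        if files:
            report[pkg["name"]] = files
    return report

if __name__ == "__main__":
    print(audit(PACKAGES_LIST, LISTINGS))
```

Files the audit reports are the ones to move to owner-only permissions.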
Okay, maybe now someone is thinking: how can all this information be collected if the application does not have permission to connect to the Internet? Not having that permission makes things difficult, but there is a path through a URI ACTION_VIEW intent. The app attempts to open the web browser which, if the device is connected, passes the data along through different calls to the browser.
With this post, I do not intend to be alarmist, nor am I saying that you should distrust each and every application on Google Play. The intention is to report how apps behave on Android and what can be done without permissions. As I mentioned before, you can try these options on your own using this application.