Repository logo

How much does a zero-permission Android app know about us?

Loading...
Thumbnail Image

Date

2019-11

Authors

Dimitriadis, Antonios

Drosatos, George

Efraimidis, Pavlos S.

Journal Title

Journal ISSN

Volume Title

Publisher

Abstract

Android devices contain a vast amount of personal data of their owners. These data are stored on the device and are protected by the Android permission scheme. Android apps can obtain access to specific data items by requesting the appropriate permissions from the user. However, in Android, the access to certain assets is granted by default to the installed apps. For example, any Android app has the right to get the device's network operator, which may be used to infer information about user's country and nationality. Similarly, any app has access to the clipboard which may occasionally contain very sensitive information, like a password. Consequently, a honest but curious Android app may leverage the implicit access rights to accumulate such unguarded information pieces and gradually build a detailed profile of the user. The device owner has no immediate way to control this flow of information and, even worse, may not even be aware that this type personal data flow can take place. In this work, we examine the issue of default access rights of Android apps and discuss the potential threat against user privacy. We assess the user awareness and present a prototype zero-permission app that collects user data.

Description

Keywords

Android security, Profiling, Data ex-filtration, Privacy leakage

Citation

Endorsement

Review

Supplemented By

Referenced By