How much does a zero-permission Android app know about us?

Abstract

Android devices contain a vast amount of personal data of their owners. These data are stored on the device and are protected by the Android permission scheme. Android apps can obtain access to specific data items by requesting the appropriate permissions from the user. However, in Android, the access to certain assets is granted by default to the installed apps. For example, any Android app has the right to get the device's network operator, which may be used to infer information about user's country and nationality. Similarly, any app has access to the clipboard which may occasionally contain very sensitive information, like a password. Consequently, a honest but curious Android app may leverage the implicit access rights to accumulate such unguarded information pieces and gradually build a detailed profile of the user. The device owner has no immediate way to control this flow of information and, even worse, may not even be aware that this type personal data flow can take place. In this work, we examine the issue of default access rights of Android apps and discuss the potential threat against user privacy. We assess the user awareness and present a prototype zero-permission app that collects user data.