Security Researchers Find Privacy Leaks in Fundamental Pre-Installed Android Apps

Though phone manufacturers have been distancing themselves from the Carrier IQ furore, there are plenty of other pieces of software that could be tracking you, too.

A team of researchers from North Carolina State University have been looking into the standard configurations on a bunch of Android smartphones from Google, Motorola, HTC, and Samsung. They found that none of the phones effectively protect privileged permissions from untrusted applications, which could mean that any application could record conversations, track SMS messages, or even wipe user data without needing the user's permission.

You probably want to know what phones they looked at. They were: the HTC Legend, EVO 4G, and Wildfire S; the Motorola Droid and Droid X; the Samsung Epic 4G; and the Google Nexus One and Nexus S.

The security issues with Google's phones were minor. Not so for Motorola, HTC and Samsung, though — the researchers found that the stock phone images from these manufacturers don't enforce Android's permission-based security model properly. That is pretty worrying.

Even more worrying is that the researchers have "experienced major difficulties" in trying to report the issues to HTC and Samsung (though Google and Motorola have listened). Nothing like sticking your head in the sand, guys.

So what are the security problems, exactly? Well, the team looked at 13 basic Android applications that deal with sensitive user information — basic software that needs to be there. These apps deal with things like passing geo-location data, accessing the address book, and sending SMS messages. Normally, apps are supposed to seek approval from the user to access information via these sources.

But these guys found that a lot of the time, these basic bits of software that deal with requests for user information just don't require apps to be approved in order to grab the data. Instead, the information can be grabbed as it's passed to another, trusted app. The worst offender? The HTC EVO 4G, which had eight different streams of data that could be grabbed by an app without seeking any permissions from users at all.

Bear in mind that these are pre-installed apps that have to be on the phone — they deal with the stuff that makes the phone actually work. They just shouldn't be letting this kind of thing happen. Start installing third-party apps that are explicitly trying to grab your data, and the story only gets worse. Sigh.

[North Carolina State University (PDF) via Ars Technica]


You can keep up with Jamie Condliffe, the author of this post, on Twitter.