A number of apps store users’ personal data for their own use. Most of the time this is authorized by the user and genuinely required by the app. However, if the app doesn’t properly encrypt the data, it can cause a lot of problems for the user. For instance, it has now been found that the Cooliris Android gallery stores unencrypted copies of users’ complete addresses. These can be accessed by another, malicious app and easily misused.
So how exactly does it work? Android keeps all apps in a ‘sandbox’. When an app requires any user data, Android makes the app ask the user for explicit permission. If you refuse, the app cannot access the details. However, it has now been revealed that a malicious Android app can access a whole lot of data without getting permission from the user.
A test app, ‘No Permissions’, was created by mobile security expert Paul Brodeur to test how much access an app can gain to a user’s device without seeking permission. The app was able to scan the device’s storage and reveal the names of all non-hidden files. Moreover, these non-hidden files can also be scanned to reveal any sensitive information contained in them.
The app can also get a list of all the installed applications on the device, which lets it know which apps may hold the data it is looking for. Apart from this, the app can gain access to photos, Spotify ID, Google e-mail address and also a list of addresses. The app obtained this list from a file called ‘Chunk_0’ inside a cache named com.cooliris.media. This file is present across a multitude of Android devices.
The fact that all this information is stored unencrypted leaves the door open for a lot of malicious apps and is a huge security issue. Google has taken an initiative to patch up these security holes, saying that it is ‘considering adding a permission for apps to access images.’ But that is just a start, and Google needs to do a lot more to make Android security more reliable.