Imagine two employees at a large bank: an analyst who handles sensitive financial information and a courier who makes deliveries outside the company. As they go about their day, they look like they’re doing what they’re supposed to do. The analyst is analyzing; the delivery person is delivering. But they’re actually up to something nefarious. In the break room, the analyst quietly passes some of the secret financials to the courier, who whisks it away to a competing bank.
Now, imagine that the bank is your Android smartphone. The employees are apps, and the sensitive information is your precise GPS location.
Like the two employees, pairs of Android apps installed on the same smartphone have ways of colluding to extract information about the phone’s user, which can be difficult to detect. Security researchers don’t have much trouble figuring out if a single app is gathering sensitive data and secretly sending it off to a server somewhere. But when two apps team up, neither may show definitive signs of thievery alone. And because of an enormous number of possible app combinations, testing for app collusions is a herculean task.
A study released this week developed a new way to tackle this problem—and found more than 20,000 app pairings that leak data. Four researchers at Virginia Tech created a system that delves into the architecture of Android apps to understand how they exchange information with other apps on the same phone. Their system—DIALDroid—then couples apps to simulate how they’d interact, and whether they could potentially work together to leak sensitive information.
When the researchers set DIALDroid loose on the 100,206 most downloaded Android apps, they turned up nearly 23,500 app pairs that leak data. More than 16,700 of those pairs also involved privilege escalation, which means the second app received a type of sensitive information that it’s typically forbidden from accessing.
In one striking example, the study highlighted an app that provides prayer times for Muslims. It retrieves the user’s location and makes it available to other apps on the smartphone. More than 1,500 receiver apps, if installed on the same device, can get the location sent by the prayer-times app. Of those, 39 apps leak the location data to potentially dangerous destination.
Relatively small groups of unsecured apps were behind the enormous number of leaky connections. The 16,700 app pairs that exhibited privilege escalation all involved one of 33 sender apps. And the roughly 6,700 app pairs that leaked data without privilege escalation all involved one of 21 sender apps. Twenty sender apps appeared in both categories. The problematic apps came in various forms: from entertainment and sports to photography and transportation apps.
Collusive leaks aren’t always intentional—and it’s very difficult to tell when they are. But no matter the aim, leaks of sensitive information without a user’s permission carry potential for abuse.
Sometimes, only one app in a pairing may seem intentionally malicious. An app can take advantage of a security flaw in another app to steal data and extract it to a distant server, for example. Other times, both apps are poorly designed, creating an accidental data flow from one app to another, and then from the second to a log file.
The study found that smartphone location was more likely to be leaked than any other type of information. It’s easier to imagine how a user’s real-time location could be abused than, say, knowing what networks that person’s smartphone is connected to. But smaller details like network state can be used to “fingerprint” a device—that is, to identify it and keep track of what its user does over time.
When they analyzed the the final destination for leaked data, the Virginia Tech researchers found that nearly half of the receivers in leaky app pairs sent the sensitive data to a log file. Generally, logged information is only available to the app that created it—but some cyberattacks can extract data from log files, which means the leak could still be dangerous. Other more immediately dangerous app pairings send data away from the phone over the internet, or even over SMS. Sixteen sender apps and 32 receiver apps used permission escalation and extracted leaked data in one of those two ways.