Mobile app permissions, leaks and pileup flaws

Even though mobile malware is growing rapidly, malware still remains a small proportion of the threats on mobile devices. By far the greatest mobile threat is from “legitimate” applications downloaded from the official Apple Store or from Google Play – apps that undertake “risky” behaviours, such as location tracking, identifying the user’s ID (UDID), accessing the user’s contact list, and sharing sensitive user data.

As an example, consider the current number 28 most popular free app on the Google Play Store – a flashlight application called Super-Bright LED Torch. On installation, this app requires the following permissions:
– Storage: modify or delete the contents of your SD card
– Camera: take pictures and videos
– Your applications information: retrieve running apps
– Phone calls: read phone status and identity
– Network communication: full network access
– System tools: modify system settings
On the surface, all this app does is shine a light – it’s a simple flashlight. Ask yourself, why does it need all these permissions? They indicate that the app performs “risky” behaviour silently in the background while the user is unaware. Many users do not carefully consider the app’s permissions when installing – they simply accept all permissions on good faith. There have already been over 50 million downloads of this flashlight app.

Research conducted by Appthority found that less than 0.4% of apps have malware, while 79% pose other risks indicated by their permissions. Overall, iOS apps undertake more “risky” behaviours than Android apps. Appthority found that 95% of the top free apps performed at least one “risky” behaviour. The figure for the top paid apps was still 80%.

However, carefully considering an app’s permissions before installing, still does not mean that the user is safeguarded. Mobile applications can expand their permissions after installation, through permission leaks and pileup flaws.

Permission leaks arise from the use of customised permissions, where applications grant permissions to other applications. Trend Micro has demonstrated how a malicious application can tap into the permissions of another app via customised permissions. The company has identified almost 10,000 mobile apps that are at risk of this vulnerability, including an online store, a chat application and a social networking application.

Pileup flaws are another threat. Indiana University researchers recently discovered that malicious apps are able to expand their permissions during an operating system upgrade. A user may install an app based on it’s limited stated permissions, however when the user later upgrades the version of Android OS, the app may escalate it’s permissions without the knowledge of the user. This enables the app to engage in “risky” behaviour after it’s permissions have been accepted by the user during installation. This vulnerability, called a pileup flaw, utilises Android’s Package Management Service (PMS).

The mobile threat environment is certainly different from the PC threat environment. On the PC platform, threats come from malware, whereas on mobile, most of the threats are from legitimate apps downloaded from the official app stores, as indicated by permissions beyond that required for their stated purpose. Unsuspecting mobile users are granting widespread permissions, and malicious apps are using techniques to escalate their permissions. The mobile user, and their private, sensitive data, is at risk. If the permissions of an app makes you suspicious, don’t install it.


One thought on “Mobile app permissions, leaks and pileup flaws

  1. […] Dette er altså risiko som ikke normalt kategoriseres under «angrep», men like fullt kan være det. Selv om NSA ikke har apps under eget navn, kan det jo hende de likevel har det under andre navn. […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: