A vulnerability in Android applications, for two main types of data
It was while developing new dynamic analysis tools for verifying the transmission of personal data from mobile apps to the Cloud that the authors of the article “50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System” identified tens of thousands of applications actively circumventing the Android permissions system.
The aim is to access sensitive data without users knowing and without their informed consent, in violation of both the platform and regulatory requirements.
“My favourite example comes from OpenX”, explains Joel Reardon. “They had a truly astonishing block of code that was non-obfuscated, meaning I was able to read it. It would begin by verifying whether or not the user had permission to access the MAC address of the router. If the user was able to access the MAC address of the router, it would do it correctly. But if you didn’t have permission to access the MAC address, it would make a note of this and call another function, entitled getMacAddressFromARP, which exploited the fact that the same information was available in the system’s ARP cache. Instead of reporting the vulnerability to Google and rectifying it, OpenX exploited it - but only when they didn't have permission to get it legitimately.”
The data targeted by these vulnerabilities includes persistent identifiers, such as serial numbers, which aren't able to just change. This data is collected by advertising agencies, who use it to take a unique fingerprint of an individual’s device on all of the applications they use, wherever they are. “Although these identifiers now tend to be locked using various different security authorisations, applications continue to find clever ways of getting around these authorisations in order to access data”, explains Joel Reardon.
The other main type of data they target is location data. This can take the form of precise GPS coordinates or substitutes such as the SSID or MAC addresses of routers. “These tend to have a number of secondary access channels, purely because things like the MAC addresses of routers were never designed to be secret or to represent locations; this is something that has happened over time.”
A worrying situation for digital security
All of this data could be collected legitimately if the necessary permission was requested. But this illegal gathering of data has become an issue in that it constitutes a basic violation of the concepts of notification and consent. “Applications provide notifications through authorisation requests, and users give their consent by accepting the conditions when they install the application. In not seeking authorisation and using a secondary or secret channel to obtain the same information in an underhand way, applications can pretend to protect privacy and trick consumers”, adds Joel Reardon.
An even more serious problem relates to the use of these persistent identifiers. “We noticed that a number of applications record devices’ serial numbers, such as their MAC address or their IMEI number, on their SD cards. This allows other applications which don’t have the authorisation to access them and read them”, explains the researcher. In response to this issue, Android restricted access to MAC addresses in 2015, and to IMEI numbers more recently. If an application has saved one of these to a user’s shared storage, it will only be accessible provided the applications are authorised to access this shared storage.
All of the vulnerabilities which the researchers behind this project identified were quickly reported to Google through their vulnerability programme. The American giant developed correctives, which were published in Android 10. The article also won the USENIX Security 2019 Distinguished Paper Award, and the data from the research is currently being used by a number of regulators investigating companies responsible for these deceitful practices. Finally, the published results were cited in the third edition of Ross Anderson's book “Security Engineering”, in a section dealing with issues of confidentiality and security linked to lateral channels.
This study has significant implications from a regulatory and transparency perspective in that it demonstrated vulnerabilities in the authorisation control mechanisms for the biggest mobile operating system, which were used to track users without them knowing. It also showed that existing platforms had been unable to detect these intrusive and deceitful practices for years.
The biggest impact these results had was in being used to boost security by improving the existing way of doing things. “I believe that greater involvement on the part of the regulatory authorities is the only way to send a message about what is unacceptable in the digital sphere, particularly given that mobile apps are increasingly linked to the civic sphere”, adds Joel Reardon.
Awarded the 2021 CNIL-Inria Prize for privacy protection
Off the back of these results, the researchers behind the article “50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System” (Joel Reardon, Narseo Vallina-Rodriguez, Amit Elazari Bar On, Primal Wijesekera and Serge Egelman) were awarded the 2021 CNIL-Inria Prize for Privacy Protection at the 15th edition of the International Computers, Privacy and Data Protection (CPDP) conference, held on 24th May last year.
First awarded in 2016 in the context of the partnership linking the two institutions, the aim of the CNIL-Inria EU Prize is to encourage scientific research on the protection of personal data and privacy.
The 2021 edition of the CNIL-Inria Prize also saw a prize awarded for the article “DatashareNetwork: A Decentralized Privacy-Preserving Search Engine for Investigative Journalists", which was recognised by the jury as an exceptional achievement in the field of privacy protection. This article, authored by Kasra Edalatnejad, Wouter Lueks, Julien Pierre Martin, Soline Ledésert, Anne L'Hôte, Bruno Thomas, Laurent Girod and Carmela Troncoso, introduced the first search engine designed for investigative journalists, delivering end-to-end privacy protection.
This decentralised search engine, which came about through close collaboration between researchers specialising in privacy protection and the International Consortium of Investigative Journalists (ICIJ), is designed to enable journalists worldwide to collect the best possible information for their investigations through a peer-reserved network, while making solid guarantees regarding confidentiality, the goal being not only to protect them, but also to help keep their sources safe.
Video of the President of the Cnil and the CEO of Inria
Discover the interview with Marie-Laure Denis (President of the Cnil) and Bruno Sportisse (CEO of Inria) on the Cnil - Inria Prize.
Mathieu Cunche, co-president of the CNIL-Inria 2021 Prize jury
This year, Inria researcher Mathieu Cunche (PRIVATICS team) is co-chairing the jury, along with François Pellegrini (CNIL) and two vice-presidents: Catuscia Palamidessi (Inria, COMETE team) and Félicien Vallet (CNIL).
The members of the jury are:
Nicolas Anciaux, Inria, PETRUS team - France
Nataliia Bielova, Inria, PRIVATICS & CNIL team - France
Reuben Binns, Oxford University - Great Britain
Joe Calandrino, Federal Trade Commission - United States
Kostas Chatzikokolakis, University of Athens - Greece
Josep Domingo-Ferrer, University of Rovira i Virgil, UNESCO Chair in Data Privacy - Spain
Sébastien Gambs, University of Quebec in Montreal - Canada
Simone Fischer-Hübner, University of Karlstad - Sweden
Oana Goga, Laboratoire d'Informatique de Grenoble, CNRS - France
Marit Hansen, Data Protection Commissioner of Schleswig-Holstein and Unabhängiges Landeszentrum für Datenschutz (ULD) - Germany
Kévin Huguenin, University of Lausanne - Switzerland
Francesca Musiani, Deputy Director of the Centre Internet et Société, CNRS - France
Benjamin Nguyen, INSA-CVL - France
Walter Rudametkin, University of Lille and Inria, SPIRALS team - France
Reza Shokri, National University of Singapore - Singapore
Carmela Troncoso, EPFL - Switzerland
Narseo Vallina, IMDEA Networks Institute, ICSI and University of California, Berkeley - USA
Christo Wilson, Northeastern University - USA