
Insecure permissions in Android applications



Today, Android is one of the most popular mobile platforms, used in smartphones, tablets, smart watches, televisions and even cars. The openness of the platform and the wide variety of versions and implementations in use bring security to the fore when creating Android applications.

As you know, security is provided by the access permissions system on each specific Android device. This system is designed to protect important data and prevent unauthorized access to information or communication channels.
By default, no Android application has permission to perform operations that may affect the OS, personal data, or other applications. However, without such permissions, any application would be useless.

Permissions are a kind of filter for application functionality, and it depends only on the user whether to give access to data during installation. The problem is that users usually do not read what exactly the application wants to access and grant it without thinking. This behavior creates the preconditions for the abuse of personal data or even the modification of the kernel.

Here we look at the existing system of manifests and permissions in Android. The manifest file contains information about the application package, including permissions, content providers, services, activities, and broadcast receivers.

An example of the overall structure of a manifest file. Permission requests are highlighted in color:



The most dangerous permissions


To decide which data an application can be given access to, the user must keep the purpose of the application in mind. For example, “Why does a game need access to my address book or permission to send SMS?” Obviously, games do not involve sending SMS. Such mismatches between functionality and access requests should be the first cause for alarm.

Permissions you may want to revise in the future


  1. Requesting root rights. A user with root rights can manage the system without any restrictions. By default, Android does not grant these rights, as inexperienced users can mess things up. Root rights are granted by a process called “rooting the Android device”. If a malicious application receives them, it will be able to do whatever it pleases.

    Here is a small example of how an application runs a shell script with privileged user rights to reboot the device:

    try {
        // -c will cause the next argument to be treated as a command
        String[] reboot = new String[] { "su", "-c", "reboot" };
        Process process = Runtime.getRuntime().exec(reboot);
        // Wait for the native process to finish executing.
        process.waitFor();
    } catch (Exception e) {
        Toast.makeText(getApplicationContext(),
                " Device not rooted.\n Could not reboot...",
                Toast.LENGTH_SHORT).show();
    }

    Using the su command, the application runs the command with privileged rights, and if the device is rooted, it will restart. If not, a message appears:



    To request root access, add the line to the manifest file:

    <uses-permission android:name="android.permission.ACCESS_SUPERUSER"></uses-permission>


  2. Requesting permission to read and write personal data. If you do not want users to worry about their personal data, do not use such requests in the manifest:

<uses-permission android:name="android.permission.READ_CALENDAR"></uses-permission>
<uses-permission android:name="android.permission.WRITE_CALENDAR"></uses-permission>
<uses-permission android:name="android.permission.READ_CALL_LOG"></uses-permission>
<uses-permission android:name="android.permission.WRITE_CALL_LOG"></uses-permission>
<uses-permission android:name="android.permission.READ_CONTACTS"></uses-permission>
<uses-permission android:name="android.permission.WRITE_CONTACTS"></uses-permission>


  3. Permissions related to financial expenses. Some permissions, thoughtlessly granted by users, can cost them money. Most often this means sending SMS / MMS and making voice calls. It can happen in the background, without invoking the standard telephone application.
Request to send messages:

<uses-permission android:name="android.permission.SEND_SMS"></uses-permission>

Call request:

<uses-permission android:name="android.permission.CALL_PHONE"></uses-permission>

A simple example of sending SMS:

  String message = "Hello Android fans! ";
  // It is preferable to use a complete international number
  String number = "xxxxxxxxxxxx";
  SmsManager.getDefault().sendTextMessage(number, null, message, null, null);

Please note that this code will only work if the corresponding request is contained in the manifest file:

<uses-permission android:name="android.permission.SEND_SMS"></uses-permission>

  4. Access to geolocation data. If the user allows, the application will be able to receive information at any time on:


Request access to approximate location data:

<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"></uses-permission>


Request access to exact location data:

<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"></uses-permission>


Here's how to get exact location data:

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.location.Location;
import android.location.LocationListener;
import android.location.LocationManager;
import android.os.Bundle;
import android.provider.Settings;
import android.widget.Toast;

public class MainActivity extends Activity implements LocationListener {

    private LocationManager locationManager;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        locationManager = (LocationManager) getSystemService(Context.LOCATION_SERVICE);
        // Ask for GPS updates: at most every 3000 ms and after at least 10 m of movement.
        locationManager.requestLocationUpdates(LocationManager.GPS_PROVIDER, 3000, 10, this);
    }

    @Override
    public void onLocationChanged(Location location) {
        String myLocation = "Location changed...\n\nYou are located at: "
                + "\nLatitude: " + location.getLatitude()
                + "\nLongitude: " + location.getLongitude();
        Toast.makeText(getApplicationContext(), myLocation, Toast.LENGTH_LONG).show();
    }

    @Override
    public void onProviderDisabled(String provider) {
        // GPS is off: open the system location settings screen.
        Intent intent = new Intent(Settings.ACTION_LOCATION_SOURCE_SETTINGS);
        startActivity(intent);
        Toast.makeText(getApplicationContext(), "Gps is turned off... ", Toast.LENGTH_SHORT).show();
    }

    @Override
    public void onProviderEnabled(String provider) {
        Toast.makeText(getApplicationContext(), "Gps is turned on... ", Toast.LENGTH_SHORT).show();
    }

    @Override
    public void onStatusChanged(String provider, int status, Bundle extras) {
    }
}

Do not forget that the operation of this code depends on the availability of the corresponding request in the manifest file.

The Java MainActivity class implements LocationListener to get the right data from the device. Location updates are requested by calling requestLocationUpdates() in the onCreate() method. When the location changes, onLocationChanged() is called to get the new data. If the GPS provider is disabled, the onProviderDisabled() method is called; in the code above it opens the location settings screen.



  5. Access to audio and video. If the user grants such permissions, they risk being listened to, or having the smartphone's camera used for surveillance. Access requests in the manifest file:

<uses-permission android:name="android.permission.CAMERA"></uses-permission>
<uses-permission android:name="android.permission.CAPTURE_VIDEO_OUTPUT"></uses-permission>
<uses-permission android:name="android.permission.CAPTURE_AUDIO_OUTPUT"></uses-permission>
<uses-permission android:name="android.permission.RECORD_AUDIO"></uses-permission>

  6. Installing packages. If you give such permission, the application will be able to install additional packages without the user's knowledge.

<uses-permission android:name="android.permission.INSTALL_PACKAGES"></uses-permission>

  7. Stopping background processes. This permission allows an application to call killBackgroundProcesses(String), with which it can stop any processes running in the background.

<uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"></uses-permission>
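
The permission groups listed above can be checked against an app's decoded AndroidManifest.xml before it is installed or published. The script below is an added example, not part of the original article; the function name `audit_manifest`, the category labels and the sample manifest are constructed for illustration, and it also reads `<uses-permission-sdk-23>` elements, which the article does not mention.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest carry the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Categories (labels are assumptions) and permission names listed in the article.
RISKY = {
    "root": ["ACCESS_SUPERUSER"],
    "personal data": ["READ_CALENDAR", "WRITE_CALENDAR", "READ_CALL_LOG",
                      "WRITE_CALL_LOG", "READ_CONTACTS", "WRITE_CONTACTS"],
    "costs money": ["SEND_SMS", "CALL_PHONE"],
    "location": ["ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"],
    "audio/video": ["CAMERA", "CAPTURE_VIDEO_OUTPUT",
                    "CAPTURE_AUDIO_OUTPUT", "RECORD_AUDIO"],
    "package install": ["INSTALL_PACKAGES"],
    "process control": ["KILL_BACKGROUND_PROCESSES"],
}
CATEGORY_OF = {PREFIX + name: cat for cat, names in RISKY.items() for name in names}

# Both elements request a permission; the -sdk-23 form applies on API 23+ only.
REQUEST_TAGS = ("uses-permission", "uses-permission-sdk-23")


def audit_manifest(manifest_xml):
    """Return {category: sorted permission names} for risky requests found."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for tag in REQUEST_TAGS:
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            category = CATEGORY_OF.get(name)
            if category:
                findings.setdefault(category, set()).add(name)
    return {cat: sorted(names) for cat, names in findings.items()}


# Constructed sample: a game manifest that asks for more than a game needs.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for category, names in sorted(audit_manifest(SAMPLE).items()):
        print(f"{category}: {', '.join(names)}")
```

The script expects the text form of the manifest; the binary XML packed inside an APK has to be decoded first.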


Android Marshmallow


The sixth version of Android, announced in May 2015, introduced a new permissions mechanism. Permissions are no longer requested during the installation of the application, but when it first tries to use a function. Let's hope that this will greatly facilitate the life of both developers and users.

Source: https://habr.com/ru/post/268219/

