Application developers do not care about user safety, which leads to data leakage (with java-code examples)

Delving into my android phone I noticed that in the / storage / sdcard directory there are directories and files - applications that I deleted long ago, so I asked on toster.ru Can one Android application read temporary files of another application?

What are these temporary files and why should we pay attention to them? These are your photos, records of telephone conversations, a database of your daily logs.

Android has a shared directory / storage / sdcard. Temporary files are written there by all applications, and when you delete an application, the data from it remains there, unless the developer has taken care to delete them.
')
Therefore, I asked these questions on toster.ru:

1) By design, the system does not delete these temporary files from this directory?
2) Android does not know which files belong to which application?
3) Can one application read the data of another application from this directory?

User NeiroNx wrote:

/ data is quite clearly divided by rights - not having root application rights do not even see what files are there.

I answer NeiroNx : Wait, I just downloaded the file manager from google.play and read temporary files from the directory of the popular messenger, and there the photos that were sent to me are unencrypted, the device is not rudimentary.

User dobergroup wrote:

What is the path of these files? If they are in an arbitrary directory on a partition that is in fat32, then they cannot be shared access. Therefore, it is necessary to clarify what you mean by "temporary files"

I answer dobergroup : Along the path / storage / sdcard, not to be confused with / storage / extSdCard, here are the “temporary files” of all installed applications on my device: messengers, sip telephony with unencrypted records of phone conversations, browsers with browsing history, players with their playlists, social networks, diaries, with personal records of urgent matters.

By temporary files, I mean one thing, and application developers are probably different if the messenger developers whatsapp with an audience of 33,000,000 store unencrypted photos and encrypted correspondence there. Whatsapp is just an example, almost all popular applications store your personal data in / storage / sdcard /% appName% and any other application can access this directory.

For example, this instant messenger stores photos that you have been sent to a directory to which all applications of your device have access, if they have permission to work with the repository:


_{* Photos from the free photo hosting under the license Creative Commons CC0 . 1 , 2 , 3 , 4 .}

But the popular sip client stores the settings for your sip account there:

Temporary files can read any other application?

That is, someone can place the game “2048 - play online with friends” in google.play and drag photos of topless girls from your phone?

I decided to check it out and wrote a small java program for android. It sends the directory structure / storage / sdcard to email.

Source. It sends the / storage / sdcard directory structure to email:

package android.com.testapp; import android.content.Intent; import android.os.Environment; import android.support.v7.app.AppCompatActivity; import android.os.Bundle; import android.view.View; import android.widget.Button; import android.widget.EditText; import android.widget.Toast; import java.io.File; import java.util.Date; public class MainActivity extends AppCompatActivity { Button emailButton; EditText email; @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); email = (EditText) findViewById(R.id.email); emailButton = (Button) findViewById(R.id.emailButton); emailButton.setOnClickListener(new View.OnClickListener() { @Override public void onClick(View v) { getFileStrucure(); } }); } protected void getFileStrucure(){ Filewalker fw = new Filewalker(); fw.walk(new File(Environment.getExternalStorageDirectory().getAbsolutePath())); } private class Filewalker { private int count = 0; private String sked = ""; public void walk(File root) { count++; File[] list = root.listFiles(); for (File f : list) { if (f.isDirectory()) { sked += "time: " + new Date(f.lastModified()) + ", dir: " + f.getAbsoluteFile() + "\n"; walk(f); } else { sked += "time: " + new Date(f.lastModified()) + ", size: " + f.length() + ", " + f.getAbsoluteFile() + "\n"; } } count--; if (count == 0) { sendMail(sked); } } } protected void sendMail(String sked) { Intent i = new Intent(Intent.ACTION_SEND); i.setType("message/rfc822"); i.putExtra(Intent.EXTRA_EMAIL, new String[]{email.getText().toString()}); i.putExtra(Intent.EXTRA_SUBJECT, "android storage structure"); i.putExtra(Intent.EXTRA_TEXT, sked); try { startActivity(Intent.createChooser(i, "Send mail...")); } catch (android.content.ActivityNotFoundException ex) { Toast.makeText(getApplicationContext(), "There are no email clients installed.", Toast.LENGTH_SHORT).show(); } } } 

You enter an email, the application sends the structure of the directory / storage / sdcard, as you understand it, you can do this without asking for email and send, not only the directory structure, but also the files themselves. Hardly google.play so carefully check the applications that are there. Unfortunately, this is a very good tool for maktetologov, they always want to know as much as possible about their users, without saying that you can get personal data in this way.

But what letter comes to you with the content / storage / sdcard, there will be all the files and directories of applications installed on your device:


* There are no directories and application files from google.play that are on your mobile device that you use every day - this is the android sdcard emulator directory.

Link to the github repository for informational purposes.

Look at your / storage / sdcard directory using any file manager for android, also, in my opinion, it is available when you connect the device to a PC as / phone, if you use instant messengers, social networks, task scheduler, see what theoretically anyone can see developer android, who will write in the manifest android.permission.READ_EXTERNAL_STORAGE.

The meaning of the article is that a lot of application developers: soc. networks, instant messengers, sip telephony clients, diaries, do not care about the safety of their users.