
FTC finds Android Apps harvesting data with permissions off [pdf] - alvern
https://www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_serge_egelman.pdf
======
alvern
from the pdf

• We designed a pipeline for automatically discovering vulnerabilities in the
Android permissions system through a combination of dynamic and static
analysis, in effect creating a scalable honeypot environment.

• We tested our pipeline on more than 88,000 apps and discovered a number of
vulnerabilities, which we responsibly disclosed. These apps were downloaded
from the U.S. Google Play Store and include popular apps from all categories.
We further describe the vulnerabilities in detail, and measure the degree to
which they are in active use, and thus pose a threat to users. We discovered
covert and side channels used in the wild that compromise both users’ location
data and persistent identifiers.

• We discovered companies getting the MAC addresses of the connected WiFi base
stations from the ARP cache. This can be used as a surrogate for location
data. We found 5 apps exploiting this vulnerability and 5 with the pertinent
code to do so.

• We discovered Unity obtaining the device MAC address using ioctl system
calls. The MAC address can be used to uniquely identify the device. We found
42 apps exploiting this vulnerability and 12,408 apps with the pertinent code
to do so.

• We also discovered that third-party libraries provided by two Chinese
companies—Baidu and Salmonads—independently make use of the SD card as a
covert channel, so that when an app can read the phone’s IMEI, it stores it
for other apps that cannot. We found 159 apps with the potential to exploit
this covert channel and empirically found 13 apps doing so.

• We found one app that used picture metadata as a side channel to access
precise location information despite not holding location permissions.
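
As an added illustration (not from the quoted PDF and not the researchers' pipeline), here is a minimal sketch of the kind of dynamic-analysis check the first bullet describes: seed a test device with known values, then flag apps whose captured outbound traffic contains a value their granted permissions do not cover. The seeded values, app names, payloads, the set of encodings searched and the data-type-to-permission mapping are all constructed assumptions.

```python
import base64
import hashlib

# Constructed honeypot values seeded on the test device (not real identifiers).
SEEDED = {
    "imei": "351234567890123",
    "device_mac": "02:1a:11:f0:0d:01",
    "router_mac": "02:5e:10:aa:bb:cc",
    "location": "12.3456,-65.4321",
}
# Assumed mapping: holding any listed permission legitimises access to the type.
GUARDS = {
    "imei": {"READ_PHONE_STATE"},
    "device_mac": {"ACCESS_WIFI_STATE"},
    "router_mac": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
}

def encodings(value):
    """Byte forms in which a seeded value may appear inside a payload."""
    raw = value.encode()
    return {raw, raw.upper(), raw.replace(b":", b""), raw.hex().encode(),
            base64.b64encode(raw), hashlib.md5(raw).hexdigest().encode(),
            hashlib.sha1(raw).hexdigest().encode()}

def leaked_types(payload):
    """Data types whose seeded value occurs in one captured payload."""
    return {kind for kind, value in SEEDED.items()
            if any(form in payload for form in encodings(value))}

def audit(apps):
    """Map app name -> sorted data types sent without a guarding permission."""
    findings = {}
    for name, (permissions, payloads) in apps.items():
        seen = set().union(*(leaked_types(p) for p in payloads))
        unguarded = sorted(k for k in seen if not GUARDS[k] & permissions)
        if unguarded:
            findings[name] = unguarded
    return findings

# Constructed capture: app name -> (granted permissions, outbound payloads).
IMEI_MD5 = hashlib.md5(SEEDED["imei"].encode()).hexdigest().encode()
APPS = {
    "com.example.flashlight": ({"INTERNET"}, [b"bssid=02:5E:10:AA:BB:CC"]),
    "com.example.game": ({"INTERNET", "ACCESS_WIFI_STATE"},
                         [b"did=" + IMEI_MD5, b"mac=02:1a:11:f0:0d:01"]),
    "com.example.dialer": ({"INTERNET", "READ_PHONE_STATE"},
                           [b"imei=351234567890123"]),
}
```

Calling `audit(APPS)` reports the flashlight app for the router MAC and the game for the hashed IMEI; the dialer is not reported because it holds the permission that guards the value it sends.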

