
Ways to leak your data: apps’ circumvention of the Android permissions system - mpweiher
https://blog.acolyer.org/2019/09/25/50-ways-to-leak-your-data/
======
panpanna
> Unity (the cross-platform game engine) using a UNIX ioctl call to obtain the
> MAC address of the WiFi network interface. 748 apps were found to be
> gathering and sending the MAC address in this way without holding the
> ACCESS_NETWORK_STATE permission.

Can anyone from Unity comment on this?

~~~
jackewiehose
Unity is not necessarily doing something wrong. As a library/platform-wrapper,
it is their job to provide stuff like that. If such syscalls are meant to be
forbidden, the OS has to prevent them.

(I'm not from Unity)

~~~
dmitrygr
One does not _accidentally_ develop a complex side-channel attack. It was a
deliberate effort to circumvent user wishes.

I wish Google had the balls to ban apps that do this for a few weeks from the
Play Store. That would teach them fast.

~~~
jackewiehose
Using ioctl() is not a complex side-channel attack. It's a legitimate (and
maybe only) way to do certain things on Linux. Since Unity is cross platform,
I could imagine they just peeked at their existing code base when implementing
the Android version.

~~~
dmitrygr
Except, according to the article, they first try the proper Android API. And
then only do this thing if the API tells them they have no permission.

~~~
jackewiehose
That paragraph in the article isn't about Unity, it's about the "OpenX SDK"
and that is indeed a very shady behavior (I guess it's right that uMatrix
completely blocks all access to www.openx.com).

------
JohnFen
I don't really trust the Android permission system very far.

This is why I run a rooted Android and use a firewall -- applications (and
Android itself) are not permitted to communicate out from my device unless I
specifically allow them to. I also don't give any a full-time pass through the
firewall. If I need something to talk to the wide world, I allow it just for
that transaction, then firewall it off again.

As a backup, I also run a VPN server out of my home, and firewall off all
network interfaces except for the VPN. That way my home network's defenses are
also fully in force.

~~~
jackewiehose
> I don't really trust the Android permission system very far.

Me neither. That's why I only install apps I trust.

I also would like to have a rooted phone but browsing through the xda-forums
and dealing with all those hacks and software from unknown sources never felt
really trustworthy to me either.

------
threecoins
One thing I found the WhatsApp app does is that, if it detects that notification
is disabled for a notification group like, say group chats, it deletes and
recreates the permission group and Android automatically enables it again as
`enabled` is the default setting. I'm pretty sure all of Facebook's apps do it
but I don't have any of their other apps on my phone.

~~~
panpanna
Wait, what??

If this is true, Google should kick them out of the Play Store.

------
chopin
Today I learned that you can make native calls on Android. Isn't any SDK
permission system moot if that is allowed?

~~~
panpanna
No, the permission system is enforced in java and native code.

Of course, there are some holes but they are being fixed once found.

------
iicc
> https://www.usenix.org/system/files/sec19-reardon.pdf

Is there a non-pdf version? (HTML or epub) The pdf is elegant, but not good
for reading on-screen.

