
Pairings of Android apps that leak sensitive data - peter_tonoli
https://www.theatlantic.com/technology/archive/2017/04/when-apps-collude-to-steal-your-data/522177/
======
rainforest
The study is available here[0]. The gist is that an app can launder a request
it isn't privileged to make through another app that is privileged and doesn't
correctly check the intent sender. There are examples in Section 4.3.

[0] [http://people.cs.vt.edu/danfeng/papers/AsiaCCS-17-Yao.pdf](http://people.cs.vt.edu/danfeng/papers/AsiaCCS-17-Yao.pdf)

~~~
HillaryBriss
Maybe I'm reading it wrong, but a lot of the examples in section 4.3 look like
one app inadvertently _sending_ sensitive data to another app (in an intent
object).

i.e. the receiving app is getting some sensitive data it isn't supposed to
have but didn't ask for, and then handling it inappropriately (e.g. leaking it
to a log).

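Both directions described in this subthread, as an added illustration that is not code from the paper, the article, or any of the apps the study analysed: a hypothetical exported service that sends an SMS on behalf of any caller (the laundering case rainforest describes), a hypothetical broadcast that hands a location to whatever app registers for the action (the inadvertent-sending case HillaryBriss describes), and the hardened form of each. Package, class, action, extra and permission names are assumptions; the manifest fragments in comments are assumptions too. Java is used because that is what Android components are written in, so this needs the Android SDK to build, and each public class below belongs in its own source file.

```java
// Added illustration, not code from the paper, the article or any analysed app.
// Package, class, action, extra and permission names are hypothetical.
package com.example.relay;

import android.Manifest;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.telephony.SmsManager;

/*
 * 1. Laundering. Hypothetical manifest entry:
 *      <service android:name=".SmsRelayService" android:exported="true" />
 *    Any app, including one never granted SEND_SMS, can call startService()
 *    with an explicit Intent for this component plus "to"/"body" extras, and
 *    the SMS goes out under this app's permission. A startService() intent
 *    carries no sender identity, so onStartCommand() cannot even ask who sent it.
 */
public class SmsRelayService extends Service {
    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        String to = intent.getStringExtra("to");
        String body = intent.getStringExtra("body");
        SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
        return START_NOT_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) { return null; }
}

/*
 * Hardened relay. Two independent fixes; either one alone closes the hole:
 *  a) Let the system gate the component on the caller's permission:
 *      <service android:name=".HardenedSmsRelayService" android:exported="true"
 *               android:permission="android.permission.SEND_SMS" />
 *     startService()/bindService() then throws SecurityException for callers
 *     that do not hold SEND_SMS themselves.
 *  b) Accept the request only over a Binder transaction, which does carry the
 *     caller's UID, and check the permission inside onTransact().
 */
public class HardenedSmsRelayService extends Service {
    static final int TRANSACTION_SEND = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TRANSACTION_SEND) {
                return super.onTransact(code, data, reply, flags);
            }
            // Meaningful here because we are inside an IPC. The same call from
            // onStartCommand() is not in an IPC and always reports PERMISSION_DENIED.
            if (checkCallingPermission(Manifest.permission.SEND_SMS)
                    != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException("caller does not hold SEND_SMS");
            }
            String to = data.readString();
            String body = data.readString();
            SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
            return true;
        }
    };

    @Override
    public IBinder onBind(Intent intent) { return binder; }
}

/*
 * 2. Inadvertent sending: broadcasting sensitive data on an implicit intent
 *    delivers it to every installed app whose receiver filter matches the action.
 */
class LocationPublisher {
    static final String ACTION = "com.example.relay.LOCATION_UPDATE";

    // Leaky: any app with this action in a <receiver> filter gets the
    // coordinates and may log or upload them, exactly the pattern in section 4.3.
    static void publishLeaky(Context ctx, double lat, double lon) {
        ctx.sendBroadcast(new Intent(ACTION).putExtra("lat", lat).putExtra("lon", lon));
    }

    // Hardened: pin the recipient package so the intent is no longer implicit,
    // and require a permission (declared by this app, ideally signature-level)
    // that the receiver must hold before the broadcast is delivered to it.
    static void publishHardened(Context ctx, double lat, double lon) {
        Intent i = new Intent(ACTION)
                .setPackage("com.example.trustedconsumer")
                .putExtra("lat", lat)
                .putExtra("lon", lon);
        ctx.sendBroadcast(i, "com.example.relay.permission.RECEIVE_LOCATION");
    }
}
```

The two halves are the two shapes the paper's section 4.3 pairs take: in the first the privileged side is the confused deputy and the fix is to make it identify or gate its caller; in the second the privileged side is the one talking too freely and the fix is to make the intent explicit and permission-protected.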
------
quirkot
Or in other words: There are 35 apps that can leak your data to tons of other
apps. However we're not going to tell you which ones.

~~~
quirkot
Also... MUSLIMS! In case you weren't suitably terrified by the meaningless
large numbers

~~~
jstanley
In no way does it imply you should be scared of the Muslims.

In the example given, it is the Muslims who should be scared.

~~~
quirkot
> In no way does it imply you should be scared of the Muslims.

It's not implying that you should, it is expecting that you are. It's a FUD
article touting b.s. numbers to boost the impression of vulnerability, and of
the 35-ish problem apps they chose to describe the one that's a Muslim prayer
app. Why not choose a stopwatch app or a flappy bird clone or literally ANY of
the other ones? Because they are depending on your preexisting, generalized
fear of Muslims.

> In the example given, it is the Muslims who should be scared.

Yes, I agree. Not only are they the victims of poorly written apps, they are
also the victims of poorly written news.

------
endorphone
I only use Nexus and Pixel devices lately, so I'm not sure if this is
available on all devices, but for apps that I have any worries about (e.g.
100% of games) I have a second user, on an empty gmail account created purely
for that purpose, that I switch over to. It takes less than three seconds to
switch accounts, I game and get the diversion, and then switch back. The
downside is that I don't get notifications, and some privileged info is still
available to the apps (although I block the ability to make calls or send
texts to the other number, etc), but it does greatly reduce the surface area
of the exposure.

------
dfc
For anyone looking for the dataset:

[https://amiangshu.com/dialdroid/](https://amiangshu.com/dialdroid/)

------
bddap
FUSE does this.
[https://formal.tech/products/fuse](https://formal.tech/products/fuse)

~~~
bddap
Here's a graph.
[http://fuse.galois.com/nexus4/visualization/](http://fuse.galois.com/nexus4/visualization/)

~~~
jstanley
It is not at all clear what this graph is meant to represent.

------
pbhatia
Is there a list of the apps anywhere?

