New twist to an old concept. It was actually already done about 2 years ago now;
https://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf

And then again a few months back;
https://viaforensics.com/security/nopermission-android-app-remote-shell.html

It's interesting that people are making a fuss over the Android_ID though:

<< The Android ID could be used as a way to identify a specific handset. >>

Especially since it is _meant_ to be used to identify a specific handset and not require extra permissions (like the IMEI/IMSI). This value is also changed on each factory reset of a device.

-Tim Strazzere

On Thu, Apr 12, 2012 at 2:25 PM, Jeffrey Walton <noloa...@gmail.com> wrote:

> On Sat, Mar 3, 2012 at 9:47 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> > From http://www.itworld.com/security/255210/google-response-flaw-lets-apps-steal-photos-ditch-insecure-apps-thats-all-them :
> >
> > ... all the apps on the Android Market get access permissions from
> > Android's built-in security, which is so flawed it can't stop applications
> > from improperly accessing data even when they don't intend to. So, if
> > Google gets rid of all the apps Android would allow to access data
> > improperly, it will be getting rid of all the apps.
> >
> > "We need a more fine grained permission system on android,"
> > http://lwn.net/Articles/409230/
> >
> > "Dr. Android and Mr. Hide: Fine-grained security policies on unmodified
> > Android," http://www.cs.umd.edu/~jfoster/papers/acplib.pdf
> >
> > "The Effectiveness of Application Permissions,"
> > http://www.cs.berkeley.edu/~afelt/felt-permissions-webapps11.pdf
> >
> > And last but not least (it's alarming how permissions map to actions in
> > practice):
> >
> > "Android Permissions Demystified,"
> > http://www.cs.berkeley.edu/~afelt/android_permissions.pdf
>
> A new twist just arrived (or it looks new to me). An app with no
> permissions gets pseudo-READ_PHONE_STATE for free.
>
> ""No permissions" Android app allows secret data harvesting,"
> http://www.zdnet.com/blog/hardware/no-permissions-android-app-allows-secret-data-harvesting/19709
>
> Paul Brodeur, security researcher with Leviathan Security Group, has
> created a proof-of-concept app that shows how an Android application
> which doesn’t ask for any security permissions is still able to get
> access to data stored on SD cards, data stored on the handset by other
> apps, and information about the handset and handset’s Android ID.
> ...
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> android-security-discuss@googlegroups.com.
> To unsubscribe from this group, send email to
> android-security-discuss+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.