Android concept app siphons sensitive data
A security researcher has developed an application that demonstrates how sensitive data can be stolen from Android phones without user permission.
The application can access contents of a phone's SD card, tap into app data and upload sensitive data without requiring permissions. Permissions were a security system on Android phones that require applications to ask users for access rights to phone contents like contacts, data and the ability to access communications.
“...it's trivial for any installed app to execute these actions without any user interaction,” Leviathan Security consultant Paul Brodeur said in a blog post. The No Permissions application contained three buttons that demonstrated the weaknesses in the permission system. One button could return a list of visible files stored on a phone's SD card such as photos, backups and configuration. Using the app Brodeur found OpenVPN certificates on his storage card.