Universiteit van Amsterdam
System and Network Engineering
Personal Data Collection of Android Applications Sebastian Dabkiewicz -
[email protected] Mohammad Shafahi -
[email protected] May 29, 2012 Abstract Phones have become more and more important for us nowadays. With the introduction of smart phones the devices gets more functionality. They act as a small personal computer. During this project we conducted a research on several free Android applications which require to more permissions than they actually need. We sniffed the traffic between the phone and the internet, and searched for leaking private information. We found out that the private information we saw was send to advertisement company’s and HTC, the manufacturer of the phone. During our experiment we didn’t see any other traffic with private data passing by.
Offensive Technologies Project report Personal Data Collection of Android Applications
Contents 1 Management summary 1.1 Summery of Introduction . . . . . . . . . . . . . . . . . . . . . . . . 1.2 Most important findings . . . . . . . . . . . . . . . . . . . . . . . .
4 4 4
2 Introduction
5
3 Environment 3.1 Android . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7 7 7
4 Experimental methods 4.1 Access Point . . . . . . . . 4.2 Phone . . . . . . . . . . . 4.3 Applications . . . . . . . . 4.3.1 Flashlight . . . . . 4.3.2 Ghost Radar . . . 4.3.3 Scare Your friends 4.4 Traffic sniffing . . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
9 9 9 9 9 10 10 10
5 Results 12 5.1 HTC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.2 Airpush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6 Conclusion
16
7 Further research
17
A Permissions for the Flashlight application
18
B Ghost Radar and Scare your Friends
20
2
List of Figures 1 2 3 4
Application with an advertisement . . . . . . . . Setup of the experimental environment . . . . . . Map generated using google API for the location . Airpush advertisments in the status bar . . . . . .
3
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. 7 . 11 . 14 . 15
1
Management summary
1.1
Summery of Introduction
Phones have become more and more important for us nowadays. With the introduction of smart phones the devices gets more functionality. They act as a small personal computer. During this project we conducted a research on several free Android applications which require to more permissions than they actually need. We sniffed the traffic between the phone and the internet, and searched for leaking private information.
1.2
Most important findings
In this research we found out that: We found out that the private information we saw was send to advertisement company’s and HTC, the manufacturer of the phone. During our experiment we didn’t see any other traffic with private data passing by.
• Private information leak by advertisement API’s provided by advertisement companies • Private information leak by manufacture vendors software installed on the phone • Some software will also push unwanted stuff into the notification, like advertisement and links to install other application that will charge or even abuse your phone
4
2
Introduction
A decade ago one could only use the mobile phone to call and send SMS. Nowadays with the fast growth of internet connectivity on the mobile phone and the growing market share of smart phones in the mobile market, mobile phone have become more than just a calling device or a device for sending SMS. They have become a part of our life. Phones, specially smart phones, are like pocket computers for us. We send and receive e-mails, take pictures and videos, browse the web, read books etc. with them. It’s nice to have a device that can be easily carried and can do lots of jobs for you but this can also be dangerous. Doing all these tasks with the phone means giving the phone a lot of personal and professional information (or in general your private data). This data is mostly stored in the phone such as your contacts, photos and so on. Now when there is private data there is also an interest in retrieving this data it by others. That’s why most mobile users have a code or pattern to unlock there phone so in case the phone is stolen or lost others don’t get access to it. The problem here is that just locking your phone doesn’t keep your privacy from others. Because of the nature of your phone you are actually connected to the outer world via all sorts of communications channels such as voice, SMS, MMS, Internet (using wifi, GPRS or 3G) etc. On the other hand the ability to install applications on the phone has given 3rd parties the opportunity to access the phones functionality. These 3rd party applications are easily installable via market places provided mainly by the provider of the operating system of the phone. For some of the markets any 3rd party can easily publish there application in the market for any price they want and even for free. Now this gets even more interesting when we notice that some applications in these markets request more permissions that what they really need to deliver there promised functionality. For example why would a simple flash-light application, which only turns on and of the LED of the phone, want access to the network or phone information. There are two main operating systems for smart phones Android by Google that is an open source OS and iOS by Apple that is a closed OS that only runs on apple hardware. Since android is open source and other mobile vendors can also implement it as there smart phones OS it is becoming more and more popular. In this research we have investigated in the risks of installing free applications with the Androids market (Play Store) without carefully considering the permis5
sions granted to them. We have concentrated on Android phones because based on research done by Gardner[7] it had 50.9 percent of the market share in the 4th quarter of 2011 and because of time constraints and simplicity we have only focus on WiFi connection as the back door for sending out data. In this report we will first cover the the basics of Android and Android applications then we will give an overview of our testing environment and finally we will discuss the results of our experiment.
6
3 3.1
Environment Android
Android[3] is an Linux based operating system for mobile devices like mobile phones or tablets developed by Google. It is the most popular mobile operating system. Based on research done by Gardner[7] it had 50.9 percent of the market share in the 4th quarter of 2011. Android is this popular because it is an open source operating system[11] and the Google play[13] store (formerly known as Android Marked) is full of free or quite cheap applications, with an average price of US$ 3,74[4].
3.2
Applications
There a many so many different applications (app’s) available in the market from a simple flash light to complex and advance applications like route planners, games and so on. Since most of the applications are quite cheap or free of charge they use advertisements inside the application to make money. See figure 1. (Some times they come in two versions a free one with advertisement and one that you pay and has no advertisements)
Figure 1: Free application Rail Maze with an in app advertisement There are applications that aren’t just created to bring the user a nice user experience but they are also intended to make lots of money. These applications 7
would gather your personal data and use/sell them in a way that they get a benefit of it. For example if the advertisement company knows that one is looking for beer on the internet why not show a targeted advertisement for a beer companies, so that is is more likely that the user will click on it.
8
4
Experimental methods
We will conduct our research in the System and Network Engineering (SNE) Lab, there we had access to a desktop computer where we can install the Backtrack Linux R2[5] distribution. Backtrack Linux is Penetration Testing Distribution, with a lot of security related tools installed.
4.1
Access Point
After installing Backtrack we made it act like an access point. To do so we needed a wireless network adapter which can run in master mode, which was available in the server room. We also installed a DHCP-server to give out IP-addresses to the associated devices. Finally we needed to redirect traffic to the internet and we did so by adding some iptables rules. We used the manual available in [1] to set up the access point.
4.2
Phone
To conduct our test we got a LeeDrOiD[10] with a rooted HTC Desire Android Phone with Android version 2.3.3. On this phone we installed and ran the applications we wanted to test.
4.3
Applications
To find some interesting applications to work with we searched in the Google Play store for some suspicious applications. We searched for applications which do almost nothing but require a lot of permissions to run. To find this kind of applications we looked into the most popular free applications in the Google Play store and searched for suspicious application. We found several application and for our project we limed us to the following applications which are described below. 4.3.1
Flashlight
Flashlight[6] is a application which turns your smart phone in to a flashlight. It is very basic when turned on it turns on the LED-light of the camera of the smart phone. To preform this task the application requests a lot permissions, which are described in appendix A. Below some of these permissions are discussed. Because the application is using the LED-light of the camera of the phone it 9
could be that it need the permission to control the hardware. To be more precise the LED of the camera, so that only the LED of the camera can be used with this permissions. But looking further in the permissions which the software requires there is another section which wants permission to be able to capture photos and videos . So there is more than what the application needs. Furthermore the application wants access to the internet, this is needed to be able to load advertisements from the internet to show them to the user of the application. Unfortunately the permission isn’t restricted to that, this ability could also be used to send private date of the phone to a foreign server. 4.3.2
Ghost Radar
Ghost Radar[8] uses the mobile device’s sensors to detect nearby activities and shows them in a radar. The permissions which are required by this application are described in appendix B. Some permissions which Ghost Radar requires are a bit to much. for example: Read and write the history and bookmarks of the browser. One should wonder why such an application needs the ability to do so. But the most scary requirement is the ability to read the phone state and identity, here one gives the application the permission to read the phone number and serial number of the phone, and also information to the actual call status, and how he or she is calling. This brings also a privacy risk for other people, who aren’t using this applications. 4.3.3
Scare Your friends
Scare Your friends[12] is a application which can be used, as the name says, to scare your friends by setting a timer after which a image and a scary sound will played, even if the speaker of the phone is in the mute stand. The application comes from the same developer as Ghost Radar and requires exact the same permission as this application.
4.4
Traffic sniffing
To find out if the application is sending out data we sniffed the data which was sent between the phone and the Internet with the access point. So we where able
10
to see all the traffic from and to the phone. A basic overview of the setup can be found in figure 2.
Figure 2: Setup of the experimental environment We tried to sniff the traffic during the night-time, so we ran the applications at the end of the day and left the phone alone in the lab. So that we could stop the capturing and collect the dumps of the packets the next day and analyze them.
11
5
Results
During our test we ran Wireshark to capture the traffic between the phone and the internet. Using the captured packet dump we then analyzed the traffic. First of all we looked into encrypted traffic and found out that there was no encrypted traffic other then the ones going to Google servers that is not interesting for us in this research because we consider Google secure. Then we looked into the plain text traffic which was send by the phone. We found out that most of the traffic is not interesting for us except for two classes of Traffic. Traffic generated by HTC software and Traffic generated by the installed applications which sends data to the Airpush’s website.
5.1
HTC
The HTC traffic is there to provide extra features to the Android OS and it is known as HTC sense that is specific for HTC devices. Below is a sample of the data sent in plain text to http://andchin.htc.com/android/checkin: "id":"66d2202560c2ae2c", "checkin":{ "checkin_type":"Auto", "mcc_mnc":"", "mid":"PB9920000", "build":{ "product":"bravo", "id":"htc_wwe\/htc_bravo\/bravo\/bravo:2.2\/FRF91\/293415:user\/release-keys", "revision":"129", "firmware_version":"3.06.707.0 CL41007 test-keys", "radio":"32.49.00.32U_5.11.05.27", "carrier":"htc_asia_wwe", "bootloader":"0.80.0000", "build_type":"user", "changelist":"41007", "serialno":"HT03YPL07236" }, "cid":"HTC__E11", "connection_media":"Wifi", "ip":"192.168.2.130", "client_version":"A2.1(GB)"}, "model_number":"HTC Desire", "digest":"433ebdede2f5ed8db80e832a7f1923", 12
"last_checkin_msec":"1337649249989", "imei":"357841030993287", "locale":"en_US" As one can see the HTC traffic leaks a lot of information in plain text like the phones International Mobile Equipment Identity (IMEI, a number unique for every phone), the phone model and serial number of the phone. It also transmits how one is connected to the internet in our case WiFi and the IP-address which is in use by the user.
5.2
Airpush
Airpush[2] is a advertisement company and provides advertisement services like Google Adsense[9]. The Airpush traffic is generated by an HTTP request to an in the application implemented advertisement API, which is implemented in the most applications we installed. Below a sample of the data which is sent in plain text to the following url: http://api.airpush.com/v2/.php
apikey=1322562832850076238& appId=37263& imei=4b2972c88d1e78184c6beac11f21f571& token=74fd8ffa758cc97f16ab02adc56a9eff& request_timestamp=Mon+May+21+19%3A02%3A38+GMT%2B01%3A00+2012& packageName=net.ghost.radar& version=10& carrier=& networkOperator=& phoneModel=HTC+Desire& manufacturer=HTC& longitude=4.955710455555556& latitude=52.35447566666667& sdkversion=4.02& wifi=1& useragent=Mozilla%2F5.0+%28Linux%3B+U%3B+Android+2.3.3%3B+en-us%3B+HTC+Desire+Build android_id=66d2202560c2ae2c& longitude=4.955710455555556& latitude=52.35447566666667& model=user& action=setuserinfo& 13
APIKEY=1322562832850076238& type=app As one can see the application sends a lot of private information to the Airpush service in plain text. Like the location of the user (with longitude and latitude - see figure 3, which was in our case the Science Park in Amsterdam), the MD5 hashed IMEI of the phone, the Android id (that is a unique identifier for each android OS), the application which is currently running (application id and package name). Also the current timestamp is send to be able to track the user during the day.
Figure 3: Map generated using google API for the location Applications which use the Airpush api for advertisements not only leak your private information to a third party but also provide the ability for Airpush to push advertisements into the notification bar of the phone, as shown in figure 4. In most cases after clicking such an advertisement, an .apk-file is downloaded which is been used to install a another application. For testing purposes we clicked 14
Figure 4: Airpush notification advertisments in the status bar of the phone on one of these advertisements and started the installation of the application. After the start of the installer we saw an ”warning” that running this application causes receiving three SMS messages per week which cost 1,50 Euro per received SMS.
15
6
Conclusion
Our results shows that the data of a Android user is under a risk. The private data we found was sent in plain text mainly to advertisements company’s which use this data to create profiles of the user to be able to send them targeted advertisements. These company’s are able to create huge database with our data. So are they able to track us during the day, and see which applications we are using. Since the IMEI, the timestamp (when the application is used) and the application used is send to them. Also the position of the phone is leaked, if a application is running in the background, it is possible to create a map of points where the user has been over several day’s of even weeks. The worst thing about all this is that this data is all transferred in plane text so not only the companies get access to it but also anyone that receives our traffic (is able to sniff the smart phones traffic) will gain access to this information Although much information is send to advertisement company’s the applications didn’t use all the permissions which where granted during the installation. We didn’t see pictures coming by for example. But this doesn’t mean they don’t because we had limited time to conduct the test. In conclusion we should say that the user must be very careful on what applications he or she is installing and also the smart phone OS should also clarify more what accesses is the application granting and for what. Another important thing is that some vendors have added software to the original OS that is also leaking information and the user is unaware of this because the software is already installed on purchase. This suggests that there should be some kind of regulation on vendor software also.
16
7
Further research
There is a lot of more work which has to be done in this field. Due time limitations we weren’t able to test a lot of applications. But the one we tested leaked the private information of the owner of the phone. We want to propose that in the future a test can be conducted where the applications runs for longer time frame, than just one night. For example several days to one or to weeks. So that there can be a pattern found in which applications are sending data, if they do. It is also helpful to conduct the test on fresh smart phones to see if vendor applications have leakage and what they leak in different situations.
17
A
Permissions for the Flashlight application
This application has access to the following:
Hardware controls take pictures and videos Allows the app to take pictures and videos with the camera. This allows the app at any time to collect images the camera is seeing.
Network communication full Internet access Allows the app to create network sockets.
Phone calls read phone state and identity Allows the app to access the phone features of the device. An app with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
Storage modify/delete USB storage contents modify/delete SD card contents Allows the app to write to the USB storage. Allows the app to write to the SD card.
System tools change your UI settings Allows the app to change the current configuration, such as the locale or overall font size. modify global system settings Allows the app to modify the system’s settings data. Malicious apps may corrupt your system’s configuration. prevent tablet from sleeping prevent phone from sleeping Allows the app to prevent the tablet from going to sleep. Allows the app to prevent the phone from going to sleep.
Hardware controls control flashlight Allows the app to control the flashlight.
Network communication view network state Allows the app to view the state of all networks. 18
Default power tablet on or off power phone on or off Allows the app to turn the tablet on or off. Allows the app to turn the phone on or off.
19
B
Ghost Radar and Scare your Friends
This application has access to the following:
Your location coarse (network-based) location Access coarse location sources such as the cellular network database to determine an approximate tablet location, where available. Malicious apps may use this to determine approximately where you are. Access coarse location sources such as the cellular network database to determine an approximate phone location, where available. Malicious apps may use this to determine approximately where you are. fine (GPS) location Access fine location sources such as the Global Positioning System on the tablet, where available. Malicious apps may use this to determine where you are, and may consume additional battery power. Access fine location sources such as the Global Positioning System on the phone, where available. Malicious apps may use this to determine where you are, and may consume additional battery power.
Network communication full Internet access Allows the app to create network sockets.
Your personal information read Browser’s history and bookmarks Allows the app to read all the URLs that the Browser has visited, and all of the Browser’s bookmarks. write Browser’s history and bookmarks Allows the app to modify the Browser’s history or bookmarks stored on your tablet. Malicious apps may use this to erase or modify your Browser’s data. Allows the app to modify the Browser’s history or bookmarks stored on your phone. Malicious apps may use this to erase or modify your Browser’s data.
Phone calls read phone state and identity Allows the app to access the phone features of the device. An app with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
Hardware controls control vibrator 20
Allows the app to control the vibrator.
Network communication view network state Allows the app to view the state of all networks.
System tools automatically start at boot Allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the tablet and allow the app to slow down the overall tablet by always running. Allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the phone and allow the app to slow down the overall phone by always running.
21
References [1] Access point backtrack 5. Website. available at http://teh-geek.com/?p= 512; on 29th May 2012. [2] Airpush homepage. Website. available at http://www.airpush.com/; on 29th May 2012. [3] Android homepage. Website. available at http://www.android.com/; on 26th May 2012. [4] Android market vs. app store prices: Why android users pay double [study]. Website. available at http:// searchenginewatch.com/article/2155122/Android-Market-vs. -App-Store-Prices-Why-Android-Users-Pay-Double-Study; on 22th April 2012. [5] Backtrack homepage. Website. available at http://www.backtrack-linux. org/; on 25th May 2012. [6] Flashlight on goolgle play. Website. available at https://play.google. com/store/apps/details?id=com.intellectualflame.ledflashlight. washer&feature=apps_topselling_free; on 25th May 2012. [7] Gartner says worldwide smartphone sales soared in fourth quarter of 2011 with 47 percent growth. Website. available at http://www.gartner.com/ it/page.jsp?id=1924314; on 22th April 2012. [8] Ghost radar on google play. Website. available at https://play.google. com/store/apps/details?id=net.ghost.radar; on 29th May 2012. [9] Google adsense homepage. Website. available at http://www.adsense.com/; on 29th May 2012. [10] Leedroid homepage. Website. available at http://www.leedroid.com/; on 25th May 2012. [11] Licenses - android open source project. Website. available at http://source. android.com/source/licenses.html; on 25th May 2012. [12] Scare your friends on google play. Website. available at https://play. google.com/store/apps/details?id=com.scare.yourfriends; on 29th May 2012. [13] Website goolge play. Website. store; on 22th April 2012.
available at https://play.google.com/
22
