Can any closed source app but dont demand any permission be harmful?

Mahem · November 24, 2020, 7:57pm

I have used many apps which dont demands for ops permission work offline , less battery consuming than the google apps work great such as xplorer (fewer permissions), musicolet mp3 player (no permissions)

List item Can such apps be issue for data privacy ?
List item If yes how would they transmit our data ?
List item Can any app communicate with another app installed in the device in the backgroud?
List item Can any game installed in a phone access internet browser app of the phone ?

kingu · November 26, 2020, 7:27pm

Android is not a perfect system, if you grant someone access to run software on your device, my guess is yes. At best, you don’t know that it is a no.

Licaon_Kter · November 26, 2020, 8:54pm

Yes, for all, eg. via Google Services, via intents, via URLs (GET/POST)

Mahem · November 26, 2020, 10:28pm

What if any corporate app mandatory to enter in the premises of the company?
Will it work without google service ?

Licaon_Kter · November 26, 2020, 11:34pm

You should ask them, depends on how they authenticate, bluetooth? nfc? fingerprint? Are servers involved? Who knows… I mean they do.

sschueller · November 29, 2020, 4:56pm

Older version of android (pre 10) would permit you to read the clipboard on change without requiring any permission (in the background).

You could also take this collected data and encrypt it, then send it as a stats event to google analytics (not sure if google stats works now without network permission, it would however queue the items until you are online).

Once the data is in google analytics you can pull it via API and decrypt it.

hans · December 2, 2020, 9:56am

The Android permissions have limited functionality for protecting privacy and security. For example, it is possible to have an app that requests no permissions, but still provides a remote access shell: https://threatpost.com/android-application-allows-remote-access-no-permissions-required-122011/76017/

Mahem · December 2, 2020, 11:04am

Yes hans, I have seen and tested one application on our fdroid which is created by one of our friends to show how any app can access whole applist, proximity sensor without any permission. I forgot the name of app but I have tested that app on my device.
PrivacyBreacher (showcase privacy issues in Android) - https://f-droid.org/packages/io.nandandesai.privacybreacher

Mahem · December 2, 2020, 11:18am

How to find out if any app is accessing without any permission ?

hans · December 2, 2020, 11:54am

I don’t think you could tell if an app is calling specific API methods
at runtime, that would be possible with static analysis of the APK.
Basically, make a list of the method calls, then use apkanalyzer or
dexdump or something to see if it is calling those methods. Likewise,
you could look at the AndroidManifest and the methods to see if an app
is setting itself up to receive specific broadcasts from Android, like
PACKAGE_INSTALLED.

system · January 31, 2021, 11:54am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.