A Tale of Three Brothers: Three Android Privacy Bugs

yep like that you see it

you

yep

yeah

testing field same thing apply applied situations

you

[Music]

[Music]

there's something before related because that which you wherever you capture from the stock though the lawyer I'm not a lawyer a new lawyer so this is myself extremer this information can be used don't talk about some annual teachers first learn to understand these parts are Bob you can some Andrew probably model specifically so but ultimately we have phones and mobile phone apps from one of the issues that both Apple new faces how do you make sure their apps on the phone do some demolition began to travel around they don't against each other at the sandbox which I'm not really - the problem is you know you have a sign market segments from each other I do reach through the

net for each other so we example you have a Facebook integration for example

so the Android provides an enzymatic didn't give you consent and some other applications can receive the problem is by default and the open ended and it's on address 21 so any applicant same device can listen to the attempt to capture that data and include restricted to specific receivers people don't tend to do that so the other than the manual tasks in Android this is kind of like the top five is a little bit what the broadcasts are one of the other thing else if you again doing any programming so an identification consists of multiple components tivities their services begin a scope that is what they are but essentially linear each other is also pretend with your packing on you

get it what's app and sorry sending your message there has to be something there this kind of interview attention there's also common to be using intents so besides their applications communicate with among other applications in various comments the problem is that let's say you have a login screen in your application it does would have been sent along information server authentication it's open-ended in your app in C so if you don't do it properly and crispy juicy verb and any other application and anyway you can see that information very combination with engineering agents and then drew five of em try to fix this and whether it's under local broadcast 900 in your program within one application

it's an API that works on the documents in your application for this small sample but for our purposes of this talk what we need to know is that an application could send a message to another application if it doesn't properly restrict who is sending it to anybody else any other app on the device can see no permission required and also if the application fails to carry information in your napkin capture them this is a screenshot from their official application that entered provides this is kind of how it works so you have again activity is a component both its purposes jewels OS device the Falls faster even and some of the listening to it in capture if you wanted to visit the

Java version how you do this you notice there's two things there the action and the action is the name of the app so there's some system once all they see all the athletes to do on the receiving side listen for that action and whatever you want in there in a sense it's alarming if you do your Bitcoin you know privately someone device will capture now in terms of sort of how do we look at risk so you have ended phone yes a user should not solve a malicious app a user will discover so one of the things that we have to be reliant operating system to do you install the malicious app there has to be some situation but

there has to be sort of sort of simulation between different application components if someone does install the malicious app and assuming they don't fall for and they'll information just install the app that lets sort of you is it verse the first pieces so application send messages among each other if you don't properly use the functionality some of the application can capture it and can use it for themselves that's the first piece but not me no but the second one is again going back to the sandbox a there is a concept permissions now it's interesting is that permission in the operating system did a different encouragement purpose of permissions and naturally that before modification does something

sensitive for example of application or pseudomonas publication or certain text messages or an application needs access to something that you have contacts portals to be able to see you front of that fire there those are full permissions natural I'm going to stress again they're not operating system permissions they're very different this is simply that an operative indicates that an application I want all the West this is what I need to know these things are done statically so the certification that goes to those are the main Android has a manifest it's not if you want to take a look Donald apk that's the packages and authentication there's a Google ad at the Rana Pratap who spit out for permissions they're

using those permissions actually go directly into the little place storms when you can application there's buried within every distinct information instruction English to see what applications one of the delegation is requesting that's not the directly from here and Google does more stop with that for example sort of permission economic West they're the mission did you want any presents with the App Store presentable accessibility the ability permissions is something that's a very heavily abuse to Google Inc economic core hardly right now it was going to Google Apps and pull up all the apps and happen permission what happens with permissions again I need to use the border but that's what they're cold is there you come out for you as a user

and they come up in many different places most of them come up with installation talk when you put them stall permissions it's not a great control but it's better than nothing now what's happening is s each version of Android things like listening to the messages that have its limitations the promise sometimes you may happen every single time so now there's a little farm theater one is that I'm an application developer I included permissions in with the actual operating system nas of the particular version of the operating system particular Bandera tender on Google and then may come up differently depending on which version where they happen and what certain things but the concept here is that the purpose of

revisions is that medium application developer should not be able to get access to something that is uncynical at its data but as a future without the use it no matter some permissions can always be accessed on a frank system nakatsu again if you take a look is he go further outbursts seven eight nine Android the amount of certain conditions increases there an important point so we just talked about the temp permissions have no connection to enhance if you're enhan descending around X messages for fallen or lacking information not having the permission to access it at one company because isn't smart enough to go through your messengers and start parsing are polymers if that's not the

purpose to different features different security controls so the bottom line is again is that just go back as the two things that we need to know one is that every patient and Iran has ability to send receive messages and those are not necessarily unless you take the effort to control them they're not control Simon every patient has requests permission before it does something for permission anger is one of most absent now so this is kind of funny no for this here are some examples that's a natural permission it's very much in that I'm an application developer I contribution to seven taxes a lot of Asians have captured like you could actually revoked it afterwards this is also examples from the

communication this point that actual thing loops bike that's install time on the left the middle one is the first time you're on the app and this one actually what happens every single time little dialects have never asked again so that's what's supposed to have within the metric in a perfect world before and that doesn't mean that is supposed to ask you for permission before it doesn't now I'm obviously you just can't be fooled into again because there's a different problem that's how about I'm going to be discussing here now there's at the part I'm actually don't talk about the disclosure so what I'm going to talk about do be someone to talk it's called able to be rather than familiar the

Harry Potter reference because all the box comes from the same source so in this section I'm doing exactly what they do I mean they're from they kind of figured out what the Box are little so what could be specific do you mind they're separate because they're so that's we just talk about hands they're simple you know somebody else it's what yeah stuff Android operating system sent attempts all the time it's very useful because for example if you have an application that need to know the phones all the time you can same thing applies if the operating system fails to see in a district where the same is done which they will not because the whole purpose of operating system

sending this information is for application developers and other apps to capture them even if you need permissions so for example the diary system is going to send your Wi-Fi data through the message system our message not having Y permissions on your app because so the rule of the bhaktir is [Music] the vendor failed which is Android Open Source Project Google whichever way you wanna slice it they have failed to securely features will happen system regulators something pants that happened on every single language on the world both cases they sent sensitive data back and forth every African captured no special permission is needed this is not a security feature this is not a security bar what happens

in this case the so all those so again it's now in most permissions nobody has to know the dhobi teleport so that's you know the basically the bottom line here is is that just to go back to what the bug is if you have messages that are flying back and forth from the operating system and whatever they want with that and the permissions dropped and Android the mission normally should protect these does not move the actual box that is free now the disclosure process here was complicated I have the problem for the role file together with march eventually I have insufficient happened to be different box it was as explosion prophecies knows it wasn't the most harm that it wasn't

great so they are split up and be different once they see this I'm also different because as I'll show you there now the first one here so it finds a little bit of sort of background knowledge it's actually better information now if you're not familiar with all of this city without programming they used to be an API in browser that gives you better information and what this point we have because what happen was about a year after and specifically you put the tracking respawning as a result it's one of the very few cases where the w could see and which go on API from public consumption so many problems the reason why this was an issue is because the the purpose of

this world is that if your battery's going down the app should not be doing something very very your if your website run apps or the events that happened to be my fifth point you want to start mining Bitcoin but it's doing that hopefully in mind the universe is not convinced now the problem was is that I didn't give you a number very very detailed number very very high entropy number and based on how often the number change you have to track the phone because every different thing no respawning and it's funny it means you have a manners everyone is a different card level because depending how the battery is depending which follow this within the couple of minutes they

different websites and you can check their battery levels the better levels in that job just the example you look in the paper it's actually the fire and the basically they make a decision I was interesting the researchers original paper well all exams all the paper said that you should make it so along would make if I want you know very very not a granular however the Dominic we see in the browser makers one step further this ionic strength it'll be good so this is all for the web now this little bit with Android and rather that's a problem and there's problems of course so Andrew suppose the same information however unlike the Firefox implementation where it's kind

of derived it from the power demon and just straight up needed to some of the values that gives here now if you notice that the unity of the valley my path your hours as opposed to divide with the I there's two ways the dissonance post once as opposed to today with the variant battery manager and all of these fogs this some sort of Nagant exists to pulled it out unity Commission now I happen to see the thing that there is a memory part the issue of information without is more information about its Empire later we this

[Music]

except if I'm a little bit apprehensive science spending this information in the web I would never surprise that because

Google has come from very very in that you either control developers or that other person is developers not attract devices if you want my that defy the device we want you to use so so that's the personal second one is the person basically data information disclosed just food tents second wants them to call our SSI at the end of this hasn't been disclosed before so what is that our society so what I said Satan's trap so we knew by fighting seller connections our society Angelou comes from uc1 now it's not a real value

that's the exercises what is the problem with our society give you spend if your location so injured indoor geolocation person to go for publication numbers if you are in the shopping center you can actually see and they know which areas gets the system we can they detract if you looking around but it's not accurate

essentially is you would send some sort of very important point this information without profession you need the provision for accesses so

so I mean in fact any more trauma one staycation are going to take all of that back end what's the issue here

there was a stream their responses March with nine days since the however there too

for is very very and that's why it's so

[Music]

interesting is the democraty on version sets and roots it's an iron Lulu said hey we don't want people devices if you have to divide by APR damaged earlier

[Music]

but for a while well there's one interesting one of the problems that's too intense I want to sue them but not so my suspicion is the debt hiding on the phone but but they bypass what Android South provides as a control permissions they also buy the MACD they won that 99 the lines are clean up first we disclose this one we didn't disclose this one in more in the first two so far benefit indicate would like to do the last two were accepted as real security the first one change sometime next week I'm an opposition