This is the third chapter of our five-part series on Android security, in which we explore the wild tales, past crimes, and current, steadily improving state of Android security. If you’d like to find out more about our previous topics, please click the links below.

  1. Software updates
  2. Device encryption
  3. Data leakage
  4. Malware
  5. Network threats

The daily dangers of data leakage

These days, we’re storing more and more personal and company information on our devices. This can include simple things like business contacts in the phone book as well as other content such as contracts and other sensitive information. By installing apps and accepting the terms of use and privacy policies, we provide authorized access for the app developer to collect this data.

  • Contact information
  • Messaging history
  • Location data
  • Photos and their metadata (including geotagging)
  • Phone manufacturer, model, serial numbers
  • Lists of installed apps
  • Wi-Fi network names

This information is invaluable to the ad and tracking industries who can use it to track you, your friends, and whom you’re with to get more business out of you. Better understanding users and their habits helps with app design and serving relevant ads. The absurd demands to access personal information is demonstrated by Android flashlight apps, like the ones in Figure 1. In fact, apps requesting excessive access have become something of a scare.

Flashlight Apps

Figure 1: The classic example of how Android flashlight apps access the personal data Source: Android Authority

What’s more, apps may have flaws that allow unintended data leakage, as conducted by other apps on the system. This occurs when apps store sensitive data outside the app sandbox, or locations accessible to other apps. Such locations include clipboard caches, system logs (mainly in pre-4.0 versions of Android), keystroke caches, and much more. Poorly configured software frameworks or compilers may also facilitate leaks.

All this amounts to something quite similar to what security certification and training organization SANS institute defines as data leakage: the unauthorized transmission of information from within an organization to an external destination or recipient.

While it can be argued that accepting the terms of service means the data is not involuntarily shared, how often do you read the policies before clicking accept, even on your work phone? Considering the implications, data privacy is worth analyzing and thinking of as such when formulating mitigation strategies for businesses.

Apps permissions on Android

One of the problems facing all but the most recent iterations of Android is the inherent lack of granularity in how the system grants access to user data stored on the device. This means that in Android versions below 6.0, for example, camera, contact and location permissions are simply bundled together at install time.

However, since Android 6.0, Android has gained the ability to ask the user for permission to use the camera, location and other aspects of the device, like Apple’s iOS.

App Permissions on Android

Figure 2. Android 6.0 and later adds much needed granular app permissions

In versions prior to Android 6.0, camera, contact and location permissions were simply bundled together and users agreed to granting an application permissions to the whole bundle when the app is installed. This created an outcome in which some app developers abused excessive access to data – including contacts and messages, often to sell the user’s personal data.

One publicized study revealed such issues with numerous instant messengers in 2016, and another study revealed that App developers use a variety of techniques to reverse engineer personal information from in-app ads.

So, what’s the impact?

As described above, leakage is usually authorized by end user license agreements and terms of service for all kinds of popular apps, from Facebook to Uber. For instance, WhatsApp’s policies are quite readable, and frequently point out that the Facebook subsidiary uses end-to-end encryption to render themselves unable to read user messaging. The policies also make it clear that metadata (e.g. which phone numbers are in contact, when and where) is shared with the parent company to boost Facebook’s ad network.

However, regardless of what these policies say, companies will be responsible for data leaked from devices under the GDPR. Specifically, apps that gobble up contact information from business phones could turn out to be extremely problematic.

Android has largely caught up with Apple in terms of offering user choice (see Figure 3) for handing oversensitive data to apps. Yet, even well informed users often install and use instant messaging and social media apps without much consideration for the ramifications. 

WhatsApp Access on Android

Figure 3. Android offers user choices for handing over data

Unless stopped by technical solutions, users will probably continue providing apps they’re using with access to whatever the apps ask. In a corporate environment, this, together with the legal and business risks, places the responsibility to protect information on IT departments and service providers.

What are the best mitigation strategies?

A key part of the answer to the big questions about Android security is to accept that the platform has matured recently. When security is important, Android fleets should at least be updated to recent models running versions 6 or 7 where app permission control allows for increased security.

Focused releases and documentation of vendor-provided security updates and disk encryption are in place only in flagship models from the past couple of years. For example: Samsung’s industry standard page with lists of security advisories only goes back to 2015 and LG’s to 2016. This, as well as a support lifecycle of only three years after hardware release, even for the new Google Pixel, add weight to the argument for refreshing phones.

Additionally, in terms of doing something about the plight of mixing personal and corporate data on devices with snoopy apps, Android holds a real ace up its sleeve. With phones running Android 5.0 or above, administrators can set up and manage work and personal user profiles for end users. This way, personal apps cannot gain access to company data stored in the work profile. (We have covered this previously here in our blog.)

This is probably as close to solving the problem as we’re likely to get for now, while retaining productive smartphone use. The undermining of the privacy of company employees through their own choice is regrettable. It’s also part of the overall trend of internet services being built and monetized around the collection of data which, in aggregate, provides a chillingly detailed portrait of users.

As a summary companies should:

  1. Update the Android device version to 6.0 or newer.
  2. Enroll devices to Miradore EMM.
  3. Separate personal and business data with Android Enterprise Solution.

We believe these challenges demonstrate why EMM products like Miradore Online is an absolute must.

There we go, a brief look at Android data leakage. Our next topic in this series will be malware, so stay tuned.

Valtteri Kekki

Valtteri Kekki

CTO at Miradore Ltd
Valtteri Kekki is the CTO of Miradore. He has been with the company since 2011 and is also an experienced software developer. Valtteri holds an M.Sc. in computer science from Lappeenranta University of Technology.
Valtteri Kekki