An Android application requests access to a resource, and the user ultimately rejects the request. In theory, the data is therefore safe. Researchers have a different opinion.
In a publication with the unambiguous title "50 ways to leak data" we can read that the Android permission system is just an illusion of safety. A group of a dozen or so experts from renowned research institutions, such as the University of Calgary, the Charles III University of Madrid and the University of California at Berkeley, subscribe to this view. At the USENIX Security '19 conference on September 26, the topic was presented by Joel Reardon, one of the authors of the work.
According to him, a malicious app has no major problem even making calls or sending text messages without the user's knowledge.
Not one gap, but a whole lot of them
What's worse, this is apparently not about one particular hole, but about a whole range of security errors, both in the Android system itself and in several popular software development kits (SDKs). It is therefore impossible to single out the most likely attack vector, and so it is very difficult to defend against a possible cybercriminal.
The researcher explains that, because the system mechanisms that control permissions do not work properly, access to sensitive subsystems can be obtained through a side channel. He also describes an attack based on the inheritance of permissions by apps built with the same SDK, paying special attention to the Salmonads, Baidu Maps SDK and OpenX SDK tools. In total, they are used by several million applications, and each is a potential threat.
Simply put, you only need to grant permissions to one application, and another app using the same SDK will take over the privileges through files the first one created earlier.
IMEI and MAC address at your fingertips
Obtaining data about the device, including the IMEI number and the MAC address of the network card, is equally easy and, of course, also happens without the user's knowledge. Applications written using the Baidu SDK store the IMEI in the device's mass storage as a Base64-encoded file. Reading it is a formality, which, as disclosed, is even used by Disney. The popular Unity, on the other hand, sends a hash of the MAC address in one of the system calls, treating it as a unique device identifier. Again, reading the content is a formality.
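To audit a copy of a test device's shared storage for this kind of leak, the following sketch walks a directory tree and reports files whose content, read raw or Base64-decoded, contains a 15-digit number with a valid Luhn check digit, as an IMEI has. It is an added example, not code from the publication or from any SDK; the directory and file names and the IMEI are constructed test values.

```python
import base64
import binascii
import os
import re
import tempfile

IMEI_RE = re.compile(rb"(?<!\d)\d{15}(?!\d)")  # a standalone run of exactly 15 digits

def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; this filters out random 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def imeis_in(data: bytes) -> set:
    """Luhn-valid 15-digit numbers in data, read raw and as Base64."""
    views = [data]
    try:
        views.append(base64.b64decode(data.strip(), validate=True))
    except (binascii.Error, ValueError):
        pass  # not Base64; only the raw bytes are searched
    return {m.decode() for v in views for m in IMEI_RE.findall(v) if luhn_ok(m.decode())}

def scan_tree(root: str, max_bytes: int = 4096) -> dict:
    """Map relative path -> identifiers found in the first max_bytes of each file."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found = imeis_in(fh.read(max_bytes))
            except OSError:
                continue  # unreadable file: skip it
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

def demo() -> dict:
    """Constructed sample tree; names and the IMEI are test values, not real SDK paths."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sdk_cache"))
        with open(os.path.join(root, "sdk_cache", "id.dat"), "wb") as fh:
            fh.write(base64.b64encode(b"490154203237518"))  # Base64-wrapped test IMEI
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"order 123456789012345 shipped")  # 15 digits, fails Luhn
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A hit only means a world-readable file holds something shaped like an IMEI; confirming it against the device's own identifier is the next step.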
Apparently, the situation looks a little better only on Android 10, but only a few users use it. At the moment, if you are very suspicious, every app should be treated as a possible threat. Of course, I don't encourage anyone to be paranoid. Nevertheless, it gives food for thought. You need to believe in the integrity of the creators more than in the quality of the security.