Privacy Issues in Android
Introduction
The primary motivation behind enforcing permissions in Android is to protect the user's privacy. In this article, we will be looking at some issues in this permission model and how that can compromise the user's privacy.
Severity of Issues
We will be categorising the issues as follows:
- Low Severity Issue
- Medium Severity Issue
- High Severity Issue
Here, the 'severity' is defined as "how severely does this issue affect user's privacy".
'Low severity' (indicated by 
'Medium severity' (indicated by 
'High severity' (indicated by 
Note
The issues being listed here are applicable till Android 10, Android Q, API 29. We're test the validity of all these issues on Android R and will update the results of it soon.
List of Issues
- An app can monitor the screen state of your phone without any permissions.
Android sends a broadcast whenever the phone's screen turns on/off. So, if an app is running a service (whether it's foreground or a background service), it can continuously receive a broadcast when the screen becomes interactive/non-interactive (and then get the actual screen state using [getState()](https://developer.android.com/reference/android/view/Display#getState())) and the app is not required to ask any permissions. In this way, the app can roughly figure out from what time to what time you use your phone and for how many hours you are on the phone everyday.
This issue's severity is marked as 'high' because this can be used to directly spy on a user and study his/her phone usage pattern.
Our suggestion to the Android team:
The screen state broadcasts need to protected with permissions.
Related links: ACTION_SCREEN_OFF and ACTION_SCREEN_ON broadcasts.
- An app can monitor when you plug-in and remove your phone charger and headphones without any permissions.
Android sends a broadcast whenever you plug-in your phone charger or remove it. This is also true for your wired headphones. The apps know at what time your plugged in your charger, at what time your unplugged it and thus how many hours you charged it. And the apps don't need any approval from you to do this.
But, we are marking the severity as 'low' because, this has some legitimate use-cases like, if an app wants to run an important long running task, then it can do so when the phone is charging to make sure the battery is not drained.
But there is a catch here. The apps can get some metadata about your charging. They can know how you are charging your phone, i.e., if you are charging it with your power bank/AC Charger or are you charging it with your phone connected to a laptop/PC through USB cable.
Related links: ACTION_POWER_CONNECTED, ACTION_POWER_DISCONNECTED and ACTION_HEADSET_PLUG broadcasts.
- An app can figure out at what time you switched on/off your phone without any permissions.
Android sends a broadcast whenever the phone is shutting down. Hence, an app which might be running a service can record at what time you switched off your phone. To start a service on boot, the app requires RECEIVE_BOOT_COMPLETED permission. But, the app can get the device uptime without any permissions and thus know at what time you booted your phone.
We are marking the severity as 'low' because, this feature has some legitimate use cases like a service can properly do the cleanup task and shutdown smoothly when the device is shutting down. But, device uptime is a system information and providing it to all apps without any permissions can lead to some privacy concerns for the user.
Related links: ACTION_SHUTDOWN, uptimeMillis().
- An app can get most of your device related information without any permissions.
All apps on your phone have access to the device information like the device model, brand, manufacturer, Android version, device uptime etc. without any permissions.
We are marking the severity as 'low' because, this has some legitimate use case. Information about your device can be used by app developers for debugging their apps.
Code example:
product = Build.PRODUCT;
model = Build.MODEL;
manufacturer = Build.MANUFACTURER;
buildTime = new Date(Build.TIME).toString();
brand = Build.BRAND;
device = Build.DEVICE;Related links: Build
- An app can keep a track of your WiFi/Mobile data usage without any permissions.
All apps on your phone can access your WiFi/Mobile data usage without any permissions. But, the WiFi data usage value might not be accurate sometimes.
We are marking the severity of this as 'medium' because, the apps can use this data for analytics. For example, if your data usage is high, then you probably stream a lot of video content on your phone and ads can be served to you based on that.
Code example:
long mobileDataUsed = TrafficStats.getMobileRxBytes() + TrafficStats.getTotalTxBytes();
long totalDataUsed = TrafficStats.getTotalRxBytes() + TrafficStats.getTotalTxBytes();
long wifiDataUsed = totalDataUsed - mobileDataUsed;Our suggestion to the Android team:
TrafficStats class should be removed. NetworkStatsManager is already present in Android. So, it's time that TrafficStats is removed in the future versions of Android.
Related links: TrafficStats
- An app can get a list of all the other apps installed on your phone without any permissions.
An app can get a list of all the other apps installed on your phone without any permissions.
We are marking the severity of this issue as 'medium' because, this data can be used for analytics. For example, Netflix can know if any of it's competitors like Hulu or Amazon Prime Video are installed on your phone. Also, the apps you install on your phone reflect your interests and ads can be shown to you based on that.
Code example:
PackageManager pm = activity.getPackageManager();
List<ApplicationInfo> packages = pm.getInstalledApplications(PackageManager.GET_META_DATA);
for (ApplicationInfo packageInfo : packages) {
String appName = pm.getApplicationLabel(packageInfo).toString();
Drawable appIcon = pm.getApplicationIcon(packageInfo);
}Our suggestion to the Android team:
getInstalledApplications() needs to be protected with permissions so that the user can decide whether to allow or disallow an app to use this method.
Related links: getInstalledApplications()
- Apps installed on your phone can get to know at what angle you are holding your phone, in which direction your phone is facing and can determine if you are moving your phone or not, all without any permissions.
Sensors like Gyroscope (used to detect rotation), Accelerometer (used to detect linear motion) and Magnetometer (used to detect direction) can be accessed by any app without any permissions.
The severity of this issue is marked as 'high' because, any app running a foreground or a background service can continuously monitor and detect even the slightest rotation or movement of your phone and create a 3D visualization of your body movements. This issue can turn any app into a spyware.
Our suggestion to the Android team:
In the future versions of Android, the aforementioned sensors need to be protected with permissions just like WiFi, Bluetooth, Camera etc.
Related links: Motion sensors
Proof of concept
You can practically test all these issues on your phone. We have built an open source Android app as a proof-of-concept for this article.
Repository: PrivacyBreacher
Contribute
If you find any discrepancy, grammatical mistakes, arguments or any rants related to this article, then feel free to open a Github issue.
If you have found new privacy issues or any of the issues listed in this article are already fixed, then please send us a pull request to add that.
Format to contribute new privacy issues:
< title or short description of the issue >
< issue severity badge >
< description of the issue >
< reason for why you assigned that particular severity >
< code examples (if any) and related links >
Author
License
This article is published under Creative Commons BY-NC-SA 4.0 license. "This license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms."