Android's security policy can allow apps that have "no permissions" to harvest data from devices without the owners' knowledge.
Paul Brodeur, security researcher with Leviathan Security Group, has created a proof-of-concept app that shows how an Android application which doesn't ask for any security permissions is still able to get access to data stored on SD cards, data stored on the handset by other apps, and information about the handset and handset's Android ID.
Brodeur was first able to grab a whole bunch of information off the SD card, including "photos, backups, and any external configuration files" including, rather worryingly, OpenVPN certificates.
"It's worth noting," says Brodeur, "that even though the Android developer docs state that there's no security enforced upon files stored on external storage, many things are stored on the SD Card."
He was also able to fetch the /data/system/packages.list file to discover what apps are installed on the device, before going on to scan each directory used by those applications to determine whether sensitive data can be read from those directories. His proof-of-concept app returns a list of installed apps and a list of any readable files. What's interesting though is that when testing for this in the Android emulator, he is only able to read the app's own directory, but real devices allow some files belonging to other apps to be read.
Brodeur believes that this technique could be used to find apps with weak-permission vulnerabilities, such as those that were discovered in Skype last year.
Finally, Brodeur's app is able to read the device's the GSM and SIM vendor IDs and the Android ID, but not the IMEI or IMSI. The Android ID could be used as a way to identify a specific handset.
Once the app has harvested the data, it can then be sent anywhere by using another trick that doesn't require permissions --- firing up a browser and using GET parameters in the URI to pass the data on to a third party. This can be done even if the app doesn't have focus, and according to Brodeur, can be used "for transmission of large amounts of data by creating successive browser calls."
Brodeur has tested his app on running Android 2.3.5 and 4.0.3. Both the source code and application are available for download.