A new “No Permissions” application from Leviathan Security illustrates how easily Android applications can bypass user permissions. In a perfect world, Android’s permissions system would help users make informed decisions about the apps they install. But, as the new permission-breaking app shows, we don’t live in a perfect world.
The goal of the “No Permissions” app is to make public the ease with which permissions can be bypassed. When you install the app you are not asked to give the app access to your device’s memory. The app then presents you with buttons that access data the app wasn’t given permission for.
Some of that data can be quite personal, such as your device’s identification number, the SIM card’s vendor ID and information about your device’s version of Android. The app can also read data from your SD card, which means it could grab all of your photos and video at any time.
Does this mean your device is at immediate risk? Yes, it could be if you frequently download new apps. Android’s permission model is supposed to keep you protected by keeping you informed, but any flaws that bypass permissions render the model useless. MakeUseOf advocates the use of Android security apps, and this is yet another example of why they’re necessary.
If you’d like to toy with the “No Permissions” app, you can download it from a page on Leviathan Security’s blog which also offers some explanation about how the app works.
Source: Android Community