With the release of the new Android Nougat firmware, fresh security alerts were bound to pop up sooner or later. Rogue apps can access data from other apps on the device. The exploit was reported by Swedish cyber-security researcher Arne Swinnen. Google was alerted about the exploit and it’s reportedly fixed in the new version of Android.

The Rogue App Exploit

Apps have private data entries that are usually stored in the /data/data/ /directory The data is supposed to be accessible exclusively to its corresponding app. These data entries contain:

The app’s filename

Size

Last Modification date

The files can also include sensitive information. That information can then be detected by the rogue app and used to brute-force other apps. The exploit can be used to track the activity of other apps. Swinnen’s study tested the app of Instagram. Other apps are, of course, also threatened, like the Facebook official app.

The exploit is made possible by some excessive permissions that the Android platform had since the beginning and could be used to know the users:

Identity

Phone Number

Email Address

Social media accounts

Passwords

Location

Android Nougat and Permissions

The exploit can be neutralized by removing the directory permissions of the rogue app. A lot of apps demand more permissions than they deserve. A compelling case can be made that excessive permissions are necessary, most apps couldn’t make money to sustain their level of quality.

Most “free” content on the Internet is paid for by selling the data collection from users. It’s not considered a malicious activity because most Privacy Policy documents or Terms of use agreements are very clear about it. By merely using an online product you agree to play by its rules. Pretty much everyone on the Internet has scrolled through a privacy document and clicked “Accept” without reading it. It’s easy to imagine that some users haven’t read an entire web Terms of Use agreement in their entire life.

The Dangers of Data Collection

Rogue programs are something else entirely. While the data collection mentioned above aims to sell the data to advertisers, who use it for fairly benign reasons, like targeting ads, rogue apps are after confidential information, as we mentioned before. The rogue apps often find their way into user system through backdoors similar to the one described by Swinnen. Permissions are sometimes required by programs that don’t even do anything. There was a series of ValerySoftware apps that did nothing but show a black screen and demand all possible permissions.

Thousands of people still downloaded them. Users should be more willing to communicate with app developers and reject dubious permission policies. If an app wants way more than it gives, you should probably skip on downloading it. It’s a bad deal. While it’s unlikely that Facebook or Instagram are going to use your data for malicious purposes, they still collect it in data storages that can be accessed by third parties and rogue software. That’s where the danger of excessive data collection lies. This particular Android Nougat exploit was fixed, but

More Android: Quick Tutorial For Android Security