Android critics often point to the operating system's lack of control over apps as a threat to user security, and this is yet again proving to be true.

Security firm Leviathan Security has discovered that apps with no permissions to access system resources are still able to view sensitive data without the user's knowledge. Worse yet, through a few extra steps, a malicious app might be able to get that data off of the device using the Web browser.

According to Leviathan Security, at least three types of information can be accessed by any app, regardless of its permissions. These types of info include files on external storage, files stored by individual apps, and device information.

Android allows any app to read all files on external storage by default. This might sound harmless, but Leviathan researcher Paul Brodeur has discovered that some apps store sensitive data--such as network access information--to the device's SD card.

Apps can also fetch a list of installed applications on the device, and, from there, scan for files associated with those apps. iOS developers have recently come under fire for failing to secure data--Facebook, Dropbox and others have been found to be storing authentication information in plain text--and there are likely many Android apps with equally poor security.

Finally, Brodeur discovered that all apps could access basic device information. While an app is not able to read a device's unique identification number without the correct permissions, other identifiable information is easily accessible.

Getting the data off the device is not straightforward, as network access is restricted unless the application has the correct permissions. Still, there is a way for attackers to surreptitiously steal your data.

“In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls,” Brodeur writes. In plain English, this means successive requests to open the browser and send strings of data can be done entirely in the background, so the victim never knows it's even happening.

For more tech news and commentary, follow Ed on Twitter at @edoswald, on Facebook, or on Google+.