We reproduce below the full text of the interview conducted with our Chief Operational Officer Javier Tallón, and published on July 26, 2019 in the newspaperEl País.
Context
"Hey @Aeromexico, why are you trying to use the camera on my cell phone?”. Duncan Tucker, a journalist of The Guardian newspaper in Mexico, asked a few days ago in this tweet why the airline was using the camera on the phone when he in addition had his permission deactivated. In this case, he had detected it by activating the "permission usage monitor", which is available for Samsung phones. Based on this example, I would like to investigate how you can detect when an application accesses a particular permission (if it is possible for both Android and iOS mobiles).
I would like you to tell me what you know about it and answer the following questions:
Given this news about this application and the reaction of the rest of users seen on Twitter, one thing we have been observing for a long time, is that users are increasingly concerned about the information that the applications they use every day collect about them.
Over the years, both Android and iOS operating system developers have tried to improve their permissions system to address this concern. For example, in the case of the first versions of Android, there was a list of permissions that the user accepted during installation and forgot forever, while in the newer versions, applications must request consent at the same time that the application makes use of these permissions, something that the Apple operating system did since the first versions.
In this way, an application requesting to use the camera will display a message to the user the first time it needs to use this functionality, at which point the application retains permission until it is uninstalled or explicitly removed by the user by entering the phone settings.
In the particular case of AeroMéxico, the journalist discovers that the application is using the camera (which could be lawful if it were being used to read banknote codes, for example) at a time when, judging by the tweet, it did not correspond.
The journalist was able to discover this thanks to the "Samsung Permissions Monitor", a unique application of these phones that detects when an application is trying to make use of a specific permission.
This functionality is especially interesting because it leaves a clearer evidence of what the application is trying to do as we use it.
It is clear that this kind of situations, in which the user does not know very well why an application is asking him for access to a certain part of his private information, are the ones that end up causing concern and opening the debate on what information an application really needs in order to function and make it more comfortable to use as opposed to what information is unnecessarily provided for the use of the company that develops that application.
On the other hand, the legislation has been updated so that there is increasing awareness of the importance of the privacy of user data. As a consequence of this awareness, we have recently experienced the entry into force of the General Data Protection Regulation (RGPD) which imposes considerable restrictions on the processing of users information. As a result of its application, some cases have already been seen in which developers have been fined for making illegitimate use of user data, such as the case of the football league application when it used access to the microphone of devices to detect bars that were not licensed to broadcast matches, although it is clear that there is still a long way to go and that the general population is still not aware of the value of their personal information.
Is it possible to detect when an application is accessing a particular permission? How?
At the beginning, you could say yes. So, if an application wants to access our photos, for example, it has to explicitly ask for permission first. Also, in both Android and iOS, the permissions that an application has access to are always reflected in a section in the device settings, from where they can be removed and granted.
However, this permissions management model has at least three weaknesses. On the one hand, there are a number of "basic" permissions that applications can use without having to ask the user for confirmation. These are, for example, the use of Bluetooth connectivity or Internet access. Beforehand, these permissions do not pose a threat to the security of users information, but they are always an open door to vulnerabilities that combine with other factors resulting in the filtering of information.
On the other hand, communication between different installed applications is an essential part of the functionality of our devices, but it can also be a threat. An application may be designed to receive requests from others and provide them with certain information to which they have had access. For example, a browser in which when you press a phone number on a webpage, make a request to the application in charge of calls. This behavior, which is very common in applications that we use daily, can be used by an application that does not have certain permissions to obtain information from another that does, thus avoiding user interaction and accessing private information without it having granted permissions at any time. Furthermore, in the case of Android, there is functionality that allows applications from the same developer to freely share the information they handle. This way, different applications with different permissions can end up sharing information to which they would not have access in theory.
Finally there is the fact that it is very possible that, as could be the case with Aeromexico, an application may request permission for a lawful purpose, but use them for additional purposes.
It is also worth mentioning that there are applications that offer an additional layer of control over the devices, such as antivirus tools or permission management such as the Samsung Permissions Usage Monitor used by the journalist. These applications do additional scans to those of the operating system and try to detect suspicious behavior. So, a tool of this type can also serve users to detect when specific applications exercise a permission.
Finally, even if an application does not have access by any means to a particular resource because it has not been granted a permission, there are always alternative ways of obtaining related information. These side channels can serve malicious stakeholders to obtain sensitive information from users despite not having direct access. An example of this could be using the device accelerometer to get information about the keystrokes a user makes when entering their PIN code.
Do you know of any experiments or research carried out in this regard?
There are a lot of academic papers on how smartphone application permissions are managed from different points of view. This ranges from statistical studies on the behavior of applications available on the market to analyses of malicious applications that exploit the negligence of other applications to steal our information, to give some examples.
Among the most noteworthy data provided by these studies, it is important to mention the number of permissions that the applications request from the user. This number usually ranges between 3 and 4 permissions per application, without considering the basic permissions that the application can use without requesting authorization.
In addition, it is known that the applications that tend to request the most permissions are those related to social networks and online shopping and that the most requested permissions are access to user files, the device camera and location services.
Is there an accessory or a way to prevent the mobile from sending data or an app from accessing it?
In this sense, it is difficult for an ordinary user to know what information an application or the device itself has access to beyond the permission control we have been dealing with. In addition, it is no longer only private information that they may seek to access, but also information that is collected as a particular device or application is used.
From a physical point of view, there are accessories called "USB condoms" that eliminate the serious danger of connecting your phone to a charger that we do not know where it comes from, such as those that we can find more and more frequently in shopping malls.
From a logical point of view, in the specific case of Android, there is a considerable difference in the quality of smartphones from different manufacturers. For example, in addition to the management of permissions made by the operating system itself, some manufacturers implement their own applications to control them to offer the user an additional layer of protection, in addition, as mentioned above, installing an antivirus is becoming increasingly important also on our phones. With regard to iOS, some additional improvements can be observed, such as information on why an application is requesting a permission or the possibility of granting it temporarily.
More often than we would like to, cases come to light in which known application developers, and even terminal manufacturers, collect information from users without their consent. Although the tendency is to think that the best known manufacturers are the most reliable, it is evident that large-scale user information traffic is a very lucrative business and in which most of the large companies in the smartphone world are probably involved.
In response to this, the ideal is to try to use devices whose security has been verified and certified by industry professionals independent of the manufacturers. For example, in Spain we have the LINCE certification, which has recently been published by the National Cryptologic Center and which is aimed at ensuring a basic level of security and testing this type of behavior in different products. A certified application or device gives a guarantee to the end user that it has passed a security check. This is probably the best way to verify that no more private information is being sent than the user wants to share.
Finally, the case of this journalist from Mexico especially catches my attention because when the airline accesses his camera, he claims to have the permit deactivated, is this possible?
In a first tweet, the journalist shows a message from Samsung Permission Usage Monitor that the Aeromexico application has tried to use the camera while it was not in the foreground. In a second tweet, it shows a screenshot showing how the application does not have permission to access the camera.
We can think that, when trying the application to use the camera, the permission monitor detects that there is a suspicious behavior and launches the alert, however, the application could never get to the camera of the device when the permission was disabled. In other words, Samsung Permission Usage Monitor is alerting of the intention and not so much of the execution.
In conclusion, an end user of a smartphone has the possibility of granting or revoking permissions for each of the applications it installs and these cannot, as far as is publicly known, access these resources if they are not explicitly granted access. Another kettle of fish are the operating system and certain pre-installed applications, which could access all our data without us being able to do anything to prevent it.
Article written with the invaluable help of Alberto del Río.
