
Media Statement - Privacy Commissioner Uncovered Privacy Failure in Android's Permission Model

Date: 15 December 2014

Privacy Commissioner Uncovered Privacy Failure in Android's Permission Model

(15 December 2014) The Office of the Privacy Commissioner for Personal Data ("PCPD") has discovered that it is possible for an Android app to read the shared memory of a mobile device running Android 4.3 or earlier versions without the need to make a prior declaration of permission.

2. Android has all along worked on the model that, prior to app installation, all intended access to data stored in an Android device is fully disclosed on the Permission Page[1]. Otherwise, no data can be accessed. However, PCPD's tests have revealed that it is possible to develop an app that can read the memory of Android devices, including photos, files, and any data other apps choose to store in the devices, without the need to inform app users on the Permission Page. Although the flaw has been corrected in Android 4.4 for access to the shared memory, it is still a cause for grave concern, as partial access to the internal memory without prior declaration is still possible in Android 4.4. Furthermore, two-thirds of Android users are still using devices running earlier versions of the platform[2], and some of these devices cannot be upgraded to Android 4.4.

3. The following table summarises the permission flaw uncovered using PCPD's test app (File Explorer[3], developed by PCPD Developer and available on the Google Play Store), which does not declare its access to the device's memory:

| Android versions on devices | Any permission shown under Permission Page? | Access to shared memory[4]? | Partial access to internal memory[5]? |
|---|---|---|---|
| Android 4.3 or earlier | No | Yes | Yes |
| Android 4.4 | No | No | Yes |

4. The PCPD has been in contact with Google Inc. since August 2014 and has confirmed with them the existence of the flaw. Google Inc. was formally requested on 27 November 2014 to take corrective action and/or warn the end-users concerned that they are subject to the risk of data access by malicious apps without their knowledge and permission.

5. The Privacy Commissioner for Personal Data, Mr Allan Chiang, commented, "As technology evolves, consumers are giving up more and more of their personal data, often without even knowing it. As such, it is increasingly incumbent upon all stakeholders in the digital ecosystem responsible for the collection and use of personal data to take greater care and responsibility to safeguard the privacy of consumers. They include not only the organisations collecting data directly, such as app developers and software companies, but also the infrastructure companies and device or operating system manufacturers."

6. "I expect technology giants such as Google Inc. to live up to this privacy promise. It is imperative for them to practise Privacy by Design by embedding privacy by default into the design and architecture of IT systems, not bolted on as an add-on, after the fact. To say the least, it is disappointing to know that Android, as one of the major mobile operating systems, has this flaw," Mr Chiang added.

7. As a means to remedy the problem, PCPD advises app developers to encrypt data they store in the shared memory of mobile devices to guard against unauthorised access or leakage[6]. The PCPD further advises consumers that, if they need to store sensitive information on their mobile devices, protection by encryption is recommended[7].

- End -

[1] http://developer.android.com/guide/topics/security/permissions.html

[2] Figure from Google Android Developer Dashboard dated 1 Dec 2014

[3] https://play.google.com/store/apps/details?id=com.pcpdappdev.fileexplorer&hl=en-GB

[4] Typically shared memory stores photos taken, files downloaded and any data other apps choose to store therein.

[5] The app is able to read some internal memory, such as the contents under the folders /system/app/ and /system/bin which may contain sensitive information about the device. Given the limited knowledge on how Android works at this very detailed level, PCPD is unable to ascertain the privacy implication of such access at the time of the media release.

[6] See guidance in PCPD’s Best Practice Guide for Mobile App Development at www.pcpd.org.hk/english/resources_centre/publications/guidance/files/Mobileapp_guide_e.pdf

[7] See guidance in PCPD’s Protect Privacy by Smart Use of Smartphones at www.pcpd.org.hk/english/resources_centre/publications/booklets/files/smartphones_smart_e.pdf