XPrivacy- Dealing with Data Leakage in Android Apps

There has been a significant increase in the number of Android users across the globe in the recent years. And all the end users depend on Google’s Play Store for installation of applications. Google’s Play Store is considered to be a trusted repository of applications, because Google verifies the app’s content, author etc. certifies it to be safe and then hosts it on the Play Store.

One can reverse engineer an app, add malicious contents and host it on Play Store again, with the same name, in order to trick users. It is at this point, where we have to be really careful. Once the app is found malicious, it would be automatically uninstalled by Google from all the devices that has installed it, but we cannot wait for that to happen. Suppose the malicious content that was added to the app, is capable of sending data stealthily to a remote server and there are no visible traces of it. Unless someone figures this out and reports to Google, or Google finds this on its own, this app will go on spreading all over the world stealing data.

The trustworthy app can be recognized by the crowdsourcing method. The number of downloads of any application is a good indicator of trustworthiness.  A well-known app, will definitely have several thousands of downloads. But this alone, is not a measure of security, meaning, seeing a huge number of downloads, doesn’t mean that the app is secure. It just means, so many people have downloaded and used it, and there are no ‘visible’ security flaws as such.

You must have installed an application on an Android phone at least once. While installing, an app asks for permissions to access several other applications on your phone. Most of us, do not even take time to read through what all permissions the app asks for, and we go ahead and click on the ‘Allow’ button right away. Have you ever thought why this app, say X, requires so-and-so permissions on your device? Let me give you an example. You must have used the Pokemon Go app. Why does this app ask for permission to even modify your contact list! When you feel like the app X does not require permission to apps like Gallery and Contacts, is it possible to deny permission to Gallery and Contacts alone, grant permissions whichever you feel is required, and still install the app?

The answer is Yes! You can selectively deny permissions for an app and still install it successfully. Therefore, you are the one who ensure your privacy. Why blame the app owners for what they are taking from you? In order to install an app, you have to give permissions, and when you give permissions, you are giving full rights to the app owner to steal whatever data they want from your device! Privacy matters a lot, and it is in your hands.

Now coming back to the point, how do we selectively deny permissions for an application? There is an app called XPrivacy, which helps you achieve this. All you need is a rooted Android device. When you buy an Android phone, the manufacturers might have put some restrictions on the device. Rooting is a process by which you can overcome those restrictions and get privileged access. Rooting also facilitates the entire change of OS present on your device by default (which is called as the Stock ROM). After rooting, you can install a custom ROM of your choice, like CyanogenMod, Paranoid Android, Omni-ROM, MIUI etc. This process is called Flashing. Most of the users don’t understand rooting. (In case you want to read upon this, I am giving you this link to my blogpost, in which I wrote how to root a Sony Xperia E device. Click here to read more . The blog post is exclusive for the Sony Xperia E device). Rooting methods differ from device to device and version to version.

Now, let us think about how this XPrivacy app is able to do selective denial. A group of developers on the famous forum of Android, the XDA Developers forum, has developed a framework called Xposed, consisting of several modules, one of which is XPrivacy. The app works based on a mock response mechanism. Once this app is installed on your phone, for every other app that you install, when it asks for permissions, you can decide which one to be granted. The rest of the permissions asked by the new app, will be tricked by sending a mock response, as in, it will send an empty template as a response to the app. To understand this better, let me illustrate an example. Say you have to install a new app X. You found it on Play Store, clicked on Install, and then it is asking for permissions to access your Contacts, Location, Calendar and Gallery.

You feel that the permissions asked for the Calendar and Gallery are legitimate and must-have, but you don’t think there is a need to access your Contacts and Location. Since the XPrivacy app is already installed in your device, it runs in the background, and allows you to select only what is required, i.e., the Calendar and Gallery. The rest two, namely, Contacts and Location, are responded with fake data or an empty template of Contact list and Location, so that, the app feels that everything that it asked for is granted, and you ensure that there is no leakage of data at the same time. We can also do selective denial/grant of permissions for already installed applications too. The following is a screenshot of the XPrivacy app.

Fig. 1: A glance into the XPrivacy app [Source: Google]

In the above screenshot(Fig.1), you can see a checkbox for every app present on the device, where you can select/deselect. The XPrivacy app is released for Lollipop and Marshmallow versions as well.

Hence, the key take-away is, pay attention while installation of applications on your device, and do not give away too much. Take time to check what is really required, and grant access on a need-to-have basis. 


Authored by Priyanka Shetti
TCS Enterprise Security and Risk Management

Rate this article: 
Average: 2.2 (18 votes)
Article category: 

There are 7 Comments