Android App Usage and Cell Tower Location: Private. Sensitive. Available to Anyone?

Presented at DEF CON 32 (2024), Aug. 9, 2024, 3 p.m. (45 minutes).

Do you consider the list of mobile apps you use and the frequency at which you use them private information? What about the GPS coordinates of the cell towers to which your smartphone connects? The Android framework restricts third-party apps from freely obtaining this information – unless the user explicitly grants the app access. Android is a diverse ecosystem that comes with many benefits, but device vendors can still unintentionally expose app usage and device location in a variety of ways. We uncover privacy leaks of both types of data, where pre-loaded vendor software exposes app usage and location to co-located software. We also explore various local exposures of this data, where it is leaked to resources that do not require any special permissions or privileges to access. We discovered these leakages across several major vendors, including Samsung, Nokia, Transsion brands (i.e., Tecno, Infinix, and Itel), and additional vendors that utilize a pre-installed Qualcomm app for performance monitoring. We cover each of these exposures in detail. App usage reveals the subset of the apps that the user actually interacts with, which can be collected, combined with location data, and analyzed for advertising, profiling, and establishing user pattern-of-life.

Presenters:

  • Ryan Johnson - Senior Director, R&D at Quokka
    Dr. Ryan Johnson is a Senior Director, R&D at Quokka (formerly Kryptowire). His research interests are static and dynamic analysis of Android apps and reverse engineering. He is a co-founder of Quokka and has presented at DEF CON, Black Hat (USA, Asia, & MEA), IT-Defense, and @Hack. His research in Android security has been assigned dozens of CVEs and is responsible for discovering the Adups spyware that affected millions of Android smartphones.
