Android libraries can share personal information with apps that lack permissions

Intra-library 'collusion' occurs when libraries are shared between multiple apps

Researchers have described a new form of attack that could affect Android phones, using shared libraries to steal personal data.

The Oxford researchers (Vincent Taylor, Alastair Beresford and Ivan Martinovic) call the method of theft ‘intra-library collusion’ (ILC).

Libraries are a common target for attackers due to the abundant information that they hold. The researchers write, ‘Users fail to appreciate the scale or sensitivity of the data that they share with third-parties when they use apps’. However, previous research has examined apps and libraries in isolation.

Some libraries are shared between apps, which makes development more efficient and means that the software can be smaller. Taylor, Beresford and Martinovic write that ‘individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted’.

‘Many’ popular third-party libraries can collect sensitive personal information from users, the researchers write; but Android's security model does not support the separation of privileges between apps and their embedded libraries. The libraries inherit their host apps' permissions, and the app developers must sometimes declare additional permissions to support embedded libraries. This is especially beneficial to advertising libraries.
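To make the "greater combined privileges" point concrete, the following Python example is added here and is not code from the researchers or the article. It takes a device inventory and reports each shared library whose union of inherited permissions exceeds what any single host app grants; the app names, library prefixes and permission sets are constructed for illustration.

```python
# Added example: estimate the combined privileges a shared library holds on
# one device. All app names, library prefixes and permissions are constructed.
from collections import defaultdict

# Constructed inventory: app -> (declared permissions, embedded library prefixes)
INSTALLED = {
    "com.example.weather": ({"ACCESS_FINE_LOCATION", "INTERNET"}, {"com/adlib", "com/stats"}),
    "com.example.torch": ({"CAMERA", "INTERNET"}, {"com/adlib"}),
    "com.example.dialer": ({"READ_CONTACTS", "READ_PHONE_STATE", "INTERNET"}, {"com/adlib", "com/crash"}),
    "com.example.notes": ({"INTERNET"}, {"com/stats"}),
}

def library_privileges(installed):
    """Map each library to its host apps and the union of their permissions."""
    hosts = defaultdict(set)
    combined = defaultdict(set)
    for app, (perms, libs) in installed.items():
        for lib in libs:
            hosts[lib].add(app)
            combined[lib] |= perms  # a library inherits its host app's permissions
    return hosts, combined

def ilc_report(installed):
    """List libraries whose combined set exceeds what any single host grants."""
    hosts, combined = library_privileges(installed)
    report = []
    for lib in sorted(combined):
        if len(hosts[lib]) < 2:
            continue  # collusion needs the same library in at least two apps
        # Every host's set is a subset of the union, so comparing sizes is
        # enough to tell whether the union is strictly larger than each host.
        best_single = max(len(installed[app][0]) for app in hosts[lib])
        gain = len(combined[lib]) - best_single
        if gain > 0:
            report.append((lib, sorted(hosts[lib]), sorted(combined[lib]), gain))
    return report

if __name__ == "__main__":
    for lib, apps, perms, gain in ilc_report(INSTALLED):
        print(f"{lib}: {len(apps)} host apps, {len(perms)} combined permissions "
              f"(+{gain} over the best single host)")
        print("    " + ", ".join(perms))
```

On a real device the inventory would come from each installed package's declared permissions and the package prefixes found in its code; that collection step is outside this example.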

The researchers analysed 15,000 popular apps (with more than 1 million downloads each) to reach conclusions on their potential use for ILC. They found that the .com/facebook library was the most popular, used in 11.9 per cent of the apps they studied. Libraries belonging to Google Analytics (9.8 per cent) and Flurry (6.3 per cent) were also widespread.

On average, the researchers said, advertiser libraries ‘leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day’.

The threat from ILC is clear, especially on modified phones such as rooted or jailbroken models. However, countering it is a challenge; simply revoking privileges is not a viable tactic. If privileges were revoked, advertisers would have more difficulty targeting ads, making them less likely to use libraries. App developers also stand to lose revenue, so they are unlikely to be interested in implementing such a solution. Data-passing APIs can also be used to share information between apps and libraries, even if privileges are revoked.

Other solutions include new legislation enacted by national governments, or major app stores changing their developer policies. The problem there comes down to the fact that ILC detection is difficult to achieve; the actual maliciousness takes place on third-party servers, not the user's device.