Application developers do not care about user safety, which leads to data leakage (with examples of java code)

Digging in my android phone, I noticed that there are directories and files in the / storage / sdcard directory - applications that I deleted a long time ago, so I asked on toster.ru Can one Android application read temporary files of another application?

What kind of temporary files are these and why should I pay attention to them? These are your photos, records of telephone conversations, databases of your diaries.

Android has a shared directory / storage / sdcard. All applications write temporary files there, and when you delete the application, the data from it remains there, if the developer did not take care to delete them.

Therefore, I asked these questions on toster.ru:

1) By design, the system does not delete these temporary files from this directory?
2) Android does not know which files belong to which application?
3) Can one application read data from another application from this directory?

User NeiroNx wrote:
/ data is quite clearly divided by rights - without root access applications do not even see what files are there.
I answer NeiroNx : Wait, here I just downloaded the file manager from google.play and read temporary files from the directory of the popular messenger, and there the photos that were sent to me are unencrypted, my device is not rooted.

User dobergroup wrote:
What is the path of these files? If they are in an arbitrary directory on a partition that is in fat32, then shared access cannot be applied to them. Therefore, it is necessary to clarify what exactly you mean by “temporary files”
I answer dobergroup : The path / storage / sdcard should not be confused with / storage / extSdCard, here are the “temporary files” of all installed applications on my device: instant messengers, sip telephony with unencrypted records of telephone conversations, browsers with browsing history, players with their playlists, social networks, diaries, with personal records of urgent matters.

By temporary files, I mean one thing, and application developers are probably different if the developers of the whatsapp messenger with an audience of 33,000,000 store unencrypted photos and encrypted correspondence there. Whatsapp is just an example, almost all popular applications store your personal data in / storage / sdcard /% appName% and any other application has access to this directory.

For example, this messenger stores photos that were sent to you in a directory that all applications of your device have access to, if they have permission to work with the storage:


* photos from a free photo hosting licensed under Creative Commons CC0 . 1 , 2 , 3 , 4 .

But the popular sip client stores the settings of your sip account in the same place:



Can any other application read temporary files?


That is, someone can post the game “2048 - play on the network with friends” on google.play and carry photos of half-naked girls from your phone?

I decided to check this out and wrote a small java program for android. She sends the directory structure / storage / sdcard to email.

Source. It sends the directory structure / storage / sdcard to email:
package android.com.testapp;
import android.content.Intent;
import android.os.Environment;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import java.io.File;
import java.util.Date;
public class MainActivity extends AppCompatActivity {
    Button emailButton;
    EditText email;
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        email = (EditText) findViewById(R.id.email);
        emailButton = (Button) findViewById(R.id.emailButton);
        emailButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                getFileStrucure();
            }
        });
    }
    protected void getFileStrucure(){
        Filewalker fw = new Filewalker();
        fw.walk(new File(Environment.getExternalStorageDirectory().getAbsolutePath()));
    }
    private class Filewalker {
        private int count = 0;
        private String sked = "";
        public void walk(File root) {
            count++;
            File[] list = root.listFiles();
            for (File f : list) {
                if (f.isDirectory()) {
                    sked += "time: " + new Date(f.lastModified()) + ", dir: " + f.getAbsoluteFile() + "\n";
                    walk(f);
                }
                else {
                    sked += "time: " + new Date(f.lastModified()) + ", size: " + f.length() + ", " + f.getAbsoluteFile() + "\n";
                }
            }
            count--;
            if (count == 0) {
                sendMail(sked);
            }
        }
    }
    protected void sendMail(String sked) {
        Intent i = new Intent(Intent.ACTION_SEND);
        i.setType("message/rfc822");
        i.putExtra(Intent.EXTRA_EMAIL, new String[]{email.getText().toString()});
        i.putExtra(Intent.EXTRA_SUBJECT, "android storage structure");
        i.putExtra(Intent.EXTRA_TEXT, sked);
        try {
            startActivity(Intent.createChooser(i, "Send mail..."));
        } catch (android.content.ActivityNotFoundException ex) {
            Toast.makeText(getApplicationContext(), "There are no email clients installed.", Toast.LENGTH_SHORT).show();
        }
    }
}




You enter an email, the application sends the directory structure / storage / sdcard, as you understand it, you can do this without asking for an email and send, not only the directory structure, but also the files themselves. It is unlikely that google.play thoroughly checks the applications that are there. Unfortunately, this is a very good tool for layout experts, they always want to know as much as possible about their users, not even talking about the fact that in this way you can get personal data.

But what letter comes to you with the content / storage / sdcard, there will be all the files and directories of applications installed on your device:


* There are no directories and application files from google.play that are on your mobile device that you use every day Is the sdcard directory of the android emulator.

Link togithub repository for informational purposes.

View your / storage / sdcard directory with any file manager for android, also, in my opinion, it is available when connecting a device to a PC like / phone, if you use instant messengers, social networks, a task scheduler, see what anyone can theoretically see android developer who will write in the manifest android.permission.READ_EXTERNAL_STORAGE.

The meaning of the article is that many application developers: social. networks, instant messengers, sip telephony clients, daily logs, do not care about the security of their users.

Also popular now: