Android security nuts, get your tin foil hats ready. A security researcher at Leviathan Security Group has posted a proof of concept application that can steal massive amounts of personal data when installed on an Android phone or tablet. No big deal, right? We've known about this sort of thing for ages. Except that Paul Brodeur's app can grab a shocking amount of data with zero Android system permissions, something that isn't supposed to be possible. The security loopholes exist in both Gingerbread and Ice Cream Sandwich, and can be presumed for other versions of Android as well.
There are three calls that the app makes without requiring access to any protected Android functions: access data on the SD card (or internal storage if the device has no SD card slot), see a list of installed apps, and access a restricted set of unique information tied to the phone. The SD card function can see and read any file in storage that isn't marked as hidden or encrypted - just as an example, the photos taken from the device's camera. The app identification function isn't that distressing in and of itself, but it can also see all the files used by the app. It also could be useful in identifying vulnerable apps - Adobe seems to produce a lot of these.
The last function can't identify the crucial MEID or IMEI number of an individual phone, but it can see the identity of the SIM card and its connected cellular network. It can also read the version of Android, the kernel and the software release - i.e., which OTA update or custom ROM you're using. Using some pretty clever programming, the app can launch a browser window and start transmitting data to a remote server, all without permission to access the Internet.
None of these functions have been observed in malicious apps, so don't panic. But the fact that all this is possible without using a single one of Android's permissions, the system by which users are supposed to be protected, is distressing. Hopefully Google is paying attention, and will address these issues in an update. Soon.