LateX

Thursday, May 22, 2014

Exploring limits of covert data collection on Android: apps can take photos with your phone without you knowing.

SHORT VERSION: Android apps can take photos with your phone in the background without displaying any notification, and you won't see the app on the list of installed applications. The app can send the photos over the internet to its own private server. You can also find a video demo in this post.

Introduction


I discovered this almost by accident while doing a team project for a Computer and Network Security course at my university. The project, suggested by a colleague of mine (Predrag Gruevski), was mostly about using cameras on PCs without turning on the indicator light. There were already promising findings in this field (the iSeeYou paper discussed doing so on old Mac models). Since the project was relatively general, each member of our team took a different approach. I initially started with low-level USB hacking, but despite genuine efforts I found nothing really interesting. Further experiments seemed really boring to me, because they in general involved trying various different cameras and hours of staring at the LED hoping the camera light won't blink.

I switched my focus to Android. Initial research was promising. There are many apps on the Play Store (if you are an iPhone user, think App Store) that aim at taking pictures without any visual indication (ACLU-NJ Police Tape, Mobile Hidden Camera and more), but from what I found all of them require the app activity to be visible and the phone screen to be on. Some of them manage to record video without a visible preview.


Technical Details

What I wanted was to take pictures without the user knowing, at any time, not only when the app is on. I started googling, and the first thing I found is that using the Camera technically requires a preview to be displayed on screen in order to take video, but background services do not have an associated visible activity. But let's not get discouraged and keep trying. I wrote a small camera app for my Nexus 5. My first approach was to create a View object that is not attached to any activity and feed the preview to that object. That fails (I literally get a "take picture failed" exception). Then I remembered something that later turned out to be very relevant: Facebook Messenger draws to the UI even when the app is not technically running.


This turned out to be indeed the right track. I attached the preview to the screen from the background service, and indeed I was able to take a photo! This is not yet ideal - the preview is visible on the screen, so the user can clearly see that something is going on. So then I tried to remove it. Here's a list of approaches:

  • Make preview invisible - failed: Android just ignores this setting for the preview
  • Make preview transparent - failed: Android just ignores this setting for the preview
  • Cover preview by another view - partially failed: the view on top is still obstructing the screen
  • Make preview 1x1 pixel - successful

The result was amazing and scary at the same time - the pixel is virtually impossible to spot on the Nexus 5 screen (even when you know where to look)! It also turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.


Demo


If you cannot see the video here, here's a direct link: https://www.youtube.com/watch?v=sDzs6y4JVok

How can you protect yourself from malicious apps?


If you are as disturbed by this find as I am, you will start asking what we can do to avoid such situations. The bad news is that it's kind of a cat and mouse game - no matter how hard you try, attackers can find more ways to obfuscate malicious activity. The good news is there are some ways that seem (at least given my current knowledge) hard to circumvent:

  1. Pay attention to permissions (for example, does Simple Notepad* really need access to your camera?)
  2. Keep your Google Account secure - if somebody can access your Google account they can install apps on your phone remotely without you approving it! Set up two-step verification. Change your password from time to time. Set up a secure password.
  3. Uninstall unused apps.
  4. High battery consumption (settings -> battery) and high bandwidth usage (settings -> data usage) point to potential culprits.
  5. Look at the background services that are running (settings -> apps -> running) - does Simple Notepad* really require a background service?
  6. Swiping an app out of the application list does not switch off its background services. If you want to completely switch it off, go to App Info (long press the app icon inside the menu and drag it to the App Info section) and click Force stop - this ensures no background services are running. As @LB points out, the "force stop" effect is not permanent (technical: the service can be started again by registering for and receiving an intent).

*Simple Notepad is a made-up example - I am not referring to any app in particular.
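Items 1 and 5 of the checklist above can be automated with adb. The script below is an added example, not code from the original post: it cross-references the apps that hold `android.permission.CAMERA` with the services that are running right now, using the output of `adb shell dumpsys package` and `adb shell dumpsys activity services`. The two dumps embedded in the script are constructed samples with made-up package names; the line formats it assumes are `android.permission.CAMERA: granted=true` (runtime-permission format), a bare `android.permission.CAMERA` under `grantedPermissions:` (the install-time format of 2014-era Android), and `* ServiceRecord{... u0 pkg/.Service}`.

```python
"""Cross-reference camera-permission holders with running background services.

Added example for checklist items 1 and 5 above; this is not code from the
original post. It parses text from two adb commands (assumed formats noted
inline) and flags packages that both hold the CAMERA permission and have a
service running right now. Run with --live to query a connected device;
without it, the constructed sample dumps below are used.
"""
import re
import subprocess
import sys
from typing import Dict, List, Set

# Assumed line formats from `adb shell dumpsys package`:
#   "  Package [com.pkg] (hash):"                   -> start of a package block
#   "      android.permission.CAMERA: granted=true"  -> runtime-permission format (Android 6+)
#   "    grantedPermissions:" then "      android.permission.CAMERA"
#                                                   -> install-time format (2014-era Android)
PACKAGE_HEADER = re.compile(r"^\s*Package \[([\w.]+)\]")
CAMERA_GRANTED = re.compile(r"android\.permission\.CAMERA: granted=true")
# Assumed format from `adb shell dumpsys activity services`:
#   "  * ServiceRecord{43a4d7e8 u0 com.pkg/.SomeService}"
SERVICE_RECORD = re.compile(r"ServiceRecord\{[0-9a-f]+ u\d+ ([\w.]+)/([\w.$]+)\}")

# Constructed sample output; the package names are made up.
PACKAGE_DUMP = """\
Packages:
  Package [com.example.simplenotepad] (3f2a1b5):
    userId=10123
    requested permissions:
      android.permission.CAMERA
      android.permission.INTERNET
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.weather] (1c0ffee):
    userId=10124
    requested permissions:
      android.permission.INTERNET
  Package [com.example.legacycam] (deadbee):
    userId=10125
    grantedPermissions:
      android.permission.CAMERA
      android.permission.INTERNET
"""
SERVICES_DUMP = """\
ACTIVITY MANAGER SERVICES (dumpsys activity services)
  User 0 active services:
  * ServiceRecord{43a4d7e8 u0 com.example.simplenotepad/.UploadService}
    intent={cmp=com.example.simplenotepad/.UploadService}
  * ServiceRecord{4381f9c0 u0 com.example.weather/.SyncService}
    intent={cmp=com.example.weather/.SyncService}
"""


def camera_packages(package_dump: str) -> Set[str]:
    """Return packages that hold android.permission.CAMERA in either dump format."""
    granted: Set[str] = set()
    current = None   # package whose block we are inside
    section = None   # most recent "something:" sub-heading inside that block
    for line in package_dump.splitlines():
        header = PACKAGE_HEADER.match(line)
        if header:
            current, section = header.group(1), None
            continue
        text = line.strip()
        if text.endswith(":") and "=" not in text:
            section = text
            continue
        if current is None:
            continue
        legacy_grant = text == "android.permission.CAMERA" and section == "grantedPermissions:"
        if CAMERA_GRANTED.search(text) or legacy_grant:
            granted.add(current)
    return granted


def running_services(services_dump: str) -> Dict[str, List[str]]:
    """Map package name -> list of its currently running service classes."""
    by_package: Dict[str, List[str]] = {}
    for match in SERVICE_RECORD.finditer(services_dump):
        package, service = match.group(1), match.group(2)
        by_package.setdefault(package, []).append(service)
    return by_package


def suspicious(package_dump: str, services_dump: str) -> Dict[str, List[str]]:
    """Packages with the camera permission that also have a service running now."""
    services = running_services(services_dump)
    return {pkg: services[pkg] for pkg in sorted(camera_packages(package_dump)) if pkg in services}


def adb_shell(*args: str) -> str:
    """Run `adb shell <args>` against the connected device and return its output."""
    return subprocess.run(["adb", "shell", *args], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    if "--live" in sys.argv:
        pkg_dump, svc_dump = adb_shell("dumpsys", "package"), adb_shell("dumpsys", "activity", "services")
    else:
        pkg_dump, svc_dump = PACKAGE_DUMP, SERVICES_DUMP
    for pkg, svcs in suspicious(pkg_dump, svc_dump).items():
        print(f"{pkg}: holds CAMERA and is running {', '.join(svcs)}")
```

On the sample data only `com.example.simplenotepad` is reported: it holds the camera permission and has a service running, which is exactly the combination worth a second look; holding the permission alone (the legacy package) or running a service alone (the weather package) is not flagged. A hit is a prompt to check the app's purpose, not proof of anything, since legitimate apps (a torch, an anti-theft tool) match the same pattern.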


(hopefully constructive) criticism of Android design decisions

Let me start with the fact that I really like the Android SDK (maybe except the fact that it's Java - but I understand the logic behind that decision). It's nice because it gives a developer a lot of power. There are just some things that are possible on Android that simply would not be possible on other platforms.

However, given the fact that privacy is recently more and more of a growing concern, it would be nice to adjust accordingly. In my opinion privacy can be achieved by transparency without sacrificing comfort. I could imagine use cases where I want an app to take photos from a background service. But I think it's inexcusable that the user is not notified about this fact. Android has a very nice notification bar. Users are very used to it. Why not make use of it here? The same goes for sound recording, location recording, etc.

Another thing I think the Android team should look into is modern security research. There are a lot of ways of using data without direct access. A very simple example would be that an app can send emails to users without learning their email addresses, with Google acting as an intermediary.

All of those suggestions can be summarized in one sentence - please put more effort into ensuring users' privacy.


25 comments:

  1. Great research Szymon! Willing to look deeper into the code and/or implementations, cheers from México!

    1. I am still unsure if I should publish the code...

    2. I wouldn't do that. It's creepy enough to know that it works.

    3. For me, this is not a bug. It's a feature. There are many tutorials on how to get camera pictures without displaying the preview, for example: http://cell0907.blogspot.com.es/2014/01/android-camera-capture-without.html (For more examples or different ways of doing it, just Google: android take picture without preview)

  2. Yep. Hold the code close. No need to feed the CopyKidlets. I'm sure there will be similar exploit code out there but hopefully the holders of such code will be much smaller.

  3. Hi Szymon, thanks for sharing this issue! Actually I've just developed an app, 1 month ago, that can do the same functionality. It's a big security issue. Do you think we can contact Google?
    Happy to be in contact with you by anyway.

    Regards,
    Ibrahim

    1. I can send you an apk to ensure that?

    2. This comment has been removed by the author.

    3. Hey! I actually already emailed security@android.com.

      btw. I also understand that there are more people that were aware of this (I am not surprised actually - it's not that hard to find) - sorry for taking all the credit for this. If you want, email me and I can link to your project in my post.

    4. Thanks so much for your words Szymon! Actually I emailed security@android.com after I posted my comment here. I wanted to help you save users' privacy. My project is under construction, not published yet. Anyway, I will be happy to be in contact with your honor.

  4. Cerberus does exactly this and I want it to do that since this is an app that can allow me to track my phone if it gets stolen. So while I understand this is a problem if an app like this gets on your phone without your knowledge, it's necessary for other apps. If Android were to perform this action natively through Android Device Manager, I would be more open to removing this capability. But not until then.

  5. You can redirect the preview to an OpenGL texture (texture surface). This is very handy if you want to display effects instantly during the preview. However, this seems to be more handy to achieve what you want: just don't display the texture at all.

  6. You may find that Office Anti-Spy can stop anyone from taking control both of an Android phone's cameras, microphones and recording capability. Check out www.officeantispy.com

  7. Congratulations on rediscovering the most widely used method for utilizing CV in android! :p

    The standard Android Camera API is quite bad, so we remove the standard preview and process the raw camera data ourselves to bypass it, works far better.

    It is of no security concern as long as you actually read the permissions for an app before you install it.

    Example:
    http://stackoverflow.com/questions/9744790/android-possible-to-camera-capture-without-a-preview

    And here is an app I did a year ago using this:
    https://www.youtube.com/watch?v=zOe-DgoznMA

    Cheers!

  8. Some things about your technique:
    1. Since there is no notification, your service runs in the background, so it can easily be closed when there aren't a lot of system resources (try playing a game, for example).
    2. I think that you can even avoid having the pixel shown, by setting the margin value of the layoutParams of its window to be outside of the screen.
    I assume you did the on-top camera preview by using another permission called "SYSTEM_ALERT_WINDOW", which allows drawing on top of all windows.
    3. This is not quite a security bug. It's something the user knows he has confirmed when he installed the app.
    In fact, this is a feature some security apps have (like taking a photo of the thief when he opens the device).
    The user isn't aware of many things the apps do in the background.
    4. Force-stop only stops an app temporarily. It can wake itself using outside intents (like calls).
    You need to either disable it or uninstall it.

    1. Hi LB,

      Those are all good remarks. In particular number 4 is an important remark that I think people should be aware of - I incorporated it into the post body.

      Thanks,
      Szymon

  9. Did you do that on purpose?

    "Simple Notepad" is the fake app name used by "Mobile Hidden Camera", an app designed to let people use their phones to take photos and videos in public surreptitiously. Been on the Play Store for quite a while.

    If it wasn't on purpose it's a heck of a coinkydink.

  10. Awesome job man, I've talked about your job on my web. Cheers!

  11. hehehe u look like ERLICH BACHMANN “El Peludo”/”The J-2000: Steve Jobs 2.0” nice work with that code i hope u can give a copy just to learn a bit more

  12. Great job man, it was amazing...

  13. Having made a torch app (torch activation requires camera on), I can confirm that you can hide the view completely by adding a negative margin to the SurfaceView

  14. Hi Szymon,
    So the more technological the phones (and tablets) get, the more concerned you should be about security failures. Because there always will be a way to cheat on the rules without breaking them (like the 1x1 pixel preview).
    It would be great if, nowadays, turning off our phones really meant any app will continue running.
    Great job.

  15. This comment has been removed by a blog administrator.
