z*******n (posts: 1034)
By Russell Holly May. 22, 2014 10:00 am
Clever manipulation of Android’s internal rules for using the camera has
revealed that it is possible for apps to use your camera without ever making
you aware that it’s happening, effectively creating situations where a
malicious app could take pictures or video and send them to a remote source.
Digital security has never been a hotter issue than right now, and mobile
security is at the forefront of that discussion. With smartphones capable of
reporting your precise location while we use apps on potentially insecure
networks that do everything from banking to social networking, your
smartphone and tablet are prime examples of how easy it truly is to trade
secure computing for convenience.
We operate under the belief that the creators of the operating systems and
services are doing their best to make sure our data isn’t out there for
anyone to use, but like everything else when it comes to digital security
there’s no such thing as a 100% guarantee. One research project in
particular has discovered that the camera permissions in Android have the
potential to be exploited.
Szymon Sidor recently published a blog post explaining in great detail
how the camera permissions on Android can be manipulated to take
photos without the user seeing what is going on. Ideally, the camera should
only take photos when the viewfinder is present on the screen. After all,
you’re unlikely to ignore the camera app just opening on its own and taking
photos right in front of you. The key to making this work is finding a way
to obscure the camera viewfinder somehow, and after several attempts Sidor
figured out that the size of the display could be manipulated all the way
down to 1px.
On a modern Android phone, 1px on a 1080p display at 440ppi is nothing, and
would be next to impossible to see even if you were looking right at it.
Through this manipulation, he found that the app he built could take photos
and email them off the device with the user staring right at the screen and
never knowing it was happening.
Like all Android permission manipulations of this nature, there are plenty of
ways to make sure this doesn’t happen on your phone or tablet. The obvious
things are to make sure you have side-loading off on your phone at all
times, and when you install an app from the Play Store pay attention to the
permissions that the app is asking for. If the app has no need for your
camera, it shouldn’t be asking for permission to use your camera. Android
also has a system log that lets you know what background processes are
currently active, and what apps are asking to use them. This is a lot more
technical, but the end result is the same. If you have a simple app
installed, it shouldn’t be asking for background processes.
Ultimately something like this should be fixed by Google, because there are
no legitimate reasons for an app to have a one pixel viewfinder when using
your camera app. This is the kind of thing that can be fixed with relative
ease now that it has been pointed out.