A zero-permission Android app can infer a user's secrets by accessing public resources normally accessible without permissions. The app can determine a user's location by matching the phone's WiFi BSSIDs to databases of location-tagged BSSIDs. It can identify when a user is driving by comparing speaker usage to a navigation app database. It can also identify a user's Twitter account by matching timestamps of the app sending tweets to the user's public tweets found through Twitter's API. Many other secrets are exposed through similar means without the need for special permissions.

1. Inferring Your Secrets from Android Public
Resources
Authors of this paper:
Xiaoyong Zhou1, Soteris Demetriou2, Dongjing He2, Muhammad Naveed2,
Xiaorui Pan1, XiaoFeng Wang1, Carl A. Gunter2, Klara Nahrstedt
Tao Sun

2. Who has an Android phone?
When install Android app, you will choose permissions
But what about a zero-permission app?
Could get our secret information?
YES!

3. Find where you are
How to get location information normally?
> Android guards such information with a permission ACCESS_FINE_LOCATION
> Websites that attempt to get it through a mobile browser
(using navigator.geolocation.getCurrentPosition), which is designed to ask for
user’s permission when this happens.
If the app do not have these two permits?
> Yes, we can use wifi BSSID

4. BSSID To Location
• The BSSID of a Wi-Fi hotspot and signal levels perceived
by the phone are disclosed by Android through procfs.
• The BSSID (in the /proc/net/arp file), which is essentially
the gateway’s MAC address, and wireless signal levels (in
the /proc/net/wireless file). Both files are accessible to a
zero-permission app.
• Google, Skyhook and Navizon has a BSSID database.
• Build a request use its app’s protocol and can get the
location Information.

5. Knowing where you go
• Speaker usage information is public
• Consider a GPS navigation app one uses when she is
driving.
• We can get the Audio status log and compare them with the
log in the database.
How to avoid it?
Listen to music…

6. Get Your Identity
Information leaks from public data usage statics
Here are two public files
/proc/uid_stat/[uid]/tcp_rcv
/proc/uid_stat/[uid]/tcp_snd,
which record the total numbers of bytes received and sent by a specific app
Respectively.

7. Your twitter leaks your id information
• A zero-permission app monitors the mobile data usage
count tcp_snd of the Twitter 3.6.0 app when it is running.
• When the user send tweets to the Twitter server, the app
detects this event and send its timestamp to the malicious
server stealthily.
• This gives us the account’s owner posts her tweets at the
moments recorded by these timestamps.
• Given a few of timestamps, we can uniquely identify that
user.

8. Your twitter leaks your id information
• From the tweeting events detected, we obtain a sequence
of timestamps T = [t1; t2; ; tn] that describe when the
phone user tweets. This sequence is then used to find out
the user’s Twitter ID from the public index of tweets. Such
an index can be accessed through the Twitter Search API.
• To collect relevant tweets, we need to get the phone’s geolocation, which is specified by a triplet (latitude, longitude,
radius) in the twitter search API. Here all we need is a
coarse location (at city level) to set these parameters.

9. Identity, Location, Disease and More: Inferring Your
Secrets from Android Public Resources
THANK YOU!