Abstract

Mobile devices have become an indispensable part of our daily lives. In practice, most of our everyday communication is performed through mobile devices, which host third-party apps and provide various means of interaction with differing levels of security. Android is by far the most widely used mobile operating system, with a user base in the scale of billions. However, while the Android Open Source Project (AOSP) is paving the way for all manufacturers, the Android market is so fragmented that users running the latest version are only a small minority. Moreover, Android comes in several flavours, as manufacturers tailor it to their needs, and this tailoring often prevents users from receiving the latest updates. In fact, as we show, manufacturers may not follow the security and privacy guidelines of AOSP, exposing their users to unexpected threats. In this work we study a vulnerability that most major manufacturers have not yet patched, and that AOSP has only partially fixed, which allows an adversary to extract important information from the victim's device. To this end, we show that unprivileged apps, without using any permissions at all, can harvest a considerable amount of valuable user information. This is achieved by monitoring and exploiting the file and folder metadata of the most well-known messaging apps on Android, which have hitherto been considered secure, and deriving usage statistics from it in order to elicit user profiles, social connections, credentials or other sensitive information.
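The exposure the abstract describes rests on app directories whose mode bits let processes of other users stat or list their contents. The following added example (not code from the paper or from any messaging app) is a defensive audit: it walks a directory tree and reports every entry that a non-owner could traverse, list or read, using a constructed sample tree with the hypothetical file name `messages.db` in place of real app data.

```python
"""Audit a directory tree for entries whose permission bits expose
metadata (names, sizes, timestamps) to processes of other users."""
import os
import stat
import tempfile


def world_exposed(path: str) -> list[tuple[str, str]]:
    """Return (path, reason) for each entry under `path` that a non-owner
    process could inspect. Directories with o+x let others stat children;
    directories with o+r let others list file names and counts; files with
    o+r let others read contents outright."""
    findings = []
    for root, dirs, files in os.walk(path):
        for name in dirs:
            p = os.path.join(root, name)
            mode = os.stat(p).st_mode
            if mode & stat.S_IXOTH:
                findings.append((p, "dir traversable by others (o+x): children can be stat'ed"))
            if mode & stat.S_IROTH:
                findings.append((p, "dir listable by others (o+r): file names and counts leak"))
        for name in files:
            p = os.path.join(root, name)
            mode = os.stat(p).st_mode
            if mode & stat.S_IROTH:
                findings.append((p, "file readable by others (o+r)"))
    return findings


def demo() -> dict[str, int]:
    """Build a constructed sample tree (not real app data) with one private
    and one leaky app directory, audit it, and count findings per directory."""
    base = tempfile.mkdtemp(prefix="meta-audit-")
    private = os.path.join(base, "app_private")
    leaky = os.path.join(base, "app_leaky")
    for d in (private, leaky):
        os.makedirs(d)
        with open(os.path.join(d, "messages.db"), "w") as fh:  # hypothetical name
            fh.write("constructed sample content\n")
    os.chmod(private, 0o700)                                   # owner only
    os.chmod(os.path.join(private, "messages.db"), 0o600)
    os.chmod(leaky, 0o755)                                     # traversable and listable by all
    os.chmod(os.path.join(leaky, "messages.db"), 0o644)        # readable by all
    findings = world_exposed(base)
    return {
        "leaky_hits": sum(1 for p, _ in findings if p.startswith(leaky)),
        "private_hits": sum(1 for p, _ in findings if p.startswith(private)),
    }
```

Run on a real app data directory (as a user able to stat it), any finding on a directory line is the precondition for the kind of metadata monitoring the paper describes, and the fix is to drop the `o` bits.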
