Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,738,225 Members 53,560 Now Online
XDA Developers Android and Mobile Development Forum

[Exploit] Location Stealing on Samsung smartphones

Tip us?
 
pedrodh
Old
(Last edited by pedrodh; 16th November 2011 at 03:01 AM.) Reason: update apk
#1  
Retired Recognized Developer - OP
Thanks Meter 213
Posts: 190
Join Date: Oct 2009
Exclamation [Exploit] Location Stealing on Samsung smartphones

Edit: Uploaded new APK which is compatible with devices from Android 2.0 and up.

First of all, let me say this: I love Samsung smartphones, I myself own one, the Samsung Galaxy S, and these are great devices. Me sharing this information is only in the will to do good, so that people know how to protect themselves from this exploit and to pressure Samsung in fixing it on future updates.

What my exploit does it to obtain the user location, without the app needing any android permission AT ALL. Usually you could obtain the user location by using permissions such as ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION or even via Internet. The thing is, by using one of those, the user is alerted that that particular app will have access to those permissions on the device, but with my exploit the app is able to get the same info without issuing any of those. Also, this does not rely on having Root permissions on the device, this exploit works on out-of-the box devices.

The reason why this happens is because a certain widget (accurweather widget that comes with the phone) on some modern Samsung phones places the info about the location readable by every app in System Properties, its hidden from the 'naked eye' if you're just looking at the API, but you just have to know its name to get it. So these next 2 lines of code will get you the information used for the exploit (go ahead and compile your own version if you're afraid of my APK):

String value1 = Settings.System.getString(getContentResolver(), "aw_daemon_service_key_city_name");
String value2 = Settings.System.getString(getContentResolver(), "aw_daemon_service_key_detail_info");



The problem is even more serious than I first though, because you only need to have the widget on the launcher once, and that info will remain in the system informations when you remote it from the launcher, even across reboots or even if you clear the widget's data and cache (pretty scary :S). Sometimes (I don't know why exactly yet) the info goes away for good, but only if you don't have this widget on your launcher!

So, what devices does this affect. From my tests, it affect the Galaxy Note and the Samsung Galaxy S II, but it should affect much more new Samsung devices probably, I just didn't test. I have a SGS but since I run cyanogenMod there was no point running it there either (cyanogenmod ftw! :P).

Of course you might be wondering right now, that if you MANUALLY set the place to some strange place on the widget (let's say a remote village in China) what is reported by the exploit will be that place, but it seems to me that most people will be using this on "current location" setting.

So my truly advise is, root the phone and remove the widget for good (needs root because it is a system app). If you don't want to root the phone, then just manually change the place of the widget to something else.

In this thread I leave the simple app that shows you if your device its exploitable, and if so it shows you SOME of the information that could be exploited. As you'll notice during install, no permissions are required, nor the app will at any time ask for root permissions.

Market link to same app: https://market.android.com/details?i...cationstealing
Attached Files
File Type: apk SamsungLocationStealingExploit_1_1.apk - [Click for QR Code] (14.4 KB, 813 views)
Like my work and have bitcoin? Please donate: 152A5eh6QgLXYuNVxhgHtM1XxM8o85RoLL
The Following 15 Users Say Thank You to pedrodh For This Useful Post: [ Click to Expand ]
 
danieldmm
Old
#2  
danieldmm's Avatar
Senior Member
Thanks Meter 1261
Posts: 1,849
Join Date: Dec 2008
Location: France

 
DONATE TO ME
Indeed, very good sharing...
Keep the good work...
Cheers
If you like my work dont say thanks press also Thanks Button...
 
ferreinf
Old
#3  
ferreinf's Avatar
Senior Member
Thanks Meter 334
Posts: 1,785
Join Date: Jun 2010
Fortunately i donīt use TW....
Nexus 5 & Nexus 7 2013 powered by KitKat

AndroidPT.com
Portuguese Android Comunity Team
 
bedwa
Old
#4  
bedwa's Avatar
Recognized Developer
Thanks Meter 648
Posts: 1,116
Join Date: Oct 2008
Location: Springfield IL
"Issue parsing the package" error and does not let me download in the market as I'm on an LG Thrill. I would however like to see if the Thrill/O3D's Accuweather widget is also prone to this issue. Thank you.
Former Devices: HTC Wizard-WM 6.5, OG iPhone, iPhone 3GS, 15+ android devices, including N1, Galaxy Nexus, Galaxy Tab 7.7 and many more.
Current Device: Droid Bionic on AT&T with CM 11 nightly. Rockin GSM style.

Old Project(s)
Resources: Tab 7.7 Kernel/Initramfs
Kernels: Thrillz---Thrillz-GB---Infusion-GB---Infusion (Froyo)
No Odin? Flash a I897/I997 Kernel, Modem or both "zip packages!"
Red Nexus S LWP
LG Optimus Z Launcher

My Git.
My Twitter
Fuel my insanity fund, or click Thanks.
 
Snuble
Old
#5  
Member
Thanks Meter 2
Posts: 69
Join Date: Aug 2010
So would it be enough for Accuweather to be updated (once its patched), or is the problem deeper then that?
 
luminus
Old
#6  
Senior Member
Thanks Meter 15
Posts: 163
Join Date: Aug 2006
Location: Antwerpen
Simple solution for me, just removed it.
Will search for an other weather app.
 
mildlydisturbed
Old
#7  
Senior Member
Thanks Meter 70
Posts: 504
Join Date: Oct 2010
Location: Nashville

 
DONATE TO ME
We have a class action lawsuit against HTC/Accuweather going on over on the HTC EVO side, although our accuweather issue is it's transmitting location unencrypted in plain text to advertisers.

Wonder if this could be modified to work with the Sprint/HTC accuweather
 
GazaIan
Old
#8  
GazaIan's Avatar
Senior Member
Thanks Meter 414
Posts: 1,528
Join Date: Dec 2010
Location: Your basement

 
DONATE TO ME
Quote:
Originally Posted by Snuble View Post
So would it be enough for Accuweather to be updated (once its patched), or is the problem deeper then that?
From what I understand, the data is pulled with no permission or anything only because it's a system app. Remove it and be safe.
Google Nexus 4
LG G Watch
OUYA

HTC Sensation
HTC myTouch 4G
Samsung Galaxy Tab 10.1
 
loopism
Old
#9  
Senior Member
Thanks Meter 12
Posts: 100
Join Date: Apr 2011
I knew I froze the app for a reason! Thanks for sharing your discovery.
 
pedrodh
Old
#10  
Retired Recognized Developer - OP
Thanks Meter 213
Posts: 190
Join Date: Oct 2009
Quote:
Originally Posted by Snuble View Post
So would it be enough for Accuweather to be updated (once its patched), or is the problem deeper then that?
I don't know for sure yet, but I'm guessing it probably could. The thing is, I think accurweather its a modified version for the Samsung phones, so only a ROM itself would carry such update, and we know how long those take :\.
Like my work and have bitcoin? Please donate: 152A5eh6QgLXYuNVxhgHtM1XxM8o85RoLL

Tags
exploit, location, samsung
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


XDA PORTAL POSTS

Organize Your Cloud Storage Files with Unclouded

Cloud storage services like Dropbox or Google Drive have grown in popularity dramatically … more

XDA Xposed Tuesday: Blur Your System Notification Panel – XDA Developer TV

Listen, we love innovative applications and modules that … more

Android 4.4.3 Begins Rolling Out to European HTC One M8

Shortly after the USA Unlocked and Developer Editions of the HTC One M8 received the … more

Modernize Your Emails with Email Popup

SMS andHangouts messages likely won’t ever replace traditional Emails for more formal … more