Proof-of-concept Android apps are accessing data without asking for permission. The issue was discovered in the CoolIris Android gallery, the stock gallery app used on Android 2.1-2.3 devices.
The "No Permissions" app was created by Paul Brodeur of Leviathan Security Group. It was found to access three areas of the phone without permission.
The first area was the SD card. Every app has read-only access, but the proof-of-concept app scanned the card and returned hidden files, without asking. According to the Android developer documents, no security is placed upon files on the SD card, where personal information such as photos is stored.
Second, the app continues to grab personal information by reading the /data/system/packages.list file and scanning each app to determine which ones store personal information. Brodeur's app returns a list of installed apps and readable files. "[W]hen testing on a real device, I am able to read some files belonging to other apps," Brodeur said in the report.
The third and final action taken by the app is gaining the device's identity. The app grabs the GSM and SIM vendor IDs, the /proc/version pseudofile - which reveals the kernel version and, if one is installed, a custom ROM - and the Android ID. The latter is a unique 64-bit number generated when the device is first booted up.
And, while it may appear that none of this data can be transmitted without user interaction, the app was able to open the browser. "[T]he URI ACTION_VIEW Intent opens a browser. By passing data via GET parameters in a URI, the browser will exfiltrate any collected data," the post added.
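A detection-side example of the exfiltration path described above, added here and not taken from Brodeur's post or this article: it flags logged URLs whose GET parameters carry a 64-bit hex identifier, device file paths (plain or base64-encoded), or an unusually large query. The 16-hex-digit encoding, the path markers, the 512-byte threshold, the sample URLs and all function names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions: a 64-bit ID is sent as 16 hex digits; the size limit is arbitrary.
HEX64 = re.compile(r"[0-9a-fA-F]{16}")
PATH_MARKERS = ("/sdcard/", "/mnt/sdcard/", "/data/data/", "/proc/version")
MAX_QUERY_BYTES = 512


def decoded_forms(value):
    """Yield the value as sent and, when it is valid base64 text, decoded."""
    yield value
    try:
        padded = value + "=" * (-len(value) % 4)
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
        yield raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return


def inspect_url(url):
    """Return sorted reasons a URL looks like GET-parameter exfiltration."""
    reasons = set()
    query = urlsplit(url).query
    if len(query) > MAX_QUERY_BYTES:
        reasons.add("oversized-query")
    for name, value in parse_qsl(query, keep_blank_values=True):
        for form in decoded_forms(value):
            if HEX64.fullmatch(form):
                reasons.add("64-bit-hex-id:" + name)
            if any(marker in form for marker in PATH_MARKERS):
                reasons.add("device-path:" + name)
    return sorted(reasons)


# Constructed sample URLs, as they might appear in a web proxy log.
ENCODED_LISTING = base64.urlsafe_b64encode(b"/sdcard/DCIM/.hidden/a.jpg").decode()
SAMPLE_URLS = [
    "https://example.com/search?q=android+gallery&page=2",
    "http://collector.example/c?aid=0123456789abcdef&v=%2Fproc%2Fversion",
    "http://collector.example/c?f=" + ENCODED_LISTING,
    "http://collector.example/c?blob=" + "A" * 600,
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(inspect_url(url), url[:60])
```

These heuristics only see traffic that crosses an inspecting proxy, and a 16-hex-digit match will also hit unrelated tokens, so treat hits as leads to correlate with the destination host.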
The Verge found similar results in its tests of the CoolIris gallery app. Along with photos, Google e-mail accounts and a list of addresses were found to be harvested by the app. The list of information was inside the cache of com.cooliris.media, though a file called Chunk_0 stored unencrypted information, such as locations of family and holiday destinations.
The "No Permissions" app was created for Android 4.0.3 Ice Cream Sandwich and version 2.3.5 Gingerbread.
(reported by Jonathan Charles, edited by Surojit Chatterjee)
© Copyright 2024 Mobile & Apps, All rights reserved. Do not reproduce without permission.