from the pdf

• We designed a pipeline for automatically discovering vulnerabilities in the Android permissions system through a combination of dynamic and static analysis, in effect creating a scalable honeypot environment.

• We tested our pipeline on more than 88,000 apps and discovered a number of vulnerabilities, which we responsibly disclosed. These apps were downloaded from the U.S. Google Play Store and include popular apps from all categories. We further describe the vulnerabilities in detail, and measure the degree to which they are in active use, and thus pose a threat to users. We discovered covert and side channels used in the wild that compromise both users’ location data and persistent identifiers.

• We discovered companies getting the MAC addresses of the connected WiFi base stations from the ARP cache. This can be used as a surrogate for location data. We found 5 apps exploiting this vulnerability and 5 with the pertinent code to do so.

• We discovered Unity obtaining the device MAC address using ioctl system calls. The MAC address can be used to uniquely identify the device. We found 42 apps exploiting this vulnerability and 12,408 apps with the pertinent code to do so.

• We also discovered that third-party libraries provided by two Chinese companies—Baidu and Salmonads—independently make use of the SD card as a covert channel, so that when an app can read the phone’s IMEI, it stores it for other apps that cannot. We found 159 apps with the potential to exploit this covert channel and empirically found 13 apps doing so.

• We found one app that used picture metadata as a side channel to access precise location information despite not holding location permissions.