Thursday, March 13, 2014

Steal user data without Internet

Yesterday I happened to download an Android app which did not ask for ANY additional permission to install.My first impression was that this app would not have any advertisements and would be able to steal any of my information.Then,I thought how awesome would it be if an App with no additional permissions could actually steal the user information. So, I used the oldest trick in the book and here is the result

I created a password manager which does not require any additional permissions,giving an impression that all the data remains stored locally.Now at the bottom of the list of accounts is a terms and conditions link which opens in a browser which does not require the permission to use the internet. As you might have already guessed, the URL which opens contains some additional GET parameters which of-course is the username and passwords.

Link to the code block

I have just uploaded this app to play-store, and if it is approved, would be available at

1. I have not added any information yet about this hack on the playstore listing , to get through the approval process.
2. I am not saving the data sent in GET requests because my purpose has been to demonstrate the hack and not to steal information.