XDA Recognized Developer pedrodh recently identified an exploit in Samsung devices running AccuWeather, and developed an app for demonstration. The app can poll your location without granting any permissions–not even Superuser permissions–using two lines of code.
As a system app, AccuWeather is automatically granted access to your GPS settings. There are two ways to avoid giving away your location. Under the AccuWeather settings you can set your location manually. The developer recommends some remote village in China. Unless, of course, you live in a remote Chinese village. The second way is to gain root access to your Samsung device and remove the widget entirely.
The developer provides those two lines of code if you want to create your own app, or you can use his. Hopefully this demonstration is enough to alert less enthusiastic Samsung users to where they are vulnerable.
Originally posted by pedrodh
The problem is even more serious than I first though, because you only need to have the widget on the launcher once, and that info will remain in the system informations when you remote it from the launcher, even across reboots or even if you clear the widget’s data and cache (pretty scary :S). Sometimes (I don’t know why exactly yet) the info goes away for good, but only if you don’t have this widget on your launcher!
Please see the development thread for more information._________
Join us for xda:devcon 2014. For a limited time, XDA Portal readers get 20% off registration!