Uncovering Android Sensor Types, Permissions, and Hidden Security Vulnerabilities

This article explains the variety of sensors built into modern Android smartphones, how developers access them via the SensorManager API, and the permissions they require. It then analyzes several memory, logic, and side‑channel vulnerabilities that threaten user privacy and system integrity.

OPPO Amber Lab

1.1 Android Sensor Types

Modern smartphones embed numerous hardware sensors, such as accelerometers, gravity sensors, light sensors, proximity sensors, gyroscopes, barometers, and temperature, humidity, and magnetic field sensors. Sensors enable apps to detect user motion, device orientation, ambient light, distance to the user, and environmental conditions, improving user experience and enabling richer applications.

Hardware sensors directly measure physical properties, while software (virtual) sensors combine data from multiple hardware sources to provide higher‑level information like linear acceleration or gravity.

1.2 Android Sensor Architecture and Usage

Apps obtain a SensorManager instance, retrieve a Sensor object (e.g., accelerometer), and register a SensorEventListener to receive callbacks when sensor values or accuracy change. The framework also offers a sampling‑rate control interface for high‑frequency data collection.

Typical usage steps:

1. Get the SensorManager object.
2. Obtain the desired Sensor (e.g., accelerometer).
3. Create and register a custom SensorEventListener.
4. Unregister the listener when it is no longer needed.

[Figure: Android sensor architecture diagram]

2.1 Memory‑type Vulnerabilities

CVE‑2021‑0318 is a use‑after‑free (UAF) bug in SensorEventConnection.cpp. The SensorEventConnection allocates a cache buffer (mEventCache) on the heap. When the connection is destroyed the buffer is freed, but later code still reads and writes the freed memory, corrupting the heap in a way that can be exploited for privilege escalation.

[Figure: SensorService::createSensorEventConnection() implementation]
[Figure: mEventCache initialization]
[Figure: SensorEventConnection::destroy() implementation]
[Figure: appendEventsToCacheLocked() use‑after‑free]
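
The lifetime problem described above, as an added example with the late append made safe. This is a simplified model written for this page, not AOSP code and not the actual patch; `ToyConnection`, `ToyEvent` and the function names are hypothetical.

```cpp
// Simplified lifetime model of the bug class described above; not AOSP code.
#include <cstddef>
#include <memory>
#include <mutex>

struct ToyEvent { int sensor; float value; };
class ToyConnection {
public:
    explicit ToyConnection(size_t capacity)
        : mEventCache(new ToyEvent[capacity]), mCapacity(capacity) {}

    // Frees the cache. Resetting the owner and the counters under the lock means
    // no dangling pointer survives for a later append to dereference.
    void destroy() {
        std::lock_guard<std::mutex> lock(mLock);
        mEventCache.reset();
        mCapacity = 0;
        mCount = 0;
    }

    // Returns false instead of touching memory once the connection is destroyed
    // or the cache is full. The vulnerable pattern is this function without the
    // null check, writing through a raw pointer that destroy() already freed.
    bool appendEventToCache(const ToyEvent& ev) {
        std::lock_guard<std::mutex> lock(mLock);
        if (!mEventCache || mCount >= mCapacity) return false;
        mEventCache[mCount++] = ev;
        return true;
    }
    size_t cached() {
        std::lock_guard<std::mutex> lock(mLock);
        return mCount;
    }
private:
    std::mutex mLock;
    std::unique_ptr<ToyEvent[]> mEventCache;
    size_t mCapacity;
    size_t mCount = 0;
};

// Drives the sequence from the text: append, destroy, then a late append.
bool lateAppendRejected() {
    ToyConnection conn(4);
    bool before = conn.appendEventToCache({1, 9.8f});
    conn.destroy();
    bool after = conn.appendEventToCache({1, 9.7f});
    return before && !after && conn.cached() == 0;
}
```

Building the model with AddressSanitizer and removing the null check turns the late append into a reported heap-use-after-free, which is how this class of bug is usually caught in testing.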

2.2 Logic‑type Vulnerabilities

CVE‑2023‑21034 bypasses permission checks for ACTIVITY_RECOGNITION and HIGH_SAMPLING_RATE_SENSORS. The flaw resides in isRateCappedBasedOnPermission() and canAccessSensor(), which rely on the app’s target SDK version. A stale cache (sPackageTargetVersion) can retain an old, lower SDK version after an app upgrade, allowing the app to evade new permission requirements.

[Figure: isRateCappedBasedOnPermission() implementation]
[Figure: canAccessSensor() implementation]
[Figure: getTargetSDKVersion() implementation]
[Figure: sPackageTargetVersion cache structure]
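
The stale-cache logic described above, modelled as an added example that compares a cache that never invalidates with one that drops its entry when the package is updated. This is not AOSP code: `SdkCache`, `ToyPackageDb`, the API 31 threshold and invalidation-on-update as the mitigation are assumptions of the model, and the page does not describe the actual patch.

```cpp
// Simplified model of a target-SDK cache; not AOSP code, all names hypothetical.
#include <map>
#include <string>

constexpr int kRateCapSdk = 31;  // model assumption: cap applies from API 31 (Android 12)
using ToyPackageDb = std::map<std::string, int>;  // authoritative targetSdk per package

class SdkCache {
public:
    SdkCache(const ToyPackageDb& db, bool invalidateOnUpdate)
        : mDb(db), mInvalidate(invalidateOnUpdate) {}

    // Returns the cached value if present, else asks the authoritative store.
    int targetSdk(const std::string& pkg) {
        auto hit = mCache.find(pkg);
        if (hit != mCache.end()) return hit->second;
        auto it = mDb.find(pkg);
        if (it == mDb.end()) return -1;      // unknown package: never cached
        return mCache[pkg] = it->second;
    }
    // Package replaced: the stale variant ignores the event and keeps the old value.
    void onPackageUpdated(const std::string& pkg) {
        if (mInvalidate) mCache.erase(pkg);
    }
    // Unknown SDK fails closed; otherwise only apps targeting kRateCapSdk+ are capped.
    bool isRateCapped(const std::string& pkg, bool hasHighRatePermission) {
        int sdk = targetSdk(pkg);
        return (sdk < 0 || sdk >= kRateCapSdk) && !hasHighRatePermission;
    }
private:
    const ToyPackageDb& mDb;
    bool mInvalidate;
    std::map<std::string, int> mCache;
};

// Replays the upgrade from the text and reports whether the app is capped afterwards.
bool cappedAfterUpgrade(bool invalidateOnUpdate) {
    ToyPackageDb db{{"com.example.app", 30}};      // constructed sample package
    SdkCache cache(db, invalidateOnUpdate);
    cache.isRateCapped("com.example.app", false);  // first query caches SDK 30
    db["com.example.app"] = 33;                    // upgrade raises the target SDK
    cache.onPackageUpdated("com.example.app");
    return cache.isRateCapped("com.example.app", false);
}
```

With `invalidateOnUpdate` set to false the upgraded app is still evaluated against SDK 30 and escapes the cap; with it set to true the next lookup sees SDK 33 and the cap applies.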

2.3 Side‑channel Attacks

Researchers have demonstrated that the built‑in accelerometer can capture acoustic vibrations from the speaker, enabling speech eavesdropping. By collecting high‑frequency accelerometer data and applying deep‑learning models, attackers can reconstruct spoken words, especially when the sensor’s sampling rate exceeds 200 Hz. Android 12 limits sensor sampling rates to mitigate this risk, but the threat remains for apps that obtain the HIGH_SAMPLING_RATE_SENSORS permission.

[Figure: Accelerometer data collection scenario]
[Figure: Voice reconstruction from accelerometer data]

Conclusion

This article has given an overview of common Android sensor types, their usage, and the related permissions, and has analyzed several representative security vulnerabilities, covering memory‑type bugs, logic‑type bugs, and side‑channel attacks. While Google continues to strengthen sensor security, the growing variety of sensors and their easy accessibility ensure they remain a focal point for both security researchers and malicious actors.
