Researchers from North Carolina State University have determined that skinned versions of Android may expose private data to any app that makes a request — and all without asking for user permission.

The research team tested handsets from HTC, Motorola and Samsung, along with the vanilla, non-skinned Nexus handsets from Google, and found that the skinned versions of Android introduce vulnerabilities. Depending on the handset, installed apps were able to access location data, make phone calls, use the camera, delete packages, reboot the phone, send text messages and record audio.

The researchers blame security holes introduced by the third-party OS layers. These holes allow apps to gain permissions for various services, exploiting pre-loaded apps as go-betweens. Google’s own Nexus One and Nexus S smartphones allowed just one of the tested exploits: deleting packages.

A third-party app should never be allowed such deep, system-level access without prior user approval. In a perfect world, when a user installs an app in an Android phone, he or she will be asked to grant that app access to various kinds of data and services — text messages, the phone’s camera, making calls, and so on. This model is designed to provide security against Android’s ability to run any and every app, wherever it may come from.

The university paper, by Michael Grace, Yajin Zhou, Zhi Wang and Xuxian Jiang, is available for download as a PDF. Take a gander to see how the weaknesses were discovered. In light of the the current Carrier IQ debacle, all smartphone users would be wise to pay a bit more attention to the security of their mobile hardware.

Systematic Detection of Capability Leaks in Stock Android Smartphones [North Carolina State University]

Android glitch allows hackers to bug phone calls [Register]