Security firm Leviathan Security has discovered that apps with no permissions to access system resources are still able to view sensitive data without the user's knowledge. Worse yet, through a few extra steps, a malicious app might be able to get that data off of the device using the Web browser.

According to Leviathan Security, at least three types of information can be accessed by any app, regardless of its permissions. These types of info include files on external storage, files stored by individual apps, and device information.

Android allows any app to read all files on external storage by default. This might sound harmless, but Leviathan researcher Paul Brodeur has discovered that some apps store sensitive data--such as --to the device's SD card.

Apps can also fetch a list of installed applications on the device, and, from there, scan for files associated with those apps. iOS developers have recently come under fire for failing to secure data--Facebook, Dropbox and others have been found to be --and there are likely many Android apps with equally poor security.

Finally, Brodeur discovered that all apps could access basic device information. While an app is not able to read a device's unique identification number without the correct permissions, other identifiable information is easily accessible.