Android Permissions: Permissively Insecure?
Android, as an operating system, is fairly unique in that it makes users aware of the permissions available to apps in a fairly transparent way. Compared to Blackberry or iOS, which issue granular prompts such as “Can Angry Birds access your location?” or “Can Instagram access your camera to take photos?” There is a somewhat subtle difference here: The rivals give the user a choice about these requests.
Jump over to Android where, after installing an app, it has free reign to use every permission you agreed to. While this doesn’t sound an issue, let’s take a look at the Play Store. Let’s look at a nice, popular app (for better or for worse): Facebook.
The Facebook app has permissions to:
- Create accounts and set passwords for those accounts, and add or remove accounts – this allows Facebook to store its account login using the AccountManager, and is good to see
- access your accurate (GPS) location and network location – this is to allow for geo-tagging of posts and status updates, which some people might want, but others may be very against. More on this later.
- full network access – Google lacks a way to give an app selective internet access, so this is needed, much as it might be nice to limit the remote servers an app can communicate with
- directly call phone numbers – I confess to not researching this one – I am fairly sure Facebook lets you tap a phone icon to call someone. Would it really be so bad to just let you confirm you want to call, and avoid this permission? How long until we see profiles listing premium rate numbers as their phone number?
- read your phone status and identity – This one is a privacy stealer – while allowing an app to tell if a call is active or not, it also is fairly invasive, allowing an app to obtain your phone number, IMEI, IMSI, device ID (etc), and if you are on a call, the phone number you are connected to!
- read to and write from USB storage devices – Perhaps this is for caching of files, but maybe a tad excessive?
- install shortcuts on your homescreen without user interaction – Not sure when this is used, but the permission is there, so it might like to self-promote Facebook services?
- read your detailed battery statistics – As described in the descriptions, this gives low-level battery use data, and can allow the app to find out what other applications you use.
- see what other apps are running – Likely for the Facebook Home feature, again allows Facebook to see what apps are running
- take photos and videos at any time without prompting – Rather concerning, allows the Facebook app to take photos or videos whenever it wants, without prompting or alerting you
- draw over other applications – Likely for the Chat Heads feature of messenger, although why that’s not a permission in the messenger app is a good question
Getting tired and out of breath yet? It’s not over yet though! Facebook can also:
- write to your call log – Why? Just why? This allows for call log erasing and writing
- read from your call log – and thus see all the calls you have made, and when, and for how long, and who they were to
- read your contacts – while useful if you sync Facebook contacts, many people don’t want Facebook to have full reign over their contacts
- write to your contacts – pretty much as above
What is perhaps most disconcerting is that while Google acknowledges openly the risks in each permission (I suggest you take a read at the detailed description of some of the permissions on a Play Store listing), the company takes no steps to help you with this. Thus, the entire Android ecosystem is built around you trusting the developer to play fair, and not do anything dodgy.
And while I might be unique in my recommendation (which I firmly believe is warranted in this day and age given recent information revealing the extent of mass surveillance that is ongoing) to trust nobody, not even yourself. For this reason, I suggest the Android permissions system is totally flawed, in relying on developers to not abuse permissions, and not request excessive permissions. How many torch apps on Android have more than the required camera permission (to enable the camera)? I’d suggest most do, feel free to take a look!
You’d think the Android community would rally against such behaviou, but it’s reached a point where it is acceptable for developers to declare a need for excessively gratuitous permissions in order to use their apps. What happened to user choice? I then was pointed towards this post on G+ by Steve Kondik (XDA Recognized Developer cyanogen), which I read with much dismay. While I do not use G+ (closed platform, requiring far too much data to be disclosed to Google), I would suggest that with respect, the need for user privacy and security MUST come first, as it’s clear app developers cannot “do” security.
Perhaps if Google introduced zero tolerance for moronic errors in security (plaintext passwords, gathering contacts data, obtaining device IDs that are not hashed suitably with a cryptographic hash etc), it might offer an incentive to consider security? Given many users (wrongly) reuse passwords between services, the sending of plaintext passwords should be sufficient, in this author’s opinion, to justify immediate removal of all of a developer’s apps from the Play Store, forever.
Some people just don’t know how to do security. And for them, I sigh. Users deserve security, and privacy, and unless you go ahead and look at the OpenPDroid project on XDA (which I strongly suggest you check out), you are pretty much being abandoned by even the leader of CyanogenMod. While I appreciate his concerns for app developers, it is simply inexcusable to not look into fixing the glaring hole that is contacts access. This is 2013, the era of social engineering, and I cannot choose selectively which apps see which contacts in my address book? REALLY?
Something needs to happen here, before people wake up and smell the coffee, and realize this isn’t sustainable. It’s time users became more aware about what apps are doing, and the extent of data mining that is ongoing. It’s your data, and it should be entirely your choice who gets it.
You shouldn’t have to avoid an app because you don’t like the look of its permissions; you should be able to (whether as stock Google feature, or custom ROM feature) be able to selectively decline to allow an app to access your data. And this should be done gracefully, either providing empty data (for contacts, or similar), or null data (i.e. requesting phone number or IMEI should return the same response as a tablet lacking these identifiers).
Is it right to deny your users the choice, to make life “easier” for app developers? (arguably to allow them to capture user data more easily) I argue it’s not, and it’s time the Android community unites to put an end to apps having free reign over YOUR data. If this concerns you, why not check out the aforementioned OpenPDroid (and similar) projects on XDA, and see if you can help out, or test, or contribute to the cause?