Pulser_G2 · Jun 8, 2013 at 05:00 pm

Android Permissions: Permissively Insecure?

Android, as an operating system, is fairly unique in that it makes users aware of the permissions available to apps in a fairly transparent way. Compare this to BlackBerry or iOS, which issue granular prompts such as “Can Angry Birds access your location?” or “Can Instagram access your camera to take photos?” There is a somewhat subtle difference here: the rivals give the user a choice about these requests.

Jump over to Android where, after installing an app, it has free rein to use every permission you agreed to. While this doesn’t sound like an issue, let’s take a look at the Play Store, and at a nice, popular app (for better or for worse): Facebook.

The Facebook app has permissions to:

  • Create accounts and set passwords for those accounts, and add or remove accounts – this allows Facebook to store its account login using the AccountManager, and is good to see
  • access your accurate (GPS) location and network location – this is to allow for geo-tagging of posts and status updates, which some people might want, but others may be very against. More on this later.
  • full network access – Google lacks a way to give an app selective internet access, so this is needed, much as it might be nice to limit the remote servers an app can communicate with
  • directly call phone numbers – I confess to not researching this one – I am fairly sure Facebook lets you tap a phone icon to call someone. Would it really be so bad to just let you confirm you want to call, and avoid this permission? How long until we see profiles listing premium rate numbers as their phone number?
  • read your phone status and identity – This one is a privacy stealer – while allowing an app to tell if a call is active or not, it also is fairly invasive, allowing an app to obtain your phone number, IMEI, IMSI, device ID (etc), and if you are on a call, the phone number you are connected to!
  • read from and write to USB storage devices – Perhaps this is for caching of files, but maybe a tad excessive?
  • install shortcuts on your homescreen without user interaction – Not sure when this is used, but the permission is there, so it might like to self-promote Facebook services?
  • read your detailed battery statistics – As described in the descriptions, this gives low-level battery use data, and can allow the app to find out what other applications you use.
  • see what other apps are running – Likely for the Facebook Home feature, again allows Facebook to see what apps are running
  • take photos and videos at any time without prompting – Rather concerning, allows the Facebook app to take photos or videos whenever it wants, without prompting or alerting you
  • draw over other applications – Likely for the Chat Heads feature of messenger, although why that’s not a permission in the messenger app is a good question

Getting tired and out of breath yet? It’s not over yet though! Facebook can also:

  • write to your call log – Why? Just why? This allows for call log erasing and writing
  • read from your call log – and thus see all the calls you have made, and when, and for how long, and who they were to
  • read your contacts – while useful if you sync Facebook contacts, many people don’t want Facebook to have free rein over their contacts
  • write to your contacts – pretty much as above

What is perhaps most disconcerting is that while Google acknowledges openly the risks in each permission (I suggest you take a read at the detailed description of some of the permissions on a Play Store listing), the company takes no steps to help you with this. Thus, the entire Android ecosystem is built around you trusting the developer to play fair, and not do anything dodgy.

Unfortunately. This. Doesn’t. Happen. It really seems clear that many app developers just DO NOT UNDERSTAND SECURITY. Full stop.

I might be unique in my recommendation (which I firmly believe is warranted in this day and age given recent information revealing the extent of mass surveillance that is ongoing) to trust nobody, not even yourself. For this reason, I suggest the Android permissions system is totally flawed, in relying on developers to not abuse permissions, and not request excessive permissions. How many torch apps on Android have more than the required camera permission (to enable the camera)? I’d suggest most do, feel free to take a look!
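One way to take that look, as an added example that is not part of the original article: the script below compares the permissions an app declares against the baseline its function needs and flags the excess. It assumes a manifest already decoded to plain-text XML; the sample manifest, the `com.example.torch` package and the camera-only baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions discussed in the article, mapped to what they expose.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.WRITE_CALL_LOG": "call history (erase/write)",
    "android.permission.READ_PHONE_STATE": "phone number, IMEI, IMSI",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.CALL_PHONE": "calls without confirmation",
    "android.permission.CAMERA": "photos and video without prompting",
    "android.permission.INTERNET": "unrestricted network access",
}

# Constructed sample: decoded manifest of a hypothetical torch app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Torch"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries without android:name


def audit(manifest_xml, expected):
    """Return (sensitive excess with what it exposes, other excess)."""
    excess = requested_permissions(manifest_xml) - set(expected)
    flagged = {p: SENSITIVE[p] for p in excess if p in SENSITIVE}
    other = sorted(excess - set(flagged))
    return flagged, other


if __name__ == "__main__":
    # A torch app needs the camera permission and nothing else.
    flagged, other = audit(SAMPLE_MANIFEST, {"android.permission.CAMERA"})
    for perm, exposes in sorted(flagged.items()):
        print(f"EXCESS  {perm}: {exposes}")
    for perm in other:
        print(f"review  {perm}")
```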

You’d think the Android community would rally against such behaviour, but it’s reached a point where it is acceptable for developers to declare a need for excessively gratuitous permissions in order to use their apps. What happened to user choice? I then was pointed towards this post on G+ by Steve Kondik (XDA Recognized Developer cyanogen), which I read with much dismay. While I do not use G+ (closed platform, requiring far too much data to be disclosed to Google), I would suggest that with respect, the need for user privacy and security MUST come first, as it’s clear app developers cannot “do” security.

Perhaps if Google introduced zero tolerance for moronic errors in security (plaintext passwords, gathering contacts data, obtaining device IDs that are not hashed suitably with a cryptographic hash etc), it might offer an incentive to consider security? Given many users (wrongly) reuse passwords between services, the sending of plaintext passwords should be sufficient, in this author’s opinion, to justify immediate removal of all of a developer’s apps from the Play Store, forever.

Some people just don’t know how to do security. And for them, I sigh. Users deserve security, and privacy, and unless you go ahead and look at the OpenPDroid project on XDA (which I strongly suggest you check out), you are pretty much being abandoned by even the leader of CyanogenMod. While I appreciate his concerns for app developers, it is simply inexcusable to not look into fixing the glaring hole that is contacts access. This is 2013, the era of social engineering, and I cannot choose selectively which apps see which contacts in my address book? REALLY?

Something needs to happen here, before people wake up and smell the coffee, and realize this isn’t sustainable. It’s time users became more aware about what apps are doing, and the extent of data mining that is ongoing. It’s your data, and it should be entirely your choice who gets it.

You shouldn’t have to avoid an app because you don’t like the look of its permissions; you should be able to (whether as a stock Google feature, or a custom ROM feature) selectively decline to allow an app to access your data. And this should be done gracefully, either providing empty data (for contacts, or similar), or null data (i.e. requesting phone number or IMEI should return the same response as a tablet lacking these identifiers).

Is it right to deny your users the choice, to make life “easier” for app developers? (arguably to allow them to capture user data more easily) I argue it’s not, and it’s time the Android community unites to put an end to apps having free rein over YOUR data. If this concerns you, why not check out the aforementioned OpenPDroid (and similar) projects on XDA, and see if you can help out, or test, or contribute to the cause?



Pulser_G2

Pulser_G2 is an editor on XDA-Developers, the largest community for Android users. Developer Admin at xda-developers, interested in everything in mobile and security. A developer and engineer, who would re-write everything in C or Assembler if the time was there.