Pulser_G2 · Jun 10, 2014 at 05:30 am

Play Store Permissions Change Opens Door to Rogue Apps

XDA is normally about the latest and greatest. Whether we’re talking about the latest firmware revision or device, most people in the Android tech community favor being on the bleeding edge. Sometimes, however, the latest isn’t necessarily the greatest or the best way forward. As we recently covered here on the XDA Portal, Google released a new version of the Play Store, which among other things, allows the use of PayPal to purchase apps and simplifies the permissions interface shown to users.

Under this happy facade, however, is a somewhat more sinister change. The permissions system in Android, which has protected users since Android hit consumer devices in 2008, was significantly (and fairly quietly) watered down by Google in this Play Store update. Previously, when an application update requested additional permissions, users would be notified and have to accept the change before updating. This continued when automatic updates were introduced, as applications with permission changes would require a manual update and approval of the new permissions.

This system worked fairly well. If an app changed its permission needs, you’d be notified, and could choose whether to accept the update. With the most recent Play Store update, however, users are not told about certain permission changes if they don’t result in the addition of permissions to a new group. Given the sheer breadth of permissions a group now covers, this effectively leaves Android with only 13 permissions. An application can quietly update itself in future, to grant itself access to further permissions within a group, with the user left none the wiser.

Once an app is granted an individual permission within a group, that application has the ability to add any other permissions from the group in a future update, without users being notified of the change. To quote Google:

You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted.

For example, contacts and calendar permissions are now grouped into one. An app with the ability to read your contacts could, without you receiving clear and prominent notices, add calendar permissions to the group. This would allow the application full access to snoop through your calendar, and even send Emails to calendar appointment guests, without your consent.

Likewise, the “Phone” permissions group allows access to directly call phone numbers, which is useful in a variety of different contexts. However, it also contains permissions to read and write call logs, reroute your outgoing calls to different destinations, and make calls without your intervention.

Google also made the decision that users shouldn’t necessarily be aware if applications have access to the Internet, so this permission is now hidden under “other,” meaning that by default, users won’t see it. Their rationale is that most apps use Internet access, and therefore users don’t need to know. Funnily enough, one of the best ways to actually protect your privacy is to prevent apps from communicating with the Internet. After all, if an app cannot send home the data it gathers about you, you are quite well protected. Obviously there’s more than one way to skin a cat, but if users want to be safe, they need to have information about whether or not an application uses the Internet. Thus, Internet access to apps should not be a given, in this day and age of privacy concerns. This shows that Google is out of touch with user privacy, once again.

So what can we do about this? For now, the best thing to do is ensure you disable automatic updates for apps, and carefully and diligently review the permissions requested by expanding all of the categories. You could also consider using an app that lists the individual permissions used by each application.

Redditor iamtubeman posted a thread where he talks about this further, and demonstrates just how an application with a tiny number of permissions could be used as a gateway into your device with an updated version with much more intrusive permissions. For example, he created an application using:


This was able to be updated to allow the following additional permissions, none of which the user would be explicitly warned about.


And there you have it. Your app with fairly standard permissions could now (after a small update that says nothing about the permissions)  monitor and store your browsing habits, indexed by your IMEI number. Meanwhile, you would be getting tracked by GPS in real time, with your location data being constantly uploaded. The SMS messages you send and receive would also be getting scanned and monitored, and their contents indexed, along with all your documents and files on your SD card, including your photos (to try and find photos of yourself). Then once those compromising holiday snaps have been located and your intimate browsing history has been extracted, your device could be wiped. You could then be contacted by SMS, demanding money, otherwise your browsing history would be sent to your boss, along with your compromising holiday snaps.

This is not some sci-fi film plot, or storyline from Watch Dogs; this is something that could be done today, on your phone, without you even knowing about it. I believe there is a need for Google to take action quickly to not only reverse this change, but head in the other direction and make users much more aware of what is happening on their phones.

How can we fix this?

It’s easy for writers to criticize and complain, but few offer their own solutions. So here goes, with how I would solve this problem. First, Google is going in the wrong direction with regards to privacy. Apple, the epitome of simplicity and having decisions made for you, introduced a number of good privacy features in iOS 8. Being a closed source operating system, however, these changes are of no use to the tweaking community. However, it does show that the market is heading towards enhanced privacy. To that end, iOS 8 will use random MAC addresses when scanning for WiFi networks, in order to help prevent tracking of individuals around shopping malls and other public locations that try to identify users based on their phone WiFi signals.

Having ascertained that the market needs to move towards greater user control (with iOS 8 again adding a specific warning when a keyboard application tries to access the Internet in order to prevent keyloggers), I think it’s time to define some better categories, with clearer warnings of the risks they pose to when their constituent permissions granted. In an ideal world, you would be able to grant these permissions in real time, and be able to deny access to permissions:

  • Your Identity – These permissions allow apps to identify you or your device uniquely, and could be used to track you. You should avoid giving these permissions to apps you do not trust entirely, as they can identify you uniquely, either by name and email address, or by your device’s serial numbers.
  • Your Data – These permissions allow applications to access data you hold on the phone. This may include your photographs, videos or documents you have stored on your device. You should only grant these permissions to apps you trust
  • Your Communications – These permissions allow applications to see who you communicate with, and the contents of messages, as well as to make communications of its own. You should only grant these permissions to apps you trust to not steal or sell your private information
  • Your Surroundings – These permissions grant applications to record audio and video from your device camera and microphone. You should be cautious of applications which use these permissions, as they can listen to you without your knowledge, or take photographs/videos of you or your surroundings without your knowledge
  • Your Location – These permissions allow applications to access your geographical location with various degrees of precision. You should not grant this permission unless you trust that the app cannot share this information with other people. Accurate location data can identify where your house or workplace is, or indeed where in a particular street you are located, and should be treated with extreme caution.
  • The Internet – Applications using this permission have access to the internet. You should not grant this permission unless an application isn’t gathering other personal information from your device via permissions, as it could share the data it gathered with other people or services.

And there you have it—much more transparent categories that inform users of the true risks to their privacy by allowing such permissions. I would place a lot of money on app developers hating this. And if they did, I’d feel as if I did my job right. This would mean that users were taking back control of their devices and their data. Nobody in their right mind would install a torch application if it required access to “identify you or your device uniquely,” with some properly written warnings that make users aware of just what is possible with the data on offer.

I’d suggest you take a look at iamtubeman’s reddit thread, as it shows just how much he was able to do in his own testing thanks to this change, which he believes to be “very very stupid.” It also affects all Android users who install applications through Google Play. From having looked at it myself, I must concur, and pose the following question: What on Earth was Google thinking this was implemented? Perhaps now is time to say “Sayonara” to Google Apps, and take a look at alternatives that better preserve your privacy and give you control over your own data.

[Source: Google Play – Review App PermissionsReddit thread by iamtubeman]

Want something on the XDA Portal? Send us a tip!


Pulser_G2 is an editor on XDA-Developers, the largest community for Android users. Developer Admin at xda-developers, interested in everything in mobile and security. A developer and engineer, who would re-write everything in C or Assembler if the time was there. View Pulser_G2's posts and articles here.
Mario Tomás Serrafero · May 26, 2015 at 05:42 pm · 2 comments

Nexus & Cookies: A More Focused Direction?

It is that time of the year again, and we are approaching the day where Android fans all over the world gather to watch the livestream of Google’s I/O conference. Among the expected announcements lay wearables, Android Auto, hints at VR and  the Internet of Things and, of course, a new version of Android. An early glimpse of a supposed “Android M” was caught on the official website before being nuked out of existence, and thus the speculation began.  ...

Faiz Malkani · May 26, 2015 at 03:32 pm · 3 comments

LG G4 US Carrier Release Dates

The LG G4 was announced on April 29th with its Snapdragon 808 SoC, a welcomed change from its higher-end cousin, the overheating 810. Packing 3GB of RAM, 32GB of storage, a 3000mAh battery, and an impressive 16MP camera, the G4 is widely considered to be one of the best flagships of 2015. After almost a month of release speculation, the major US carriers have finally released some information regarding the device's availability, and here's what we know so far:  ...

Faiz Malkani · May 26, 2015 at 02:59 pm · 2 comments

Microsoft Reaches Pre-Install Agreement With New OEMs

As of late, Microsoft has been making a subtle but widespread play into the Android ecosystem, with small apps like Bing Torque being the foreshadowing of the larger ones to come, and as it stands, Skype and the three popular office apps - Powerpoint, Excel and Word - are thriving on the Play Store following their public release earlier this year, prior to which the Office suite remained in beta. Having its top apps on Android was just a stepping stone...

Share This