Pulser_G2 · Jun 10, 2014 at 05:30 am

Play Store Permissions Change Opens Door to Rogue Apps

XDA is normally about the latest and greatest. Whether we’re talking about the latest firmware revision or device, most people in the Android tech community favor being on the bleeding edge. Sometimes, however, the latest isn’t necessarily the greatest or the best way forward. As we recently covered here on the XDA Portal, Google released a new version of the Play Store, which among other things, allows the use of PayPal to purchase apps and simplifies the permissions interface shown to users.

Under this happy facade, however, is a somewhat more sinister change. The permissions system in Android, which has protected users since Android hit consumer devices in 2008, was significantly (and fairly quietly) watered down by Google in this Play Store update. Previously, when an application update requested additional permissions, users would be notified and have to accept the change before updating. This continued when automatic updates were introduced, as applications with permission changes would require a manual update and approval of the new permissions.

This system worked fairly well. If an app changed its permission needs, you’d be notified, and could choose whether to accept the update. With the most recent Play Store update, however, users are not told about certain permission changes if they don’t result in the addition of permissions to a new group. Given the sheer breadth of permissions a group now covers, this effectively leaves Android with only 13 permissions. An application can quietly update itself in future, to grant itself access to further permissions within a group, with the user left none the wiser.

Once an app is granted an individual permission within a group, that application has the ability to add any other permissions from the group in a future update, without users being notified of the change. To quote Google:

You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted.

For example, contacts and calendar permissions are now grouped into one. An app with the ability to read your contacts could, without you receiving clear and prominent notices, add calendar permissions to the group. This would allow the application full access to snoop through your calendar, and even send emails to calendar appointment guests, without your consent.

Likewise, the “Phone” permissions group allows access to directly call phone numbers, which is useful in a variety of different contexts. However, it also contains permissions to read and write call logs, reroute your outgoing calls to different destinations, and make calls without your intervention.

Google also made the decision that users shouldn’t necessarily be aware if applications have access to the Internet, so this permission is now hidden under “other,” meaning that by default, users won’t see it. Their rationale is that most apps use Internet access, and therefore users don’t need to know. Funnily enough, one of the best ways to actually protect your privacy is to prevent apps from communicating with the Internet. After all, if an app cannot send home the data it gathers about you, you are quite well protected. Obviously there’s more than one way to skin a cat, but if users want to be safe, they need to have information about whether or not an application uses the Internet. Thus, Internet access to apps should not be a given, in this day and age of privacy concerns. This shows that Google is out of touch with user privacy, once again.

So what can we do about this? For now, the best thing to do is ensure you disable automatic updates for apps, and carefully and diligently review the permissions requested by expanding all of the categories. You could also consider using an app that lists the individual permissions used by each application.
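The check described above can be scripted. The following is an added example, not code from the article or from Google: it compares the permissions in two versions of a decoded (plain-text) AndroidManifest.xml and separates additions that fall inside an already accepted group from those that open a new group. The group table is a partial, assumed mapping, and the manifests and the package name `com.example.torch` are constructed sample data.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Partial permission -> Play Store group table (assumption for illustration,
# limited to groups the article discusses; not Google's complete list).
GROUPS = {
    P + "READ_CONTACTS": "Contacts/Calendar",
    P + "READ_CALENDAR": "Contacts/Calendar",
    P + "CALL_PHONE": "Phone",
    P + "WRITE_CALL_LOG": "Phone",
    P + "PROCESS_OUTGOING_CALLS": "Phone",
    P + "ACCESS_FINE_LOCATION": "Location",
}

def permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def classify_update(old_xml, new_xml):
    """Split permissions added by an update into 'silent' and 'prompted'."""
    old, new = permissions(old_xml), permissions(new_xml)
    accepted_groups = {GROUPS[p] for p in old if p in GROUPS}
    result = {"silent": [], "prompted": []}
    for perm in sorted(new - old):
        # A new permission in an already accepted group needs no approval;
        # unmapped permissions are treated as prompted so they get reviewed.
        silent = GROUPS.get(perm) in accepted_groups
        result["silent" if silent else "prompted"].append(perm)
    return result

def sample_manifest(names):
    """Build a minimal manifest; constructed sample data, not a real app."""
    rows = "".join('<uses-permission android:name="%s%s"/>' % (P, n) for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="com.example.torch">%s</manifest>' % rows)

OLD = sample_manifest(["READ_CONTACTS", "CALL_PHONE"])
NEW = sample_manifest(["READ_CONTACTS", "CALL_PHONE", "READ_CALENDAR",
                       "WRITE_CALL_LOG", "PROCESS_OUTGOING_CALLS",
                       "ACCESS_FINE_LOCATION"])

if __name__ == "__main__":
    for kind, perms in classify_update(OLD, NEW).items():
        print(kind, perms)
```

Anything listed under `silent` is what deserves a manual look before accepting the update, since the store would not have prompted for it.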

Redditor iamtubeman posted a thread where he talks about this further, and demonstrates just how an application with a tiny number of permissions could be used as a gateway into your device with an updated version with much more intrusive permissions. For example, he created an application using:


This was able to be updated to allow the following additional permissions, none of which the user would be explicitly warned about.


And there you have it. Your app with fairly standard permissions could now (after a small update that says nothing about the permissions) monitor and store your browsing habits, indexed by your IMEI number. Meanwhile, you would be getting tracked by GPS in real time, with your location data being constantly uploaded. The SMS messages you send and receive would also be getting scanned and monitored, and their contents indexed, along with all your documents and files on your SD card, including your photos (to try and find photos of yourself). Then once those compromising holiday snaps have been located and your intimate browsing history has been extracted, your device could be wiped. You could then be contacted by SMS, demanding money, otherwise your browsing history would be sent to your boss, along with your compromising holiday snaps.

This is not some sci-fi film plot, or storyline from Watch Dogs; this is something that could be done today, on your phone, without you even knowing about it. I believe there is a need for Google to take action quickly to not only reverse this change, but head in the other direction and make users much more aware of what is happening on their phones.

How can we fix this?

It’s easy for writers to criticize and complain, but few offer their own solutions. So here goes, with how I would solve this problem. First, Google is going in the wrong direction with regards to privacy. Apple, the epitome of simplicity and having decisions made for you, introduced a number of good privacy features in iOS 8. Being a closed source operating system, however, these changes are of no use to the tweaking community. However, it does show that the market is heading towards enhanced privacy. To that end, iOS 8 will use random MAC addresses when scanning for WiFi networks, in order to help prevent tracking of individuals around shopping malls and other public locations that try to identify users based on their phone WiFi signals.

Having ascertained that the market needs to move towards greater user control (with iOS 8 again adding a specific warning when a keyboard application tries to access the Internet in order to prevent keyloggers), I think it’s time to define some better categories, with clearer warnings of the risks they pose when their constituent permissions are granted. In an ideal world, you would be able to grant these permissions in real time, and be able to deny access to permissions:

  • Your Identity - These permissions allow apps to identify you or your device uniquely, and could be used to track you. You should avoid giving these permissions to apps you do not trust entirely, as they can identify you uniquely, either by name and email address, or by your device’s serial numbers.
  • Your Data - These permissions allow applications to access data you hold on the phone. This may include your photographs, videos or documents you have stored on your device. You should only grant these permissions to apps you trust.
  • Your Communications - These permissions allow applications to see who you communicate with, and the contents of messages, as well as to make communications of their own. You should only grant these permissions to apps you trust to not steal or sell your private information.
  • Your Surroundings - These permissions allow applications to record audio and video from your device camera and microphone. You should be cautious of applications which use these permissions, as they can listen to you without your knowledge, or take photographs/videos of you or your surroundings without your knowledge.
  • Your Location - These permissions allow applications to access your geographical location with various degrees of precision. You should not grant this permission unless you trust that the app cannot share this information with other people. Accurate location data can identify where your house or workplace is, or indeed where in a particular street you are located, and should be treated with extreme caution.
  • The Internet - Applications using this permission have access to the Internet. You should not grant this permission unless an application isn’t gathering other personal information from your device via permissions, as it could share the data it gathered with other people or services.

And there you have it—much more transparent categories that inform users of the true risks to their privacy by allowing such permissions. I would place a lot of money on app developers hating this. And if they did, I’d feel as if I did my job right. This would mean that users were taking back control of their devices and their data. Nobody in their right mind would install a torch application if it required access to “identify you or your device uniquely,” with some properly written warnings that make users aware of just what is possible with the data on offer.

I’d suggest you take a look at iamtubeman’s reddit thread, as it shows just how much he was able to do in his own testing thanks to this change, which he believes to be “very very stupid.” It also affects all Android users who install applications through Google Play. From having looked at it myself, I must concur, and pose the following question: What on Earth was Google thinking when this was implemented? Perhaps now is time to say “Sayonara” to Google Apps, and take a look at alternatives that better preserve your privacy and give you control over your own data.

[Source: Google Play – Review App Permissions | Reddit thread by iamtubeman]


Pulser_G2 is an editor on XDA-Developers, the largest community for Android users. Developer Admin at xda-developers, interested in everything in mobile and security. A developer and engineer, who would re-write everything in C or Assembler if the time was there.