• 5,743,122
    REGISTERED
  • 43,511
    ONLINE NOW

Posts Tagged: permissions

Android-4-3-Permissions

Say it with me: It’s about time! While not officially released yet (and although similar functionality has been possible via root in the past) granular permissions management is unofficially on its way to stock Android. In fact, if you’re willing to take a few seconds to create a custom shortcut, an incredibly easy task on most aftermarket launchers, you can access it now from any Android 4.3 device. There’s even a simple option for those more content with the stock Android 4.3 launcher as well.

Thanks to some sleuth work done by Ron Amadeo over at Android Police, App Ops was discovered in the current build of Android 4.3 (JWR66v). Getting it to work is as simple as creating a custom shortcut that points to the activity: Settings -> App Ops. While this technically offers nothing that wasn’t already possible via root, it’s great that Google is on its way to allowing unrooted users control their privacy so granularly.

As described in the source article linked below, however, the feature is far from perfect. Currently, the permissions that can be toggled only populate after each is used. This is both less intuitive and less functional than simply accessing the list of declared permissions from the app’s AndroidManifest.xml file. Furthermore, there is no user-visible alert when a permission is denied, which would ease troubleshooting if denying a particular permission leads to application issues down the line. That said, it is nice that App Ops allows you to see the last time each permission was used.

While making a shortcut to a specific activity from custom launcher is no big deal, doing so on the stock Android 4.3 launcher is not possible. However, Senior Member mrx8836350 created an installable APK that creates the requisite shortcut for you without the need for a custom launcher. More information on this feature can be found in XDA Recognized Contributor Disturbed™‘s Android 4.3 general information thread. To get the shortcut on the stock launcher, visit mrx8836350′s application thread.

Source: Android Police

[Thanks to XDA Senior Member nikwen for the tip!]

privacy

Android, as an operating system, is fairly unique in that it makes users aware of the permissions available to apps in a fairly transparent way. Compared to Blackberry or iOS, which issue granular prompts such as “Can Angry Birds access your location?” or “Can Instagram access your camera to take photos?” There is a somewhat subtle difference here: The rivals give the user a choice about these requests.

Jump over to Android where, after installing an app, it has free reign to use every permission you agreed to. While this doesn’t sound an issue, let’s take a look at the Play Store. Let’s look at a nice, popular app (for better or for worse): Facebook.

The Facebook app has permissions to:

  • Create accounts and set passwords for those accounts, and add or remove accounts - this allows Facebook to store its account login using the AccountManager, and is good to see
  • access your accurate (GPS) location and network location - this is to allow for geo-tagging of posts and status updates, which some people might want, but others may be very against. More on this later.
  • full network access - Google lacks a way to give an app selective internet access, so this is needed, much as it might be nice to limit the remote servers an app can communicate with
  • directly call phone numbers - I confess to not researching this one – I am fairly sure Facebook lets you tap a phone icon to call someone. Would it really be so bad to just let you confirm you want to call, and avoid this permission? How long until we see profiles listing premium rate numbers as their phone number?
  • read your phone status and identity - This one is a privacy stealer – while allowing an app to tell if a call is active or not, it also is fairly invasive, allowing an app to obtain your phone number, IMEI, IMSI, device ID (etc), and if you are on a call, the phone number you are connected to!
  • read to and write from USB storage devices - Perhaps this is for caching of files, but maybe a tad excessive?
  • install shortcuts on your homescreen without user interaction - Not sure when this is used, but the permission is there, so it might like to self-promote Facebook services?
  • read your detailed battery statistics - As described in the descriptions, this gives low-level battery use data, and can allow the app to find out what other applications you use.
  • see what other apps are running - Likely for the Facebook Home feature, again allows Facebook to see what apps are running
  • take photos and videos at any time without prompting - Rather concerning, allows the Facebook app to take photos or videos whenever it wants, without prompting or alerting you
  • draw over other applications – Likely for the Chat Heads feature of messenger, although why that’s not a permission in the messenger app is a good question

Getting tired and out of breath yet? It’s not over yet though! Facebook can also:

  • write to your call log - Why? Just why? This allows for call log erasing and writing
  • read from your call log – and thus see all the calls you have made, and when, and for how long, and who they were to
  • read your contacts - while useful if you sync Facebook contacts, many people  don’t want Facebook to have full reign over their contacts
  • write to your contacts - pretty much as above

What is perhaps most disconcerting is that while Google acknowledges openly the risks in each permission (I suggest you take a read at the detailed description of some of the permissions on a Play Store listing), the company takes no steps to help you with this. Thus, the entire Android ecosystem is built around you trusting the developer to play fair, and not do anything dodgy.

Unfortunately. This. Doesn’t. Happen. It really seems clear that many app developers just DO NOT UNDERSTAND SECURITY. Full stop.

And while I might be unique in my recommendation (which I firmly believe is warranted in this day and age given recent information revealing the extent of mass surveillance that is ongoing) to trust nobody, not even yourself. For this reason, I suggest the Android permissions system is totally flawed, in relying on developers to not abuse permissions, and not request excessive permissions. How many torch apps on Android have more than the required camera permission (to enable the camera)? I’d suggest most do, feel free to take a look!

You’d think the Android community would rally against such behaviou, but it’s reached a point where it is acceptable for developers to declare a need for excessively gratuitous permissions in order to use their apps. What happened to user choice? I then was pointed towards this post on G+ by Steve Kondik (XDA Recognized Developer cyanogen), which I read with much dismay. While I do not use G+ (closed platform, requiring far too much data to be disclosed to Google), I would suggest that with respect, the need for user privacy and security MUST come first, as it’s clear app developers cannot “do” security.

Perhaps if Google introduced zero tolerance for moronic errors in security (plaintext passwords, gathering contacts data, obtaining device IDs that are not hashed suitably with a cryptographic hash etc), it might offer an incentive to consider security? Given many users (wrongly) reuse passwords between services, the sending of plaintext passwords should be sufficient, in this author’s opinion, to justify immediate removal of all of a developer’s apps from the Play Store, forever.

Some people just don’t know how to do security. And for them, I sigh. Users deserve security, and privacy, and unless you go ahead and look at the OpenPDroid project on XDA (which I strongly suggest you check out), you are pretty much being abandoned by even the leader of CyanogenMod. While I appreciate his concerns for app developers, it is simply inexcusable to not look into fixing the glaring hole that is contacts access. This is 2013, the era of social engineering, and I cannot choose selectively which apps see which contacts in my address book? REALLY?

Something needs to happen here, before people wake up and smell the coffee, and realize this isn’t sustainable. It’s time users became more aware about what apps are doing, and the extent of data mining that is ongoing. It’s your data, and it should be entirely your choice who gets it.

You shouldn’t have to avoid an app because you don’t like the look of its permissions; you should be able to (whether as stock Google feature, or custom ROM feature) be able to selectively decline to allow an app to access your data. And this should be done gracefully, either providing empty data (for contacts, or similar), or null data (i.e. requesting phone number or IMEI should return the same response as a tablet lacking these identifiers).

Is it right to deny your users the choice, to make life “easier” for app developers? (arguably to allow them to capture user data more easily) I argue it’s not, and it’s time the Android community unites to put an end to apps having free reign over YOUR data. If this concerns you, why not check out the aforementioned OpenPDroid (and similar) projects on XDA, and see if you can help out, or test, or contribute to the cause?

Advertisement

XDA TV: Most Recent Video

Buy/Sell on Swappa

  • Nexus 5 (Unlocked) buy | sell
  • Galaxy Note 3 (T-Mobile) buy | sell
  • HTC One M7 (Verizon) buy | sell
  • Galaxy S 5 (Unlocked) buy | sell
  • Nexus 7 2013 buy | sell
  • Swappa is the official marketplace of XDA