Play Store Permissions Change Opens Door to Rogue Apps
XDA is normally about the latest and greatest. Whether we’re talking about the latest firmware revision or device, most people in the Android tech community favor being on the bleeding edge. Sometimes, however, the latest isn’t necessarily the greatest or the best way forward. As we recently covered here on the XDA Portal, Google released a new version of the Play Store, which among other things, allows the use of PayPal to purchase apps and simplifies the permissions interface shown to users.
Under this happy facade, however, is a somewhat more sinister change. The permissions system in Android, which has protected users since Android hit consumer devices in 2008, was significantly (and fairly quietly) watered down by Google in this Play Store update. Previously, when an application update requested additional permissions, users would be notified and have to accept the change before updating. This continued when automatic updates were introduced, as applications with permission changes would require a manual update and approval of the new permissions.
This system worked fairly well. If an app changed its permission needs, you’d be notified, and could choose whether to accept the update. With the most recent Play Store update, however, users are not told about certain permission changes if they don’t result in the addition of permissions to a new group. Given the sheer breadth of permissions a group now covers, this effectively leaves Android with only 13 permissions. An application can quietly update itself in future, to grant itself access to further permissions within a group, with the user left none the wiser.
Once an app is granted an individual permission within a group, that application has the ability to add any other permissions from the group in a future update, without users being notified of the change. To quote Google:
You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted.
For example, contacts and calendar permissions are now grouped into one. An app with the ability to read your contacts could, without you receiving clear and prominent notices, add calendar permissions to the group. This would allow the application full access to snoop through your calendar, and even send Emails to calendar appointment guests, without your consent.
Likewise, the “Phone” permissions group allows access to directly call phone numbers, which is useful in a variety of different contexts. However, it also contains permissions to read and write call logs, reroute your outgoing calls to different destinations, and make calls without your intervention.
Google also made the decision that users shouldn’t necessarily be aware if applications have access to the Internet, so this permission is now hidden under “other,” meaning that by default, users won’t see it. Their rationale is that most apps use Internet access, and therefore users don’t need to know. Funnily enough, one of the best ways to actually protect your privacy is to prevent apps from communicating with the Internet. After all, if an app cannot send home the data it gathers about you, you are quite well protected. Obviously there’s more than one way to skin a cat, but if users want to be safe, they need to have information about whether or not an application uses the Internet. Thus, Internet access to apps should not be a given, in this day and age of privacy concerns. This shows that Google is out of touch with user privacy, once again.
So what can we do about this? For now, the best thing to do is ensure you disable automatic updates for apps, and carefully and diligently review the permissions requested by expanding all of the categories. You could also consider using an app that lists the individual permissions used by each application.
Redditor iamtubeman posted a thread where he talks about this further, and demonstrates just how an application with a tiny number of permissions could be used as a gateway into your device with an updated version with much more intrusive permissions. For example, he created an application using:
android.permission.GET_TOP_ACTIVITY_INFO android.permission.GET_ACCOUNTS android.permission.ACCESS_COARSE_LOCATION android.permission.WRITE_CALL_LOG android.permission.READ_EXTERNAL_STORAGE android.permission.SUBSCRIBED_FEEDS_WRITE
This was able to be updated to allow the following additional permissions, none of which the user would be explicitly warned about.
android.permission.READ_HISTORY_BOOKMARKS android.permission.READ_PHONE_STATE android.permission.ACCESS_FINE_LOCATION android.permission.ACCESS_LOCATION_EXTRA_COMMANDS android.permission.READ_SMS android.permission.RECEIVE_MMS android.permission.RECEIVE_SMS android.permission.SEND_SMS android.permission.WRITE_SMS android.permission.WRITE_EXTERNAL_STORAGE android.permission.MOUNT_FORMAT_FILESYSTEMS android.permission.MOUNT_UNMOUNT_FILESYSTEMS android.permission.SUBSCRIBED_FEEDS_READ
And there you have it. Your app with fairly standard permissions could now (after a small update that says nothing about the permissions) monitor and store your browsing habits, indexed by your IMEI number. Meanwhile, you would be getting tracked by GPS in real time, with your location data being constantly uploaded. The SMS messages you send and receive would also be getting scanned and monitored, and their contents indexed, along with all your documents and files on your SD card, including your photos (to try and find photos of yourself). Then once those compromising holiday snaps have been located and your intimate browsing history has been extracted, your device could be wiped. You could then be contacted by SMS, demanding money, otherwise your browsing history would be sent to your boss, along with your compromising holiday snaps.
This is not some sci-fi film plot, or storyline from Watch Dogs; this is something that could be done today, on your phone, without you even knowing about it. I believe there is a need for Google to take action quickly to not only reverse this change, but head in the other direction and make users much more aware of what is happening on their phones.
How can we fix this?
It’s easy for writers to criticize and complain, but few offer their own solutions. So here goes, with how I would solve this problem. First, Google is going in the wrong direction with regards to privacy. Apple, the epitome of simplicity and having decisions made for you, introduced a number of good privacy features in iOS 8. Being a closed source operating system, however, these changes are of no use to the tweaking community. However, it does show that the market is heading towards enhanced privacy. To that end, iOS 8 will use random MAC addresses when scanning for WiFi networks, in order to help prevent tracking of individuals around shopping malls and other public locations that try to identify users based on their phone WiFi signals.
Having ascertained that the market needs to move towards greater user control (with iOS 8 again adding a specific warning when a keyboard application tries to access the Internet in order to prevent keyloggers), I think it’s time to define some better categories, with clearer warnings of the risks they pose to when their constituent permissions granted. In an ideal world, you would be able to grant these permissions in real time, and be able to deny access to permissions:
- Your Identity – These permissions allow apps to identify you or your device uniquely, and could be used to track you. You should avoid giving these permissions to apps you do not trust entirely, as they can identify you uniquely, either by name and email address, or by your device’s serial numbers.
- Your Data – These permissions allow applications to access data you hold on the phone. This may include your photographs, videos or documents you have stored on your device. You should only grant these permissions to apps you trust
- Your Communications – These permissions allow applications to see who you communicate with, and the contents of messages, as well as to make communications of its own. You should only grant these permissions to apps you trust to not steal or sell your private information
- Your Surroundings – These permissions grant applications to record audio and video from your device camera and microphone. You should be cautious of applications which use these permissions, as they can listen to you without your knowledge, or take photographs/videos of you or your surroundings without your knowledge
- Your Location – These permissions allow applications to access your geographical location with various degrees of precision. You should not grant this permission unless you trust that the app cannot share this information with other people. Accurate location data can identify where your house or workplace is, or indeed where in a particular street you are located, and should be treated with extreme caution.
- The Internet – Applications using this permission have access to the internet. You should not grant this permission unless an application isn’t gathering other personal information from your device via permissions, as it could share the data it gathered with other people or services.
And there you have it—much more transparent categories that inform users of the true risks to their privacy by allowing such permissions. I would place a lot of money on app developers hating this. And if they did, I’d feel as if I did my job right. This would mean that users were taking back control of their devices and their data. Nobody in their right mind would install a torch application if it required access to “identify you or your device uniquely,” with some properly written warnings that make users aware of just what is possible with the data on offer.
I’d suggest you take a look at iamtubeman’s reddit thread, as it shows just how much he was able to do in his own testing thanks to this change, which he believes to be “very very stupid.” It also affects all Android users who install applications through Google Play. From having looked at it myself, I must concur, and pose the following question: What on Earth was Google thinking this was implemented? Perhaps now is time to say “Sayonara” to Google Apps, and take a look at alternatives that better preserve your privacy and give you control over your own data.