All Your App Permissions Are Belong To Us….


Android Police provided a poll recently that asked a very basic question: "Do You Actually Read the App Permissions Before Accepting?"

I just knew that people were going to say “yes.” I said to myself, what a dumb question. Well, I was floored by the response. There is no explanation that my tiny brain can come up with that supports the poll's results.

As of 1AM 7/19/11 those results are:

  • Sometimes – depends on the app. (49%, 696 Votes)
  • No. I like to live life on the edge, baby! (24%, 344 Votes)
  • Yes. I’m pretty uptight about security all around. (16%, 222 Votes)
  • Yes. The Market is too much like the Wild West right now. (11%, 160 Votes)

You are kidding me, right? Nearly 75% of those who voted (and it’s likely higher – nobody likes to admit to doing something wrong) said NO or just sometimes. Insert shock face.

App Permissions are important, guys. You need to analyze (Edit, removed “scrutinize” to not sound too harsh) them when installing apps. It’s not hard, just ask yourself for each permission – why does this app need to be able to do this?

Hopefully you can quickly say to yourself, oh… it’s a free app, it must need the Internet for ads. Oh, this app sends a text message, that’s why it needs access to my contacts. If you can’t justify it, especially if it’s not a well-known app – email the developer and ask! They do not bite.

Please only buy / download your apps from legit Markets (Google, Amazon, etc) and NOT from the 3rd party sites (those that offer Paid apps for a monthly fee or that insert app permissions the developer didn’t originally request). Most of the malware has been found on those 3rd party sites. The official Market has certainly had what I consider “many” of their apps removed for being malicious too though. It’s not immune to these concerns.

Okay, but what if you do not know what the App Permissions really mean….

Yeah, I agree with you. That is Google’s fault in my eyes. They gave us just enough information, but not enough to really understand. So, below is a list of the permissions that I typically question the most:

Your personal information – read contact data

Remember to ask yourself, why would this app need this? Does it allow you to share a link / file / location with your friends via email or text? Yes? Well, that makes sense. If the app does not have this functionality…. well, I’d certainly wonder why it needed to read my contacts information.

Phone calls – read phone state and identity

I’m certain you have all seen this one. It is used way too often. Phone state would be for times when you are playing a game, and your phone rings. Okay, I am cool with that – but my phone identity? This could allow an app to see your IMEI and if it also asked for Internet Access, well, who knows what it could do. Developers can use this for many reasons, mostly legit reasons… but I want to feel comfortable with the app / developer before I grant access to it. I’ve read this app is required to support Android 1.5 (Cupcake) which is less than 3% of users – some developers just opt to not include support for 1.5 (hey Fragmentation). I’ve also read this was common because the Droid 2 (and several others) from Motorola all were released with the exact same unique (ha) identifier. Well, if an app has targeted ads (many do) then they are not able to support your phone unless they can find a unique identifier to your phone. I plan to write more on this at a later date (researching it more).

Network communication – full internet access

Does the app have ads? If so… obvious here. If not and there doesn’t seem to be a need, question it. I am very sensitive when this and my phone identity are combined with full Internet access. Again, I’m not saying it is wrong, and very rarely do I say to myself that I will refuse to get an app (or update one)… but I use caution. I read the privileges that I am granting.
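
As an added example (not from the original post): a short Python check that applies the three questions above to a decoded, plain-text AndroidManifest.xml. The sample manifest and its package name are constructed, and the implicit-grant rule for SDK level 3 and lower is taken from Android's platform documentation rather than from this post.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PHONE = "android.permission.READ_PHONE_STATE"
INTERNET = "android.permission.INTERNET"

# Market labels quoted from the post, keyed by manifest permission name.
QUESTIONED = {
    "android.permission.READ_CONTACTS": "Your personal information - read contact data",
    PHONE: "Phone calls - read phone state and identity",
    INTERNET: "Network communication - full internet access",
}

# Constructed sample: decoded manifest of a made-up app with no <uses-sdk>.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def review_manifest(xml_text):
    """Return (questions, warnings) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

    # Platform rule (Android docs): if minSdkVersion and targetSdkVersion are
    # both 3 or lower, READ_PHONE_STATE is granted without being declared.
    # minSdkVersion defaults to 1; targetSdkVersion defaults to minSdkVersion.
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    min_sdk = int(attrs.get(ANDROID_NS + "minSdkVersion", 1))
    target = int(attrs.get(ANDROID_NS + "targetSdkVersion", min_sdk))
    implicit = max(min_sdk, target) <= 3 and PHONE not in requested
    if implicit:
        requested.add(PHONE)

    questions = [f"{QUESTIONED[p]}: why does this app need it?"
                 for p in sorted(requested & QUESTIONED.keys())]
    warnings = []
    if implicit:
        warnings.append("phone state/identity granted implicitly (SDK level <= 3)")
    if {PHONE, INTERNET} <= requested:
        warnings.append("phone identity + full internet access requested together")
    return questions, warnings

if __name__ == "__main__":
    print(*sum(review_manifest(SAMPLE_MANIFEST), []), sep="\n")
```

Real APKs ship the manifest as binary XML, so it has to be decoded to text before a check like this can read it.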

Now, my suggestions for Google to improve…

Why in the world do the descriptions have to be so vague? Not only are they too vague, but to make matters worse they lump things together. It would be nice if they were broken up and better defined in their description.

For example, the permission Phone calls – read phone state and identity.

It would be awesome if Phone State and Phone Identity were two separate permissions! One is of NO concern to me (ie, playing a game and the phone rings), the other is HUGE (oh, Russia, here is my IMEI, have fun). Unfortunately for developers, this permission is often needed….

The problem there is that it means those who want to cause harm can get away with it more easily, because you are accustomed to it. You are used to seeing an app need your phone's identity, because some apps need to read your phone state (and not your identity).

Closing thoughts… Please (especially if I am in your Contacts, ha) check the App Permissions… please email developers if you question something… please tell Google that you want to see Permissions better defined and broken up. Oh, and please help spread the word about my blog. This is pointless if people don’t get exposed to it… I certainly appreciate feedback and linking to my articles! Thank you guys!

About s15274n

I will do what I can to help support the Android Community!

Posted on July 19, 2011, in Advocate, Malware.
