Android PSA: Read security permissions before installing an Android app
July 29, 2010 | by Andrew Kameka
Beginner's Guide to Android, Tips
Hey there, Android fans. You may wake up this morning to discover that there’s an allegedly rogue application in the Android Market that is stealing people’s data when installed. According to a security firm that happens to offer mobile security software, this app disguises itself as a wallpaper downloader, then grabs users’ personal information – SIM card number, SMS messages, and voicemail subscriber info – and sends that data to a server in China.
Now, aside from the opportunistic nature of a security firm being the one to report this, there’s an obvious lesson here that thousands of Android users have yet to grasp. That lesson is that they need to read the permissions requests whenever they install an Android app. Always.
Before an app can be installed, Android displays a page explaining to users what type of functions that app wants to perform. Familiarize yourself with that screen because it is your friend. It will tip you off when an app has questionable motives, and will allow you to use common sense about which apps to install and which apps to run away from. The screen typically looks like this:
A screenshot of MixZing, which is NOT the supposedly malicious app
Look at permissions requested by the supposedly malicious app, Wallpapers:
- Your Location
- Network communication (full internet access, view network state)
- Storage (modify/delete SD card contents)
- Phone calls (read phone state and identity)
- System tools (set wallpaper)
Does that look right to you? Of course not. It raises suspicion that an app designed to change my wallpaper needs to know where I’m located or who I make calls to. The only permissions it really needs are Storage and System Tools, which tips me off that I shouldn’t be installing this app.
UPDATE: The developer of the app claims that he collects device data because users requested it so they can more easily use the app if they have to wipe the phone and reinstall the app.
There are some Android apps that legitimately need to know that type of information. Locale changes settings based on GPS coordinates, so it makes sense that it wants to know my location; Phonebook replaces the default dialer and contacts app, so it has a right to request Phone call permission; MixZing downloads information from the web for playback, so it should request Network communication. However, some ringtones, wallpapers, games, etc., have no reason for requesting such information. Unless the app describes a particular feature that would require that permission, you have to question the developer’s motives.
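The same check can be done mechanically when you have an app's manifest in hand. The sketch below is an added example, not code from the original post or from any app it mentions: it reads the `<uses-permission>` entries from a decoded, plain-text `AndroidManifest.xml`, groups them under the install-screen headings listed above, and flags every group that the app's stated purpose does not explain. The manifest, the package name `com.example.wallpapers`, the `EXPECTED` baselines and the choice of `ACCESS_COARSE_LOCATION` for "Your Location" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Install-screen heading for each manifest permission (which location constant is an assumption).
GROUPS = {
    P + "ACCESS_COARSE_LOCATION": "Your location",
    P + "ACCESS_FINE_LOCATION": "Your location",
    P + "INTERNET": "Network communication",
    P + "ACCESS_NETWORK_STATE": "Network communication",
    P + "WRITE_EXTERNAL_STORAGE": "Storage",
    P + "READ_PHONE_STATE": "Phone calls",
    P + "SET_WALLPAPER": "System tools",
}

# Hypothetical baselines: the headings the article treats as justified per kind of app.
EXPECTED = {
    "wallpaper": {"Storage", "System tools"},
    "media_player": {"Network communication"},
}

# Constructed sample manifest mirroring the permission list shown for the Wallpapers app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpapers">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the permission names declared in a plain-text manifest."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]

def review(manifest_xml, app_kind):
    """Return {heading: [permissions]} for requests outside the baseline for app_kind."""
    allowed = EXPECTED[app_kind]
    flagged = {}
    for perm in declared_permissions(manifest_xml):
        group = GROUPS.get(perm, "Unrecognised")  # unknown permissions are always flagged
        if group not in allowed:
            flagged.setdefault(group, []).append(perm)
    return flagged

if __name__ == "__main__":
    for group, perms in review(SAMPLE_MANIFEST, "wallpaper").items():
        print(f"QUESTION: {group}: {', '.join(perms)}")
```

A flagged heading is a question to put to the developer or the app description, not proof of bad intent. The manifest inside an installed package is stored in a binary XML form and has to be decoded to text before this will parse it.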
Android is an open platform, so there’s no walled garden protecting users from questionable practices. The benefit of having a phone that provides more freedom with apps means that you also have to take on the responsibility of policing your device. Always read the permissions before installing and think about why certain apps make certain requests.
I think some app developers just tick off permissions, just because they can: the NY Times app, for example, needs the "can make phone call" permission. It's a legit app, but I don't see why they need it.
Policing your phone would be a lot easier if devs just stick to the permissions their apps need.
On the other hand, you shouldn't necessarily not install an app because you don't know what the permissions are for. You can always send an email to the dev.
I'm a developer. I use Flurry for analytics in most of my apps. It requires location permissions. If I want to use autocomplete for email address in the user's contact list, I need the app to have permission to access contacts. If I have an app with advertising, most ad providers require a slew of permissions because they try to use device and usage patterns to effectively target advertising. Many legitimate apps may have permission requests that don't seem to be integral to the core function of the app, but that doesn't mean the dev is trying to invade your privacy or steal your information.
So far I've emailed three developers asking why their apps require access to make phone calls, and not a single one has replied. Any way you slice it, that feels *really* creepy. The worst part is that more than half the apps I've seen require that kind of access to the phone, with no real indication of *why*.
I wonder whether this is a result of either an incredibly large number of scam apps, or perhaps there is a relatively innocent and legitimate function of the apps that simply can't be accessed by the developer without also accessing the APIs that give the program the power to make phone calls and read phone state.
That developers like you feel entitled to collect “analytics” and users lack fine-grain control over allowing and denying permissions is one of the major hurdles that Android needs to jump before becoming the reasonable computing platform that it portends to be.
Just because you need, as an example, address book access for auto-complete features, there’s nothing to restrict you to only using it for that functionality. A much better system would be to allow users to grant/deny specific requests while still using applications; ideally, denied permissions would be proxied with dummies – your bloated, advertising-ridden, information-gathering crapware would detect that my longitude and latitude are both zero because my GPS can’t get a signal, packets that you send out are mysteriously dropped, contact lists are empty, etc.
It’s my device, not yours. I require the power to control what’s going on, and right now way, way, way too much power is given to application developers, content providers, and equipment vendors. Someone needs to slap these guys in the face until their ethics improve, while simultaneously beating on Google until the system is sufficiently secure.
Thank you, Loyal customer.
I really hope you or someone is brewing up a security app just as you describe.
I know I am unwilling to grant many of these God-like powers to such corporate interests. If I want to tell them what I’m building, thinking, or who I’m running with, I’ll hold a press conference or send them an email. So much of our reality and world is being run with ease by Homeland Security (and their equivalents) with the help and assistance of such monsters as Google and Facebook. Even Foxfire’s permissions provide more than enough bandwidth for rape and pillage, and inquisition-like destruction of identities and access to those bodies too, searched and identified by allegiances connections or pursued concerns.
Anyone remember when the term ‘anonymous request’ was part of the great potential of the internet?
Apps that are ad-supported could be requesting location legitimately; ads can be location-based, and I believe they pay more when they are. MixZing, for example, has no need of location for its primary function. Sure, they now provide a couple of social components that may use it, but it has had that permission since inception, long before it had social components.
Why do some apps (like US Constitution App) need to read phone state and identity?
It would be very helpful if you could give more information like this: "There are some Android apps that legitimately need to know that type of information. Locale changes settings based on GPS coordinates, so it makes sense that it wants to know my location; Phonebook replaces the default dialer and contacts app…" or if there is somewhere you could suggest that I can look into the types of permissions further. I'm not sure contacting the developer, as suggested by a developer, every time would be helpful, especially if they are not on the level. I would be more comfortable having this information from your blog or a security firm like Lookout or even Google. I think it would be a good way for Android users to better determine if they want to download an app or not. I have looked at some apps recommended here and didn't quite understand why they were asking for some of the permissions that they were asking for. If it wants access to too much of my phone, I am very leery about downloading it.
I also meant to ask how do you look on your phone and see if you have wallpaper from Jackeey Wallpaper?
Go to the Android Market and press Menu > Downloads. Browse through the list and see if it comes up.
The location is for ads and the phone state is so that it moves to the background when a call comes in.
Right!
I see 2 solutions to this problem. 1. A premium security subscription where many popular apps would either have their coding checked, or be deeply analyzed – then corresponding warnings would appear when a user was about to download or already has downloaded it. 2. A Web Of Trust app (Firefox addon, check it out) or equivalent system for users to report problems with apps. Users could simply tap a button to give warning of an application; of course the ratings and comments already do this to a degree, so any Web of Trust-like app would need to focus on security.
I recently started using the app, aSpotCat
http://www.appbrain.com/app/com.a0soft.gphone.aSp…
It's an application that displays what permissions the applications you have installed require. Great for auditing or checking things. It's also a great tool to learn what all permissions are out there and what they do.
Almost every app says it needs to read your phone state and identity. Android needs to break that down more so to make it helpful to users.
The real problems here are:
1: The possible permissions are not fine-grained enough (in order for the app to do its thing, it must almost always set permissions beyond what it really needs).
2: It is not possible on a non-rooted phone to override the permissions an app specifies.
One can view the permissions on all previously installed applications on his Android phone without installing another app. Just go to Settings>Applications>Manage applications>Permissions.