There’s a new, silent, uproar in the Android app community, and it’s involving the way that Google Play handles app permissions.
Apparently, a Reddit user by the name iamtubeman discovered a flaw in the way Google Play handles app permissions, especially new or changed permissions.
A little backstory
One of the biggest criticisms of Google Play/Android has always been the pathetic way the systems described what an app can or cannot do. Nobody really understood what the permission meant, so Google opted to “simplify” its permission descriptions. Google describes the process like this:
To help make it easier to understand what an app will have access to, the Play Store has recently made improvements to how permissions are displayed. Permissions are organized into permissions groups, easily identified by icons (example: Location) to help clarify the most important information and capabilities an app can access on your device. This information can help you make an informed decision more easily on whether you would like to install the app.
Google Play prioritizes the permissions that are most important for you to make an informed decision, displaying them front and center. Using the Play Store’s app review and scanning systems, we are able to evaluate some of the permission requests that were previously displayed in the primary permissions screen, flagging and removing apps with potentially harmful code. As a result, some of the permissions covered by those checks are no longer displayed in the install experience.
Fine. That actually makes a lot of sense and seems to really take care of the confusion.
You’re permitting me to do bad things: Android App Permissions
Unfortunately, according to iamtubeman, that’s not actually what happened. Check out iamtubeman’s description of a possible app exploit:
The application I created used the following permissions in the first version:
Next I created a new version with these additional permissions, all out of the same groups as the ones above:
As you can see, some of these are really nasty. For example the ability to format your filesystem or to make calls and send SMS without you noticing. Also, while at it, I added these two “silent” permissions (the second one is actually quite harmless)
I pushed the new version as an update, and guess what? The Play app swallowed all these dangerous permissions and updated my app without question.
Here’s a picture iamtubeman claims is from the new update:
If the reddit is true, then Google has a huge problem. At least one naysayer says some of the permissions are meaningless and Android naturally restricts their use.
Even so, this does not make for an antacid-free stomach.
Personally, I haven’t seen this issue arise, though I honestly haven’t investigated too far.
There are a few solutions to this problem, perhaps the easiest being to restrict automatic updates. You can shut down auto updates system wide or on an individual app level. If you’re going to shut off auto updates, then do it system wide, that’s just my opinion.
Open Google Play Store.
Tap Menu > Settings.
Tap Auto-update apps.
Tap Do not auto-update apps.
Open Google Play Store
Tap My Apps.
Select an individual app.
Tap Menu > tap to uncheck Auto update
The best we have, for now
This is ultimately the best solution to this horrific issue. We also need massive publicity to get Google moving on this problem.
H/T: Technologist blog
Right, not updating your apps at all is the solution…
If you don’t want apps to be able to report on your location then don’t leave GPS on. No sane mainstream developer would enable something ridiculous like sending out unwanted text messages from individual’s phones.
You would probably get hit with more security vulnerabilities by not updating your apps than you would by some strange permissions setting that makes you put on your tinfoil hat.
I’m leaning to Paul’s corner on this one. I should note that I’m not advocating that you don’t update your apps. You can still update and review the permissions for each app manually — think “You have 1 new update”.
Choosing well-known apps by well-known developers is one-half of the key to making sure you’re not getting “murdered.” Any decent developer fears the backlash of bad press for bad permissions more than the information he/she receives. In most cases, the only thing developers are really concerned about is the income available from their applications.