A Dangerous New Road for Android’s App Permissions

There’s a new, silent, uproar in the Android app community, and it’s involving the way that Google Play handles app permissions.

Android App Permissions

Apparently, a Reddit user by the name iamtubeman discovered a flaw in the way Google Play handles app permissions, especially new or changed permissions.

A little backstory

One of the biggest criticisms of Google Play/Android has always been the pathetic way the systems described what an app can or cannot do. Nobody really understood what the permission meant, so Google opted to “simplify” its permission descriptions. Google describes the process like this:

To help make it easier to understand what an app will have access to, the Play Store has recently made improvements to how permissions are displayed. Permissions are organized into permissions groups, easily identified by icons (example: LocationLocation) to help clarify the most important information and capabilities an app can access on your device. This information can help you make an informed decision more easily on whether you would like to install the app.

Google Play prioritizes the permissions that are most important for you to make an informed decision, displaying them front and center. Using the Play Store’s app review and scanning systems, we are able to evaluate some of the permission requests that were previously displayed in the primary permissions screen, flagging and removing apps with potentially harmful code. As a result, some of the permissions covered by those checks are no longer displayed in the install experience.

Fine. That actually makes a lot of sense and seems to really take care of the confusion.

You’re permitting me to do bad things: Android App Permissions

Unfortunately, according to iamtubeman, that’s not actually what happened. Check out iamtubeman’s description of a possible app exploit:

The application I created used the following permissions in the first version:

android.permission.GET_TOP_ACTIVITY_INFO
android.permission.GET_ACCOUNTS
android.permission.ACCESS_COARSE_LOCATION
android.permission.WRITE_CALL_LOG
android.permission.READ_EXTERNAL_STORAGE
android.permission.SUBSCRIBED_FEEDS_WRITE

Next I created a new version with these additional permissions, all out of the same groups as the ones above:

android.permission.READ_HISTORY_BOOKMARKS
android.permission.READ_PHONE_STATE
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
android.permission.READ_SMS
android.permission.RECEIVE_MMS
android.permission.RECEIVE_SMS
android.permission.SEND_SMS
android.permission.WRITE_SMS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.MOUNT_FORMAT_FILESYSTEMS
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.SUBSCRIBED_FEEDS_READ

As you can see, some of these are really nasty. For example the ability to format your filesystem or to make calls and send SMS without you noticing. Also, while at it, I added these two “silent” permissions (the second one is actually quite harmless)

android.permission.INTERNET
android.permission.WAKE_LOCK

I pushed the new version as an update, and guess what? The Play app swallowed all these dangerous permissions and updated my app without question.

Here’s a picture iamtubeman claims is from the new update:

Permission Tester

If the reddit is true, then Google has a huge problem. At least one naysayer says some of the permissions are meaningless and Android naturally restricts their use.

reddit

Even so, this does not make for an antacid-free stomach.

Solutions?

Personally, I haven’t seen this issue arise, though I honestly haven’t investigated too far.

There are a few solutions to this problem, perhaps the easiest being to restrict automatic updates. You can shut down auto updates system wide or on an individual app level. If you’re going to shut off auto updates, then do it system wide, that’s just my opinion.

System-wide

Open Google Play Store.

Tap Menu > Settings.

Google Play Settings

Tap Auto-update apps.

Auto Update Google Play Apps

Tap Do not auto-update apps.

Google Play Do Not Auto Update

Individual app

Open Google Play Store

Tap My Apps.

Google Play Store My Apps

Select an individual app.

Tap Menu > tap to uncheck Auto update

Auto Update Apps

 

The best we have, for now

This is ultimately the best solution to this horrific issue. We also need massive publicity to get Google moving on this problem.

H/T: Technologist blog

Update: I sent this post to my Google+ feed, and San Diego attorney, Paul McGuire has this awesome comment:

Right, not updating your apps at all is the solution…

If you don’t want apps to be able to report on your location then don’t leave GPS on. No sane mainstream developer would enable something ridiculous like sending out unwanted text messages from individual’s phones. 

You would probably get hit with more security vulnerabilities by not updating your apps than you would by some strange permissions setting that makes you put on your tinfoil hat. 

I’m leaning to Paul’s corner on this one. I should note that I’m not advocating that you don’t update your apps. You can still update and review the permissions for each app manually — think “You have 1 new update”.

Choosing well-known apps by well-known developers is one-half of the key to making sure you’re not getting “murdered.” Any decent developer fears the backlash of bad press for bad permissions more than the information he/she receives. In most cases, the only thing developers are really concerned about is the income available from their applications.

Let's discuss this (you can use Markdown in your comment)

Jeff Taylor

I’m just an ordinary guy living an extraordinary life. I’m also an attorney and I blog about Android for lawyers. You can follow me on Twitter, LinkedIn, YouTube, or Google+.