I don't know if this question has already been posted in the past; there is a year-old discussion about sending SMS without permissions using the same evil mechanism.

The READ_PHONE_STATE permission is largely used, for example, when a developer has to prevent actions while a phone call is in progress, like sounds or speech, or simply to get a device ID. My concerns about this permission increased when I recently discovered that it allows anyone (and not only Google) to get the IMEI (as phone ID) and even the IMSI (with all 15 digits on some phones like mine). This information is also considered highly sensitive by the service providers, who limit its transmission and distribution to avoid cloning and spoofing. Nevertheless, most of the apps in the Play Store use this permission together with the full network access permission.

I think that READ_PHONE_STATE should be divided into three different permissions:

1 – something to read information about the current state of the phone (calling, ringing, etc.)
2 – a "READ_PHONE_UID" to read a unique phone ID that should be a hash code of the IMEI rather than the IMEI itself, for app licensing.
3 – something to read all the information about the SIM card and the phone itself.

In this way the user would have a better choice to install or avoid potentially harmful apps. Am I wrong?