On Fri, May 8, 2015 at 10:02 AM, Dhiraj Agarwal <[email protected]> wrote:
> As we know, every app on the Play Store has some permissions, which are
> listed at the time the application is downloaded and can later be viewed
> through the app settings.
>
> Nowadays about 30% to 50% of users know about the use of some or all
> permissions, but they still don't know how much security risk (HIGH, MEDIUM,
> LOW) those permissions carry.
>
> So I want to know: is there any official white list launched by Google which
> specifies the risk score or risk level according to permissions?
>
And related: 
http://www.xda-developers.com/play-store-permissions-change-opens-door-to-rogue-apps/

XDA is normally about the latest and greatest. Whether we’re talking
about the latest firmware revision or device, most people in the
Android tech community favor being on the bleeding edge. Sometimes,
however, the latest isn’t necessarily the greatest or the best way
forward. As we recently covered here on the XDA Portal, Google
released a new version of the Play Store, which among other things,
allows the use of PayPal to purchase apps and simplifies the
permissions interface shown to users.

Under this happy facade, however, is a somewhat more sinister change.
The permissions system in Android, which has protected users since
Android hit consumer devices in 2008, was significantly (and fairly
quietly) watered down by Google in this Play Store update. Previously,
when an application update requested additional permissions, users
would be notified and have to accept the change before updating. This
continued when automatic updates were introduced, as applications with
permission changes would require a manual update and approval of the
new permissions.

This system worked fairly well. If an app changed its permission
needs, you’d be notified, and could choose whether to accept the
update. With the most recent Play Store update, however, users are not
told about certain permission changes if they don’t result in the
addition of permissions to a new group. Given the sheer breadth of
permissions a group now covers, this effectively leaves Android with
only 13 permissions. An application can quietly update itself in
future, to grant itself access to further permissions within a group,
with the user left none the wiser.

Once an app is granted an individual permission within a group, that
application has the ability to add any other permissions from the
group in a future update, without users being notified of the change.
To quote Google:

You won’t need to manually approve individual permissions updates that
belong to a permissions group you’ve already accepted.

For example, contacts and calendar permissions are now grouped into
one. An app with the ability to read your contacts could, without you
receiving clear and prominent notices, add calendar permissions to the
group. This would allow the application full access to snoop through
your calendar, and even send Emails to calendar appointment guests,
without your consent.

Likewise, the “Phone” permissions group allows access to directly call
phone numbers, which is useful in a variety of different contexts.
However, it also contains permissions to read and write call logs,
reroute your outgoing calls to different destinations, and make calls
without your intervention.

Google also made the decision that users shouldn’t necessarily be
aware if applications have access to the Internet, so this permission
is now hidden under “other,” meaning that by default, users won’t see
it. Their rationale is that most apps use Internet access, and
therefore users don’t need to know. Funnily enough, one of the best
ways to actually protect your privacy is to prevent apps from
communicating with the Internet. After all, if an app cannot send home
the data it gathers about you, you are quite well protected. Obviously
there’s more than one way to skin a cat, but if users want to be safe,
they need to have information about whether or not an application uses
the Internet. Thus, Internet access to apps should not be a given, in
this day and age of privacy concerns. This shows that Google is out of
touch with user privacy, once again.

So what can we do about this? For now, the best thing to do is ensure
you disable automatic updates for apps, and carefully and diligently
review the permissions requested by expanding all of the categories.
You could also consider using an app that lists the individual
permissions used by each application.
...

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
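The group-level approval described in the quoted article can be checked from the defender's side by diffing the permissions of two versions of an app. The following is an added example, not part of the original message or of any Google or XDA code. It assumes both manifests have already been decoded to text XML, and its group map is a partial, hypothetical table built only from the groups the article names; the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: partial map covering only the groups the article mentions.
GROUPS = {
    "android.permission.READ_CONTACTS": "Contacts/Calendar",
    "android.permission.READ_CALENDAR": "Contacts/Calendar",
    "android.permission.WRITE_CALENDAR": "Contacts/Calendar",
    "android.permission.CALL_PHONE": "Phone",
    "android.permission.READ_CALL_LOG": "Phone",
    "android.permission.WRITE_CALL_LOG": "Phone",
    "android.permission.PROCESS_OUTGOING_CALLS": "Phone",
}
# The article says Internet access sits under "Other" and is not shown by default.
HIDDEN = {"android.permission.INTERNET"}

def permissions(manifest_xml):
    """Return the set of permission names requested by a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def diff_update(old_xml, new_xml):
    """Classify permissions added by an update by whether the user would see them."""
    old, new = permissions(old_xml), permissions(new_xml)
    held = {GROUPS[p] for p in old if p in GROUPS}  # groups already accepted
    report = {"silent": [], "prompted": [], "hidden": [], "unmapped": []}
    for perm in sorted(new - old):
        if perm in HIDDEN:
            report["hidden"].append(perm)
        elif perm not in GROUPS:
            report["unmapped"].append(perm)   # needs manual review
        elif GROUPS[perm] in held:
            report["silent"].append(perm)     # same group: no approval step
        else:
            report["prompted"].append(perm)   # new group: user is asked
    return report

# Constructed sample manifests for a hypothetical app, versions 1 and 2.
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
USES = '<uses-permission android:name="android.permission.%s"/>'
OLD = HEAD + USES % "READ_CONTACTS" + "</manifest>"
NEW = HEAD + "".join(USES % n for n in (
    "READ_CONTACTS", "READ_CALENDAR", "CALL_PHONE", "INTERNET", "CAMERA",
)) + "</manifest>"

if __name__ == "__main__":
    for kind, perms in diff_update(OLD, NEW).items():
        print(kind, perms)
```

Anything reported under `silent` or `hidden` is what a reviewer with automatic updates disabled would want to inspect by hand before accepting the new version.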