Well, that's a little disturbing. :-/ I didn't think that I could actually trust my Android mobile phone less... congratulations, Google.
- ferg

On 6/11/2014 5:33 AM, Jeffrey Walton wrote:
> http://www.xda-developers.com/android/play-store-permissions-change-opens-door-to-rogue-apps/
>
> XDA is normally about the latest and greatest. Whether we’re talking
> about the latest firmware revision or device, most people in the
> Android tech community favor being on the bleeding edge. Sometimes,
> however, the latest isn’t necessarily the greatest or the best way
> forward. As we recently covered here on the XDA Portal, Google
> released a new version of the Play Store, which among other things,
> allows the use of PayPal to purchase apps and simplifies the
> permissions interface shown to users.
>
> Under this happy facade, however, is a somewhat more sinister change.
> The permissions system in Android, which has protected users since
> Android hit consumer devices in 2008, was significantly (and fairly
> quietly) watered down by Google in this Play Store update. Previously,
> when an application update requested additional permissions, users
> would be notified and have to accept the change before updating. This
> continued when automatic updates were introduced, as applications with
> permission changes would require a manual update and approval of the
> new permissions.
>
> This system worked fairly well. If an app changed its permission
> needs, you’d be notified, and could choose whether to accept the
> update. With the most recent Play Store update, however, users are not
> told about certain permission changes if they don’t result in the
> addition of permissions to a new group. Given the sheer breadth of
> permissions a group now covers, this effectively leaves Android with
> only 13 permissions. An application can quietly update itself in
> future, to grant itself access to further permissions within a group,
> with the user left none the wiser.
>
> Once an app is granted an individual permission within a group, that
> application has the ability to add any other permissions from the
> group in a future update, without users being notified of the change.
> To quote Google:
>
>     You won’t need to manually approve individual permissions
>     updates that belong to a permissions group you’ve already
>     accepted.
>
> For example, contacts and calendar permissions are now grouped into
> one. An app with the ability to read your contacts could, without you
> receiving clear and prominent notices, add calendar permissions to the
> group. This would allow the application full access to snoop through
> your calendar, and even send Emails to calendar appointment guests,
> without your consent.
> ...
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
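
An added example, not part of the original message or the XDA article: a small audit that splits the permissions an update adds into those the group-level consent model described above would grant without a prompt and those that would still prompt. The group mapping is a constructed, partial assumption (only the contacts/calendar grouping comes from the article), and `group_of` and `audit_update` are hypothetical names.

```python
# Added example: audit an update's permission delta under group-level consent.
# GROUPS is a constructed, partial mapping; only contacts/calendar is from the article.
GROUPS = {
    "contacts_calendar": {
        "android.permission.READ_CONTACTS",
        "android.permission.WRITE_CONTACTS",
        "android.permission.READ_CALENDAR",
        "android.permission.WRITE_CALENDAR",
    },
    "location": {  # assumed second group, used to show the prompted case
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_FINE_LOCATION",
    },
}

def group_of(permission, groups=GROUPS):
    """Return the name of the group holding `permission`, or None if unmapped."""
    for name, members in groups.items():
        if permission in members:
            return name
    return None

def audit_update(old_perms, new_perms, groups=GROUPS):
    """Classify permissions added by an update as silent, prompted or unmapped."""
    # Groups the user has already accepted through the installed version.
    accepted = {group_of(p, groups) for p in old_perms} - {None}
    report = {"silent": [], "prompted": [], "unmapped": []}
    for perm in sorted(set(new_perms) - set(old_perms)):
        group = group_of(perm, groups)
        if group is None:
            report["unmapped"].append(perm)   # not in the mapping: review by hand
        elif group in accepted:
            report["silent"].append(perm)     # same group as before: no prompt
        else:
            report["prompted"].append(perm)   # first use of this group: user is asked
    return report

if __name__ == "__main__":
    # Constructed permission lists for two versions of a hypothetical app.
    v1 = ["android.permission.READ_CONTACTS", "android.permission.INTERNET"]
    v2 = v1 + ["android.permission.WRITE_CALENDAR",
               "android.permission.ACCESS_FINE_LOCATION",
               "android.permission.RECORD_AUDIO"]
    for kind, perms in audit_update(v1, v2).items():
        print(kind, perms)
```

The `silent` list is the one to review before allowing an automatic update, since those additions are the ones the article says no longer produce a notice.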