Well, that's a little disturbing. :-/

I didn't think that I could actually trust my Android mobile phone
less... congratulations, Google.

- ferg


On 6/11/2014 5:33 AM, Jeffrey Walton wrote:

> http://www.xda-developers.com/android/play-store-permissions-change-opens-door-to-rogue-apps/
> 
> XDA is normally about the latest and greatest. Whether we’re talking
> about the latest firmware revision or device, most people in the
> Android tech community favor being on the bleeding edge. Sometimes,
> however, the latest isn’t necessarily the greatest or the best way
> forward. As we recently covered here on the XDA Portal, Google
> released a new version of the Play Store, which among other things,
> allows the use of PayPal to purchase apps and simplifies the
> permissions interface shown to users.
> 
> Under this happy facade, however, is a somewhat more sinister change.
> The permissions system in Android, which has protected users since
> Android hit consumer devices in 2008, was significantly (and fairly
> quietly) watered down by Google in this Play Store update. Previously,
> when an application update requested additional permissions, users
> would be notified and have to accept the change before updating. This
> continued when automatic updates were introduced, as applications with
> permission changes would require a manual update and approval of the
> new permissions.
> 
> This system worked fairly well. If an app changed its permission
> needs, you’d be notified, and could choose whether to accept the
> update. With the most recent Play Store update, however, users are not
> told about certain permission changes if they don’t result in the
> addition of permissions to a new group. Given the sheer breadth of
> permissions a group now covers, this effectively leaves Android with
> only 13 permissions. An application can quietly update itself in
> future, to grant itself access to further permissions within a group,
> with the user left none the wiser.
> 
> Once an app is granted an individual permission within a group, that
> application has the ability to add any other permissions from the
> group in a future update, without users being notified of the change.
> To quote Google:
> 
>     You won’t need to manually approve individual permissions
>     updates that belong to a permissions group you’ve already
>     accepted.
> 
> For example, contacts and calendar permissions are now grouped into
> one. An app with the ability to read your contacts could, without you
> receiving clear and prominent notices, add calendar permissions to the
> group. This would allow the application full access to snoop through
> your calendar, and even send Emails to calendar appointment guests,
> without your consent.
> ...
> 
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
> 


-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
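
Added example, not part of the original post or the quoted article: a small audit script that compares the `uses-permission` entries of two decoded AndroidManifest.xml versions and separates the additions that the group-based rule described in the article would let through without a prompt from those that would still be shown. The group table, package name and sample manifests are constructed assumptions; only the contacts/calendar grouping comes from the article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: illustrative table holding only the grouping the article names
# (contacts + calendar). It is not the Play Store's actual group list.
GROUPS = {
    "contacts/calendar": {
        "android.permission.READ_CONTACTS",
        "android.permission.WRITE_CONTACTS",
        "android.permission.READ_CALENDAR",
        "android.permission.WRITE_CALENDAR",
    },
}

def group_of(permission):
    """Return the group a permission belongs to; unlisted ones stand alone."""
    for name, members in GROUPS.items():
        if permission in members:
            return name
    return permission

def requested_permissions(manifest_xml):
    """Collect android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def review_update(old_manifest, new_manifest):
    """Split newly requested permissions by whether their group is already held."""
    old = requested_permissions(old_manifest)
    added = requested_permissions(new_manifest) - old
    held_groups = {group_of(p) for p in old}
    silent = sorted(p for p in added if group_of(p) in held_groups)
    prompted = sorted(p for p in added if group_of(p) not in held_groups)
    return {"silent": silent, "prompted": prompted}

# Constructed sample manifests for a hypothetical app.
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">'
PERM = '<uses-permission android:name="android.permission.%s"/>'
OLD = HEAD + PERM % "READ_CONTACTS" + "</manifest>"
NEW = HEAD + "".join(PERM % p for p in
                     ("READ_CONTACTS", "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA")) + "</manifest>"

if __name__ == "__main__":
    for kind, perms in review_update(OLD, NEW).items():
        print(kind, perms)
```

Under the earlier behaviour the article describes, every entry in both lists would have required approval; reviewing the "silent" list by hand restores that check for the apps you care about.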