Android’s Permissions May Allow Devs To Silently Add Privileges

Google recently made a change to the way it handles permissions on the Play Store. Related permissions are now grouped together when you update. This makes it simpler to see what’s happening, but it has some potentially worrisome implications.

As Android Police explains, in the past, when Google would update apps via the Play Store, the user would be notified if any new permissions were added. Under the new system, a user will only be notified that there’s been a change if a new group is added. This also means that if you update apps automatically, permissions can be added without your knowledge:

The real problem becomes visible with app updates through the Play Store. When new permissions are added, there are no outwardly visible signs that anything has changed so long as no new categories are added. For example, an app that had already been authorised to read the call log can add permissions to make calls without intervention, and there will be no warning when it comes time to download the update. In the past, app updates clearly identified new permissions and prompted users to authorise each update before it could be downloaded.

This doesn’t necessarily make everything a free-for-all. As stated, a permission has to be in an already-approved group in order to be added. However, there doesn’t seem to be much in the way of risk prioritisation. You can read more about the implications of this change at Android Police’s rundown below. As always be sure to read and research permissions thoroughly before installing or updating an app you’re not sure you trust.

Simplified Permissions UI In The Play Store Could Allow Malicious Developers To Silently Add Permissions [Android Police]