Checking App Permissions Is Your Best Protection On Android

The open nature of the Android market has one large disadvantage: apps that conceal unwanted and malicious functionality don't get checked before they're launched to the world. There are plenty of commercial Android security solutions, but you can ward off many potential issues simply by bothering to check the permissions on the app before installing.

At the Bitdefender press launch I attended last week in Bucharest, there was a demonstration of how easy it is to inject malicious code — designed to capture user information direct from the handset — into any existing Android package (APK). That has led to a rapid growth of malicious code. "We've seen since the beginning of 2011 a 900% increase in malware families, and a 2000% increase if variants are included," researcher Alexandru Balan said. "Android malware exists and it has exploded."

Balan also gave a concrete example of how unexpected functionality conceals itself. There's an app on the market called Flashlight No Ads, which presents itself as a simple flashlight/torch application. However, the permissions are somewhat more extreme (click for a larger version):

While there might be an argument for a flashlight app to access the camera (many use the camera's flash function to provide extra light), there is no logical reason for it to read your phone state, create network sockets or modify global system settings.

In practice, this app actually grabs user details include your carrier, phone number and email address, and automatically connects you to an ad server three hours after installation. You won't be able to tell that from the permissions, but the mere fact that a simple flashlight app is demanding so much should give anyone pause for thought. It's all too easy to click through the permissions screen when installing, but spending that time will definitely help you avoid some obvious hassles.

Angus Kidman travelled to Bucharest as a guest of Bitdefender.


Comments

    The problem with this whole Android concept of the user stopping to read (and understand!) scads of permissions and deciding then and there whether or not to install it is that only totally anally-retentive geeks do this (and even most of them soon grow bored with it and stop paying attention after a while, I know I did). It therefore provides no real security at all. It's exactly like the Windows installer permissions dialog, everyone just hits yes and lets it do whatever dude.

    Real people, non-geek, non-programmer people (i.e. 99.5% of the potential customer base), have no idea what all this stuff means and don't want to know. They just want something that works and allows them to install neat apps for flashlights or Facebook or angry life-form games that doesn't risk installing a virus or privacy-stealing malware. They want their phones to be as simple and straightforward to use as their toaster, dishwasher or TV. They want their phones to enhance their lives, not be something they have to fiddle with and worry about. They don't want another PITA like their PCs.

    After all these years we should have realised that people won't change to suit computers (and their programmers), the computers have to change to accommodate the users.

      I totally agree with you, but have a different angle on the idea.

      If people want the phone that just works and doesn't require to much thought or messing around with setting and stuff, there is a phone for that. The iPhone. ( not plugging or raging on the iPhone, just observing that it is a lot simpler and clean compared to android, with more limitations on how hard you can mess with it without really trying)

      Most of the people I know went android because of reasons like:
      "way more free apps"
      "can do heaps more than iPhone, can actually change whatever I want"

      Why do people assume that more things for free will actually come with no trade off? And how could you think being able to mess with more settings would mean no change in stability n stuff.

      Free apps cuz anyone can publish, including people who only want to cause harm. It's obvious.

      People who fall victim to this sort of thing will have to take some responsibility for it, as there are very clear easy to understand warnings about what any app can do.

      It's like when pedestrians intentionally cross hazard tape with the do not enter sign to take a shortcut through a construction site, get hurt and want to point a finger at someone else. ( the warning was there, but they felt like its mustn't apply to them)

      Or the person who gets hit by a car for crossing on the red don't walk light. Warning was there, but it was obviously just for everyone else's benefit.

      If you can't wrap your head around what " this app has the ability to change settings on your phone, see who you are calling, and send SMS messages" means, you simply arnt smart enough to be alowed a tool as powerful as one running android or similar.

      Between vigilance, common sence, and as a last resort the acquisition of defense software, one can be protected from this sort of problem. If someone intentionally avoids using all three, how are they less that totally responsible for the virus?

    This is why parts of Cyanogenmod should be part of the main android release.
    The part I'm hinting at is the ability to remove these permissions from applications.

    Sure it's currently only for the Android enthusiast, but Google could add some nice buttons and pictures to help the normal people along.

    I don't understand the permissions (not geeky enough - correction; not tech geeky enough) so I just read the reviews. If there are a few that state that they've had problems, I don't go there.
    To make sure I'm not getting a glossy picture from the top 3 reviews or whatever,I scroll further down and read snippets throughout.

    Yeah reviews are a good indication, but a lot of the time people are none the wiser when they download it and usually only complain when the thing FCs on them.

    I agree reviewing permissions is a good way to go, but some permissions are a little vague for my liking. "Read phone state" can be any number of things.

    You should be able to drill down for more information (e.g. Can make calls but not answer them, can look at pictures of your contacts, but not their names etc.)

    I would prefer it if we would be allowed to REMOVE permissions from apps from the stock android. Obvious limitations would apply (for example, you may not be allowed to remove ads since that would prevent free apps from gaining revenue from them). But, most permissions should be allowed to be removed. If you have a flashlight app, you should be able to remove any permissions, ads aside, that don't have anything to do with turning the light on.

    Speaking of which, where can I find a flashlight app that doesn't have absurd permissions or ads? I don't mind paying a couple dollars. (I can't believe android doesn't have this feature built in)

Join the discussion!

Trending Stories Right Now