Tuesday, May 20, 2014

A Guide To Understanding Android App Permissions (& How To Manage Them)

Apps dominate our usage of smartphones and while Apple’s App Store has stringent criteria for apps to get in, Google’s Play Store is relatively more lenient. As an Android app user, you should be aware of the type of data the apps you use are taking from you.

On top of that, you will need to start reading up on the "permission slips" you have been giving apps that you download to your phone, or risk opening yourself up to major privacy and security issues.

In this guide, we will be highlighting some of the app permissions you need to pay more attention to, and which are valid permissions that apps are obligated to ask for.

With a bit of vigilance, it’s entirely possible to minimize risks by learning how to better manage your app permissions (and to revoke them if necessary). Here’s a look into Android app permissions and what to do about them.

What Are App Permissions?

First things first, Android app permissions aren’t requests, they’re declarations. Unless you’re rooted, you have no say – short of choosing to not install the app – in whether the app will receive all the permissions it requires.

When you install an app from the Play Store, you’ll get a pop-up listing all the permissions that the app requires, things like access to your storage, phone calls, network communication etc. Read through this list.

It’s all too easy to treat the permissions list like an EULA (which nobody ever reads) but skipping over these permissions could mean the difference between having your data securely on your device or having all of it at the fingertips of unscrupulous app developers.

5 Permissions You Should Be Wary Of

There are a few permissions that you should be wary of, not because they’re necessarily dangerous, but because there could be wide-ranging repercussions if data from these permissions were to fall into the wrong hands. Note that these aren’t the only permissions you should worry about – it’s a start.

If you want to know more, check out the list and discussion of Android app permissions by AndroidForums.com user Alostpacket. There’s also a detailed list of permissions on the official Android Developers page. Most of the recapped information here comes from both resources.

1. Location

There are two types of location permissions that Android applications can require: "approximate location (network-based)" and "precise location (GPS and network-based)".

What would apps need my precise location for? Well, navigation apps like Waze will require such information to work. Similarly, social media applications want to include your location in photos and uploads. Crucially, applications which implement location-based advertising will also need access to such information. It’s just one of the many sacrifices you have to make when using a free, ad-supported app.

2. Phone Status And Identity

This is a bit of a problematic permission, because "read phone status and identity" encompasses everything from something as innocuous as needing to know when a phone call is coming in, to having access to crucially important data such as your device’s IMEI number.

While this permission is often safe, the potential for wrongdoing is huge, so do exercise caution when apps require this permission. If there doesn’t seem to be any real reason for the app to require this permission, it might be a good thing to think twice before installing it.

3. Read And Modify Your Contacts

The "modify your contacts" and "read your contacts" permissions give an app unfettered access to your contacts’ data. While both can be problematic, the "modify" permission is especially dangerous since it would let an app read all the contact information you have on your phone. This includes how often you communicate with particular contacts.

SMS apps, contact management apps, dialer replacement apps and even some social media apps will need one or both of these permissions, but apps without any social aspect to them have no reason to require this.

4. SMS And MMS-Related Permissions

These permissions could potentially cost you a lot of money if malicious apps use them to send illegitimate SMSes or tack extra charges onto each SMS and MMS you send.

The "read your text messages" and "receive text messages" permissions can also potentially result in your privacy being compromised. If there’s no real reason for an app to require these permissions, avoid it.

However, there are perfectly valid reasons an app would require these permissions, especially if it’s an SMS app. Again, a bit of reasoning should save you from having to deal with any issues related to this permission.

5. Account-Related Permissions

"Find accounts on the device" lets the app check with Android’s built-in Account Manager whether you have any accounts on services such as Google, Facebook and so on.

"Use accounts on the device" lets the app ask for permission to use the account. Once this permission is granted, the app won’t have to request it again; the concern, of course, comes if the app is malicious and continues to do things in the background in your name.

Another related permission to watch out for is "create accounts and set passwords", which lets the app authenticate credentials. A malicious app can take advantage of this permission to get your password by phishing you.

Ways To Stay Safe

There are a few things you can do to stay on top of app security.

1. The best way to stay safe is not to immediately avoid any apps that require problematic permissions but instead, to look at the app itself and use reasoning to figure out whether the app really requires these permissions.

2. You can also send an email to the developer asking about the permissions. If the reply isn’t satisfactory, or if you don’t get a reply at all, then you should most probably give the app a miss.

3. You should also take advantage of the huge Android community if you’re unsure about the security of a particular app. Read reviews on the Play Store and check forums and Android-centric news sites to see if there have been any complaints about the app recently. It’s a bit of work, sure, but better be safe than sorry.

Managing App Permissions

If you’ve let apps have access to any of your accounts such as Facebook or Google, it’d be a good idea to go to your account settings and manage your account permissions, if the website has such a feature.

You can also check what permissions certain apps have by going into Settings > Apps. Just select an app and scroll down to see the permissions it has.

Permissions Manager Apps

You can also use an app such as Permission Explorer, which lets you filter by categories, apps and permissions, and can give you a much more detailed breakdown of the permissions granted to the app. Other similar apps you can try are Permissions Observatory and App Permissions.

Regardless of the app you choose, spending some time going through the permissions of apps currently installed on your Android device should help you establish whether there are any apps with problematic permissions that need to be revoked or perhaps even uninstalled entirely.
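
An added example, not from the original article: the same audit done off-device, over a decoded AndroidManifest.xml (for instance, one extracted with a tool such as apktool). The mapping from the Play Store labels quoted in this guide to manifest permission names, the category names and the sample flashlight manifest are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest permission -> (category in this guide, Play Store label).
WATCHLIST = {
    "android.permission.ACCESS_COARSE_LOCATION": ("Location", "approximate location (network-based)"),
    "android.permission.ACCESS_FINE_LOCATION": ("Location", "precise location (GPS and network-based)"),
    "android.permission.READ_PHONE_STATE": ("Phone", "read phone status and identity"),
    "android.permission.READ_CONTACTS": ("Contacts", "read your contacts"),
    "android.permission.WRITE_CONTACTS": ("Contacts", "modify your contacts"),
    "android.permission.SEND_SMS": ("SMS", "send SMS messages"),
    "android.permission.READ_SMS": ("SMS", "read your text messages"),
    "android.permission.RECEIVE_SMS": ("SMS", "receive text messages"),
    "android.permission.GET_ACCOUNTS": ("Accounts", "find accounts on the device"),
    "android.permission.USE_CREDENTIALS": ("Accounts", "use accounts on the device"),
    "android.permission.AUTHENTICATE_ACCOUNTS": ("Accounts", "create accounts and set passwords"),
}


def audit_manifest(manifest_xml):
    """Return {category: [labels]} for watchlisted permissions the manifest declares."""
    findings = {}
    for elem in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name", "")
        if name in WATCHLIST:
            category, label = WATCHLIST[name]
            findings.setdefault(category, []).append(label)
    return findings


def unexplained(findings, expected_categories):
    """Categories the app declares that its stated purpose does not account for."""
    return sorted(set(findings) - set(expected_categories))


# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

if __name__ == "__main__":
    found = audit_manifest(SAMPLE_MANIFEST)
    for category in unexplained(found, expected_categories=[]):
        print(category, "->", ", ".join(found[category]))
```

Passing the categories you would expect for the app's purpose (for example `["Location"]` for a navigation app) leaves only the ones that deserve a second look.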

Revoking App Permissions

Once you’ve found some offending apps, it’s time to decide on a course of action. There’s currently no built-in way to manage app permissions in the latest version of Android, since Google chose to remove the AppOps feature from Android 4.4.2.

However, if you’re still running Android 4.3, it wouldn’t hurt to give AppOps a go to see if it helps you access the built-in permissions manager.

If you’re running stock, unrooted 4.4.2 (or a version prior to 4.3), you’re pretty much out of luck when it comes to revoking app permissions short of completely uninstalling the application. However, if you are rooted, then you have a few more options.

Permissions Manager Apps (Rooted)

If you have the Xposed Framework installed, you can give XPrivacy a go. XPrivacy is one of the best permissions manager applications available, letting you tweak, block and revoke almost every permission an app might require. You can also use the XPrivacy Installer to help you install both Xposed Framework and XPrivacy itself.

If you’re willing to install a completely new ROM, or plan to do so anyway, there are also certain custom ROMs that come with permission management features built-in.

The popular CyanogenMod has a Privacy Guard feature which, as of last year, comes with Android 4.3’s AppOps integrated into it. Other ROMs such as Purity ROM also have a similar feature.

Conclusion

It’s hard to deny that, by default at least, Android’s privacy and security settings are a bit lacking. From occasionally confusing permission names to an inability to selectively grant permissions, this is definitely something that Android should work on.

However, even with these issues, it’s still entirely possible to stay on top of things and ensure the security of your data by being vigilant about the apps you install and the permissions that these apps require. After all, it’s your data on your phone – you have control.