Android’s Control Issue: The Problem With Permissions
It should come as no surprise to anyone who’s visited in the last few years: I’m an Android fan. Notice I said “fan”, not “fan boy”. There’s a difference. Instead of following blindly along, espousing that Android can “do no wrong”, I’ve been critical when shortcomings have arisen. I’ve been upset when Google doesn’t get things right. I’ve been vocal.
The other side of that coin is that I subscribe to the notion that Android represents the best choice in smartphone and tablet technology, and is likely the most robust of any mobile operating system available today. Android offers the ultimate in freedom and flexibility.
You, as an end-user, can select which hardware best suits your needs, which features are a requirement versus a “want”, and can even choose a custom ROM to run on whatever hardware you decide upon.
For OEMs the options are much greater! OEMs can take Android apart, slap a new skin on it, replace built-in features, functionality, and apps, and create an entirely customized version of the operating system to include on their devices. The possibilities are truly staggering.
End users, regardless of OEM or carrier, can install any of hundreds-of-thousands of apps from Google’s Play Store, Amazon’s Appstore, or any one of several other market places. Users can even side-load apps, bypassing a “store” completely.
That’s what can get you into trouble
No, I’m not talking about side-loading apps, I’m talking about installing apps in general! Android, unlike most other mobile operating systems, doesn’t hide what apps want to do from you. Rather, Android presents this information to you. How easy that information is to read and understand is arguable, but they show you nonetheless.
Unfortunately, most users don’t take the time to look at the permissions an app is asking for, they just “next” right through the dialogs until the app is installed. Hopefully they didn’t just accept something malicious — but if they did, they said it was okay, right?
To combat this “permissions apathy” Google has updated the permissions screen to be more descriptive and to call out when an app might cost you money.
There are still a lot of permissions, and one app may legitimately ask for permissions where another may not legitimately require them. It’s a fine line, and it requires you, the end-user, to pause and use your brain.
Questions you should ask yourself include, but are not limited to:
- Is this app from a trustworthy developer? Do I know who wrote it? Do the ratings and reviews warn me about anything? Does the app look like malware?
- Why does this app need all these permissions? Do I understand what the app does? Are the permissions that it’s asking for what I’d expect from an app of this type?
- Does the developer explain why they need the permissions their app is asking for? If not, why?
What kind of permissions might an app request?
Directly call phone numbers & Send SMS messages: These are pretty much what they sound like. By installing an app asking for this permission, you’re giving the app the ability to make phone calls or send texts. If you’re using Skype or some other communications app, that’s probably okay. If a wallpaper or game is asking, it’s probably a red flag.
Modify or delete USB storage: Any app asking for this permission can read, edit, and delete your data. If the app saves stuff (pictures, ringtones, etc.) to your device, this permission is probably okay. If the app also asks for Internet access, the app can theoretically upload any of your user files to some website in Kalamazoo.
Read and change my contacts: Ironically, apps with this permission can read and change your contacts. All joking aside, this, again, could be completely appropriate in a communications-type app — but completely out-of-line in something like a ringtone-app.
Read sensitive log data: Anything that says it’s “sensitive” should be a tip-off. This permission allows an app to read log data from other apps. Other apps may store usernames and passwords in them — in plain text. Be careful with this one.
Read phone state and identity: This permission should really be broken into two, but it’s not — not yet anyway. The ability for an app to read your phone state will let it pause your music or movie (for example) when a call comes in. The “identity” part lets the app read your IMEI and IMSI numbers — uniquely identifying bits of information that could be used to track you.
Fine GPS Location & Coarse Network-based Location: These permissions let apps know where you are. The former can identify your location within several feet, the latter within a block or so. Both are perfectly legitimate when the app in question is a mapping utility. If the app has nothing to do with geo-location, it’s probably reporting where you are to an ad server somewhere.
The list goes on
This list is in no way exhaustive. I could go on with another dozen-or-so permissions, but I won’t. Why not? You can read all about the permissions an app is requesting when you install it, all you have to do is read what it’s asking!
If you really want to know more about app permissions, Google has put together a very comprehensive set of documents on the subject. App developers are advised to request only the permissions that are absolutely necessary to make their app work — no more!
The problem with permissions it that Android is trusting that you’ll read and understand what apps are asking for, and are intelligent enough to decide whether or not that’s something you want the app in question to be able to do.
So the next time you’re installing an app, pause for a moment to read through that list of permissions. If you don’t know what something means, do a little research. You can even email the app developer asking why they need a certain permission. They’ll probably get right back to you and calm any fears that you may have.
What about you?
Do you have a horror story of an app that had too much access? What did it do? What could Android have done better to warn you before you installed it?
Have you come across an app asking for an unusual set of permissions that turned out to be completely legitimate? Let us know in the comments!