
Android permissions explained, security tips, and avoiding malware

If you've never looked at your https://www.google.com/dashboard/ it's rather scary what Google stores away "somewhere".

Wow!!!!!! :eek: Nope, I've never seen that before!

I was flustered at first to see that my phone had sucked in the email addresses of everyone I'd ever gmailed to populate my contacts. Now I understand that Google sees my phone as simply an extension of my "Google experience".

I guess if I want to use my phone as a stand-alone device that connects to services, vice as a mobile and personal portal into the world of Android/Google services, I have to go root. *sigh*

Ed
 

Google is Android, which is why their apps are so deeply tied to their Android OS. Not sure how you would go about removing them while rooted, but I know a few of those apps are already removed in some custom roms.

As for the email addresses getting auto added to your contact list, there's a setting for that somewhere in the settings online if you log in with your PC. ;)
 
If you've never looked at your https://www.google.com/dashboard/ it's rather scary what Google stores away "somewhere".


That really is a useful and informative link, even if, in my opinion, not really scary. It's nice to see an ad company show you what they track instead of hiding that info away from you.

Granted there is more info than they show there but that would likely be related to trying to qualify the data you see there, i.e. if you visit gaming sites, they may have stored in a DB somewhere "gamer".

Either way, thanks for the link :)
 
Yes, if the app requires those permissions to be able to run, then if you launch the app, it will request the system to use those permissions. As the app is already installed on the phone, the system takes it that the user has granted this permission (installing said app).

There are two ways to get a phone to come with minimal bloatware. You can buy a Google Nexus Phone (Nexus One, Nexus S, and soon to be Nexus Prime) or buy an UNBRANDED Android phone. An Unbranded phone is made directly by the OEM with no carrier interference. These phones are usually (carrier) unlocked as well but you end up paying a premium for it being that way.

Are there ANY ways to remove the bloatware? I have CC cleaner and other removal programs I used to get rid of a LOT of junk my PC's have come with. Is there nothing similar for Android? The phone I wanted may not be sold unlocked for quite a while, and my Winmob 6.1 phone WAS unlocked and it still has a bunch of junk I wish it didn't have!

Thanks!
 

You would need to root your phone and freeze or uninstall your app. Freeze as you'd need those apps again if you want to get your carrier's updates. Read first on what rooting entails as it's not for everyone. Also note that rooting voids your warranty.

I use Titanium Backup but there are others.
 
Hey,

I'm still worrying over whether or not to download the Facebook for Android app, given the mammoth list of permissions it asks for (aside from all the negative ratings in the market, which is another issue). But I haven't found a replacement that seems to want any less control, and since Facebook already has much of my information, I'd rather let them keep it than provide it to yet another entity. But maybe I'm paranoid :) My question here is in regards to two specific permissions listed for the app:

ACT AS AN ACCOUNT AUTHENTICATOR
Allows an application to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.
MANAGE THE ACCOUNTS LIST
Allows an application to perform operations like adding, and removing accounts and deleting their password.

Both of these permissions deal with password controls, which seem to go beyond what was listed in the guide under 'manage accounts' and 'use credentials'. Am I just missing something? And would this theoretically allow the app to change my password on a different account without my knowledge? Or to use my password without my knowledge? Given that my Google account is linked to my Google Checkout account (to use the market), and ergo to my credit card, having another service have the ability to use that password without my knowledge would be akin to giving them free rein with my card... wouldn't it? (And I realize they would have to be pretty malicious, and Facebook probably wouldn't be, but just play out the worst-case scenario with me here so I can understand what exactly I'm saying yes to :)).

Since I would imagine most people probably have some way of accessing their Twitter and Facebook accounts on their phones, how have others managed to do it in the safest way? Are there applications that people know of that require fewer permissions, or don't attempt to interact with other accounts? Why is it that I can't give an app (e.g. Facebook) the ability to manage my facebook account, but not the permission to manage my Google account?

Thanks!
 
A valid concern to be sure. I'm pretty sure those two permissions actually do what you are hoping they do. They mostly allow an app to manage what accounts are on the device, and create an account for their own app/service. But neither permission would give them access to your Google account. It sounds like they may be able to delete accounts, but not read the passwords, etc.

I wouldn't worry with facebook especially, as you know they aren't trying to steal passwords :) They might have some huge privacy problems but that isn't one of them :)

I'll mark this in my todo to see if I can research and put forth a better explanation on "act as an account authenticator" but I'm pretty sure you can generally treat it like "manage accounts"

hope that helps,
-alp :)
 
It sounds like they may be able to delete accounts, but not read the passwords, etc.

Is there ANY permission out there that would give an app the ability to access your password for an account that wasn't part of that app? (i.e. in a situation where you didn't need to first manually supply your password and then somehow indicate it should save it for the future). Is there a permission that would give an app the ability to impersonate you through one of your existing apps on your phone? Or permissions limited to the services actually being conducted by the app?

I guess I'm a little unclear as to when I can expect to be given the opportunity to consent further later to providing an app greater access, and when I'm giving carte blanche just by installing it. For example, the ability to modify/delete contents from an SD card- if an app has that permission, does it mean it could do so at any time, or does it mean that it will have the ability if I ever click on a setting to "back up to SD card" or something similar. Or the billing permission- could an app ever use that without an intervening step where I said "yes, I'll buy X"? Or is that something that is not really a single answer (i.e. malicious apps probably no, trustworthy apps probably yes, and we're back to the beginning again....)
 
Impersonate maybe, but not access to the password itself. Android and Google services are designed in such a way as to allow apps to make use of your account without ever knowing the password. This is a great security feature actually. But your concern about impersonation is basically what they are warning you about, and why you should consider the warning carefully. :)





Accounts are not stored on the SD card, as the SD card is not a secure storage place. Accounts are only stored on internal encrypted storage.

As for the buying permission, I'm not sure but I am sure they launched it with some type of "confirmation step" protection.

They are also adding a PIN so you can lock out your Google Checkout account unless the PIN is entered. Although that may be in the next version of the market, I'm not sure.

I'll add this to my todo list as well. I've been working on the tablet app of PocketPermissions so I haven't had time to do as much research for it. But I hope to be done with the tablet version by the end of next week. So will update all the guides and app with new info after that is completed.

Also, yes, if an app has the modify/delete SD card permissions it means it can do so at any time without confirmation.

Very few permissions require an on-use confirmation. One I think is "use credentials" and another should be the billing permission. 98% of the time, when you grant a permission during installation, the app can use that permission whenever it wants. For most permissions this isn't a major problem, but it would be nice to see some more security here for sure.

hope that helps

:)
 
That's great, thanks, though I'm not sure it makes me feel any more confident in putting anything on my phone! lol. Is there any way you know of to check to see if an app is doing just what it is expected to, or if it is abusing any of its privileges? I'm not sure how that would be done, but it would be an awesome thing to behold: something that showed the last time an account was accessed, and by what program for example... a log of some sort?? (Or maybe it would be just as feasible to get my phone to do my laundry... ;))
 


No logging that's readable from what I know. Certainly the OS itself keeps track of what it grants and denies, but this log is not readable/public from what I know.

I wish my phone would do laundry too! I am off to do some right now heh.
 
I'm using an antivirus app (Antivirus pro from avg mobilation) and I really don't know if this is necessary?
Can a virus infect my phone through the browser?
I don't surf for porn and I don't download anything through the browser. I watch YouTube (from the YouTube app), browse news, forums and not much more than that. Twitter. Don't use the Facebook app anymore. Seriously they need to chill with all the non-privacy thing they have going on. :-)

Hope you can answer my question :-)
 
Since I would imagine most people probably have some way of accessing their Twitter and Facebook accounts on their phones, how have others managed to do it in the safest way? Are there applications that people know of that require fewer permissions, or don't attempt to interact with other accounts? Why is it that I can't give an app (e.g. Facebook) the ability to manage my facebook account, but not the permission to manage my Google account?

Thanks!

I just use the internet browser for Facebook. Other than the FB chat, contact sync and instant notification, the internet FB site does all of the required FB (stream/wall/message/ul photos etc). I prefer the browser since FB is a huge bloatware and I don't use it as often (once a week) that makes me want to have the app on my phone.
 
This is a great post. I wish I had read it prior to downloading the malware app I installed yesterday.

Can anyone also post a list of 'things to do' if you do unwittingly install a bad app?

Besides Step 1: Uninstall.

Do you need to notify your cell phone company, or change the phone number so you don't find additional charges on your account? I'm not sure what they can do with your data after the fact and the steps necessary to take if they do get your data to protect yourself.

And since it's a community, how can we protect others / remove the app to help out (e.g. rate it poorly, comment clearly and professionally with a reference to this webpage, inform Google)?

Thanks group.
 


These are some really good questions, thank you :). There is some information about how to rate and comment on apps in The Community section of the guide. However, I am going to add it to my (growing) TODO list to add a section about "what can users do in case of infection", or something similar.

A couple quick points:


- To notify Google there is a "flag this app as inappropriate" function in the Market app and on the website. Anything you're pretty sure is Malware, you should flag. Google will investigate -- especially if multiple users flag an app.

- Of course uninstall is good. You might want to check the permissions to see what it had access to. Some things like changing your number with your carrier may not be needed unless it was truly nasty Malware. It can help to copy the permission list or write it down for when you will look up what they mean.

- Another thing you could do is come to these (or other) Android forums and start a thread asking about the app, and see if anyone else is having similar problems. As a community, often the best place to get help, is from the community :)


hope that helps!
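As an added example (not part of the original thread or the guide it discusses), here is one way to pull the permission list out of an app's decoded `AndroidManifest.xml` and group it by the concerns raised in this thread. The sample manifest and the package name `com.example.socialapp` are constructed, and the mapping from the Market's wording to permission constants reflects the pre-Android 6 names.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this XML namespace.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# group, note: notes paraphrase how the thread describes each permission.
THREAD_NOTES = {
    "android.permission.AUTHENTICATE_ACCOUNTS":
        ("accounts", "act as an account authenticator"),
    "android.permission.MANAGE_ACCOUNTS":
        ("accounts", "add/remove accounts, delete their passwords"),
    "android.permission.USE_CREDENTIALS":
        ("accounts", "use an account without seeing its password"),
    "android.permission.WRITE_EXTERNAL_STORAGE":
        ("storage", "modify/delete SD card contents at any time"),
    "com.android.vending.BILLING":
        ("billing", "Market billing"),
}

# Constructed sample: a decoded (text) manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.socialapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
  <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"/>
  <uses-permission android:name="com.android.vending.BILLING"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the unique permissions a manifest requests, in file order."""
    root = ET.fromstring(manifest_xml)
    seen = []
    for node in root.findall("uses-permission"):
        name = node.get(ANDROID + "name")
        if name and name not in seen:
            seen.append(name)
    return seen


def audit(manifest_xml):
    """Group requested permissions by the concern discussed in the thread."""
    report = {}
    for perm in requested_permissions(manifest_xml):
        group, note = THREAD_NOTES.get(
            perm, ("other", "not discussed in this thread; look it up"))
        report.setdefault(group, []).append((perm, note))
    return report


if __name__ == "__main__":
    for group, items in sorted(audit(SAMPLE_MANIFEST).items()):
        print(group)
        for perm, note in items:
            print("  %s: %s" % (perm, note))
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text first; this example assumes that has already been done.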
 
Yes, choosing the right apps can help to keep you safe on Android, but let's not forget other safety measures such as the ones I wish I took now, like not opening texts or emails from unknown numbers, as my phone now seems to have some sort of spyware on it and causing me problems and I am still trying to get rid of it. Spyware and malware is not just in apps, it's in messages and emails, and not just links and attachments, also in hacked Google accounts as I think mine has been. We need to keep an eye out here people because it causes a nightmare when it happens, and when I sort my phone I will be very very careful to the point I might try and block messages by unknown numbers if it is possible. Let's make Android safe again for all people because all in all Android is a great OS to use and lots of fun.
 


You make some good points, there are some additional ways people should be careful especially with SMS/MMS and email.

I think I will add it to my todo list to add a "general safety tips" section.

Thanks :)
 
I'm getting TV commercials in my library gallery with thumbnail pics saying the ads are from TAPJOY. I should have read this post earlier, I'm guessing I gave permission to an app to write to my SD card.
 