Android permissions explained, security tips, and avoiding malware

[Roze]

Any security apps warn you if you download any of the apps mentioned in this article? Symantec: Android Market having its largest malware infection ever - SlashGear

Here's the list of the apps that Symantec flagged:

The only iApps7 on the market is Heart Live Wallpaper. All of their other apps have been pulled by Google.

This is Heart Live Wallpaper permissions:

Spoiler

NETWORK COMMUNICATION
FULL INTERNET ACCESS
Allows an application to create network sockets. caused for concern of why app needs this permission. This isn't a plain access to the internet permisison
YOUR PERSONAL INFORMATION
WRITE BROWSER'S HISTORY AND BOOKMARKS
Allows an application to modify the Browser's history or bookmarks stored on your device. Malicious applications can use this to erase or modify your Browser's data.
caused for MAJOR concern of why app needs this permission. Serioulsy...I'd abort when I see this permisison. UNLESS IT'S A 3RD PARTY BROWSER OR A SHORTCUT APP. NO APP SHOULD REQUIRE YOUR BROWSER HISTORY!
READ BROWSER'S HISTORY AND BOOKMARKS
Allows the application to read all the URLs that the Browser has visited, and all of the Browser's bookmarks.
PHONE CALLS
READ PHONE STATE AND IDENTITY
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
Hide
NETWORK COMMUNICATION
VIEW WI-FI STATE caused for concern of why app needs this permission
Allows an application to view the information about the state of Wi-Fi. caused for concern of why app needs this permission
SYSTEM TOOLS
SET WALLPAPER
Allows the application to set the system wallpaper.
SET WALLPAPER SIZE HINTS
Allows the application to set the system wallpaper size hints.

Redmicaps apps are just PLAIN SUSPICIOUS. Any SEXY girl apps should NEVER be downloaded. This is where melwares are usually found :/ Permission is very similar to the wallpaper one. Only two of the 4 apps reported are on the market.

 

[Rico ANDROID]

Great alerting everyone! very detailed and apreciated!

 

[LateNiteMike]

Thanks for the original posting. As noted by many already, it's full of very useful information.
By the number of viewers to this posting it is quite obvious that many in the Android community are concerned about the types of issues mentioned. With more and more articles being written regarding security and security issues regarding Android apps, I think it's time to consider a way for all Android users to be able to alert other Android users of harmful and/or suspicious apps. Apps that are out there in the marketplace just waiting to snare the unaware and/or unsuspecting down-loaders.
So, with that said......
I would hereby like to suggest a new 'Sticky' (or another method) for making the Android community fully aware and easily notified of any and all apps that might be 'questionable'. By questionable I mean apps that have been known to include malware, spyware, or any type of known malicious activities after being downloaded to an Android device. This would include a way to denote a level of threat to your device, from a level Ten that is merely a battery burner, to a level One that would include malicious spyware/malware.
It would be a master listing of apps that have caused problems for those who have downloaded them along with a way to correlate the info. Info that could alert the Android community.

I realize that there are comments available to read with apps listed in the Market, and some info can be derived from the comments posted,....but I think it's time to have one main source available to every Android user that would be THE 'GoTo' listing for apps that are 'questionable' and that all of us should be aware of....before we downloaded them.
This is just something I think who's time has come, and this is just a basic conceptualization of an idea, but I think it is something that is needed now and probably needed even more as more apps hit the market.
So, wadda ya think??? Is this something worth considering? Something needed and useful to the entire Android community?
Any ideas or suggestions? How can we do this? What's the best format?

 

[rostad]

Hi. I just need to pour a load out as im getting pissed with this Android app system.

I noticed Android market now need to receive SMS and if I didnt want that I could just uninstall and then use the old version that came with the phone.

So I did exactly that... uninstalled the crap...but then discovered that first time you use market again - all of Googles apps has changed status to "allow automatic updates" (excl. sky map).... and futher more - after using market one time... it updates itself to the new version I didnt wanna use... automatically.

Seriously - Google maps need to call telephonenumbers? Android market needs to receive SMS? Facebook needs to read, edit, receive and send SMS/MMS

If any of you Google people read this - i swear my next phone dosnt use Android.

 

[Roze]

Sorry to hear about that rostad

Seriously - Google maps need to call telephonenumbers?

This is so you can directly call a place (restaurant/hotels/stores) directly from the map app.

 

[tcat007]

If you are rooted you can go back to an earlier Market and remove the updating. But yes, "most" permisions are so that an app can actually do what it advertizes. Apple apps do the same thing, as do PC apps... I wouldn't worry too much if it's popular with a decent rating.

 

[lunatic59]

Hi. I just need to pour a load out as im getting pissed with this Android app system.

I noticed Android market now need to receive SMS and if I didnt want that I could just uninstall and then use the old version that came with the phone.

I understand your frustration. Permissions can be a tough concept to wrap your head around in Android. It does make sense, though is you examine it closely.

So I did exactly that... uninstalled the crap...but then discovered that first time you use market again - all of Googles apps has changed status to "allow automatic updates" (excl. sky map).... and futher more - after using market one time... it updates itself to the new version I didnt wanna use... automatically.

Not only is there a setting to auto update each app individually, you can set a global default in the market. If you open the market and then go to menu>settings you need to turn it off there. Since doing that, none of my Google apps (or any others I don't want to behave that way) auto update.

Seriously - Google maps need to call telephonenumbers? Android market needs to receive SMS? Facebook needs to read, edit, receive and send SMS/MMS

If any of you Google people read this - i swear my next phone dosnt use Android.

Those apps use those services. Without the proper permissions, it wouldn't work as advertised. FWIW, Google is much more transparent about the permissions that each app uses. While it may be a good thing in the long run, it does tend to spook people when they see all these warnings when installing or updating an app. I assure you, other smart phone platforms behave the same way.

 

[rostad]

This is so you can directly call a place (restaurant/hotels/stores) directly from the map app.

So why cant I just install the update leaving the option for Google to call telephonenumbers off? I dont want the feature yet theres no way I can turn it off is there?

If you are rooted you can go back to an earlier Market and remove the updating. But yes, "most" permisions are so that an app can actually do what it advertizes. Apple apps do the same thing, as do PC apps... I wouldn't worry too much if it's popular with a decent rating.

Im not rooted and I dont want to. Getting to old to use hours and hours tweaking my phone.

Now - dont get me wrong here. It's not that I think Google is gonna make long distance calls using my phone - what i fear is that i sometime in the future will get some malicious software installed that will take advantage of the option.
And I dont want any program to do anything like that (or read/write/edit sms/mms messages either)

I understand your frustration. Permissions can be a tough concept to wrap your head around in Android. It does make sense, though is you examine it closely.

Not only is there a setting to auto update each app individually, you can set a global default in the market. If you open the market and then go to menu>settings you need to turn it off there. Since doing that, none of my Google apps (or any others I don't want to behave that way) auto update.

It should still be possible to turn off anything that could cost me money or could violate my privacy dont you think?

And just for the record. I have turned off the auto update in the market. But if you uninstall the android market and uses the version that came with the phone it will make Google programs auto update no matter what you want or select. And it will update itself after u uses it the first time.

So these apps dosnt really work the way they where intended and that just confirm that I should be worried.

 

[alostpacket]

So why cant I just install the update leaving the option for Google to call telephonenumbers off? I dont want the feature yet theres no way I can turn it off is there?

The default behavoir of Google Maps is that it doesnt call numbers. The permission is for a feature they have yet to implment. All it does is open the dialer and enter the number for you, you still have to hit the call button. Any app could do that, -- it doesnt require a permission.

Now - dont get me wrong here. It's not that I think Google is gonna make long distance calls using my phone - what i fear is that i sometime in the future will get some malicious software installed that will take advantage of the option.

This, for all intents and purposes, is not possible. Malicious apps can't "steal" the permissions of Google apps.

And I dont want any program to do anything like that (or read/write/edit sms/mms messages either)

The Market has a receive SMS feature most likely as a security precaution. This is actually probably only used to receive purchase receipts regarding billing, or as a kill switch for malicious apps if discovered (Google has only used the kill switch once)

It should still be possible to turn off anything that could cost me money or could violate my privacy dont you think?

Depends upon what you mean by violate your privacy. The app system doesnt allow for user to turn on or off permissions as they see fit. This has both pros and cons and is a long topic in and of itself.

However, you can opt out of Google's data collection and ad targeting.

And just for the record. I have turned off the auto update in the market. But if you uninstall the android market and uses the version that came with the phone it will make Google programs auto update no matter what you want or select. And it will update itself after u uses it the first time.

So these apps dosnt really work the way they where intended and that just confirm that I should be worried.

The Market is the one app that deals with money and saving people's credit card data and other such sensitive and secure actions, leaving auto-update on is a must.

However I have never had a problem turning off auto-update on any other app (with the exception of a strange game that they have since fixed).


Anyways, I can't speak for Facebook, but Google apps are the safest around, and the concerns you expressed, while always diligent to ask about, aren't anything to actually worry about with regards to Google's apps.

Anyways, I hope that helps alleviate your worries -- I can understand where your coming from, but can assure you in these cases (with the exception of facebook) that you need not worry.

the gears under the hood are very safe

 

[lunatic59]

And just for the record. I have turned off the auto update in the market. But if you uninstall the android market and uses the version that came with the phone it will make Google programs auto update no matter what you want or select. And it will update itself after u uses it the first time.

So these apps dosnt really work the way they where intended and that just confirm that I should be worried.

As alostpacket explained, the Market app is the exception for auto updates. If you uninstall the Market and then reinstall it, you will reinstall it with all its defaults and that means auto update will be the default app setting. It's not surprising then that the Google apps will be set to auto update after you've turned them off. If you disable the default auto update settings in the market app, and then turn it off for each Google app, I assure you, they won't auto update. You can even turn off notifications in the market so you'll never see another update notification if you'd like.

The Market has a receive SMS feature most likely as a security precaution. This is actually probably only used to receive purchase receipts regarding billing, or as a kill switch for malicious apps if discovered (Google has only used the kill switch once)

It can also be used for apps that require authentication beyond the market. The Paid versions of some office suites require a product key as well as market authentication which they send by sms.

 

[rostad]

As alostpacket explained, the Market app is the exception for auto updates. If you uninstall the Market and then reinstall it, you will reinstall it with all its defaults and that means auto update will be the default app setting. It's not surprising then that the Google apps will be set to auto update after you've turned them off. If you disable the default auto update settings in the market app, and then turn it off for each Google app, I assure you, they won't auto update. You can even turn off notifications in the market so you'll never see another update notification if you'd like.
.

Ive had my fun with computers since 1989 and ive seen and heard all kind of people assuring me that this and that cant be done. Im even more worried now when people starts to ensure me theres nothing to worry about because its 100% safe. Theres no such thing as 100% safe

So Im saying once again. I dont uninstall and re-install the market app - im simply deleting the updates and returning to the basic version of android market that came with my phone. It then turns all the Google apps to auto update without my approvel. It then updates itself. And after it updates itself to the newst version - the auto update = off is still there.

Theres no way i can prevent that yet you keep telling me i shouldnt be worried because everything is under control?

 

[scheri]

I found this very informative. Thank you.

 

[lunatic59]

Ive had my fun with computers since 1989 and ive seen and heard all kind of people assuring me that this and that cant be done. Im even more worried now when people starts to ensure me theres nothing to worry about because its 100% safe. Theres no such thing as 100% safe

There are a great many members here who have a good deal of experience with technology. We have developers, IT professionals and communications specialist who frequent these forums and some are staff. We are not saying that Android in general or the Market's behaviors are 100% safe. What we are saying is that they are reasonably safe and, as long as you understand the principles and act accordingly, you are at no greater risk than any other mobile platform. 100% safe would be to not use any modern communications technology, which is eminently impractical.

So Im saying once again. I dont uninstall and re-install the market app - im simply deleting the updates and returning to the basic version of android market that came with my phone. It then turns all the Google apps to auto update without my approvel. It then updates itself. And after it updates itself to the newst version - the auto update = off is still there.

Theres no way i can prevent that yet you keep telling me i shouldnt be worried because everything is under control?

I understand now what you are doing. I do not know exactly what the specifics of a rollback do, but it may restore original/default preferences for the apps, since the auto update feature was not part of earlier versions of the market app. You will have to check with Google's developers to find out specifically gets restored when you uninstall updates.

The market is designed to auto update for the reasons explained. There are ways to prevent it, but I personally don't know what they are. The rooting community will, however, since some custom roms might break with a market update. I don't think you should be worried about the permissions you listed, or the behaviors you described. They are reasonable and normal.

 

[humpity]

And let's not forget, Google's own apps (e.g gmail) can get to all your phone's contact data, i.e all your private telephone numbers and contact info. What they use it for is anyone's guess.
Yep, you agreed to that the first day you used android.

 

[Roze]

And let's not forget, Google's own apps (e.g gmail) can get to all your phone's contact data, i.e all your private telephone numbers and contact info. What they use it for is anyone's guess.
Yep, you agreed to that the first day you used android.

Your Gmail IS your Google account. Google has the option that allows you to sync you contact to your google account. If you don't want Google to know anything about you, then don't put a Google account in (i.e. gmail), don't sync your contact with Facebook (contact avatar) or Gmail (contact phone number and info), don't sync with Calendar or anything Google related. You have the option to NOT use the Google products. If you aren't going to be using anything Google related...then why would you want an Android? Android gives you the ease of access to all of the data that you have ALREADY stored in the various Google products.

 

[tcat007]

Yes, you just have to "trust" Google... if you look at your Dashboard https://www.google.com/dashboard/ they store just about every move you make. But switching to Gmail for all my personal and business accounts is the best thing I did 2 years ago. No more "lost" emails and such easy access to anything anywhere... yeah a bit scary if Google gets hacked very badly. But no more so (actually less so) than if your bank get hacked.

 

[RoseRodent]

Can anyone clarify for me the position with stock apps on non-rooted phones? I have an app I don't want and don't use on my phone and have never agreed to any permissions. I got fed up with it constantly coming up saying I had an update available that I thought what the hey, I'll just install the update and be done with it, it's a small update. So then it comes up with a monster list of permissions, 50% of which are not at all necessary to the function of the app (GPS location requested for a sound recording app). I say no to the update, but it makes me wonder if since the app is already there on my phone from stock did I somehow agree to give this app all those permissions anway as part of the Google Terms of Service? I didn't spot it in there, but I didn't read every single word. Will an app provided with a new phone that you didn't ask for have all the permissions set as accepted anyway? Cheers.

 

[Chiragi Vyas]

nice info..useful made me aware of the threats that can harm my phone..; good work..keep updating...

 

[tomboy257]

Okay I'm a newbie....When I download or update an app and go to permissions and it gives an explanation of the permission then at the botttom it has "ok'. Does that mean I automatically give it permission when I download the app or must i ckick it to give or revoke permission?

 

[alostpacket]

Okay I'm a newbie....When I download or update an app and go to permissions and it gives an explanation of the permission then at the botttom it has "ok'. Does that mean I automatically give it permission when I download the app or must i ckick it to give or revoke permission?

When you download and install is when you agree to the permissions. Once installed, apps generally* do not need to re-request permissions


*only a very few (one, I think) related to your Google Account gets re-requested on first use.

 

[tomboy257]

Thanks...I've read your description of the various permissions and also wonder if some of them aren't kinda leagal ways of saying " we warned you this might happen" should you get a infection or hacked?

 

[Roze]

Can anyone clarify for me the position with stock apps on non-rooted phones? I have an app I don't want and don't use on my phone and have never agreed to any permissions. I got fed up with it constantly coming up saying I had an update available that I thought what the hey, I'll just install the update and be done with it, it's a small update. So then it comes up with a monster list of permissions, 50% of which are not at all necessary to the function of the app (GPS location requested for a sound recording app). I say no to the update, but it makes me wonder if since the app is already there on my phone from stock did I somehow agree to give this app all those permissions anway as part of the Google Terms of Service? I didn't spot it in there, but I didn't read every single word. Will an app provided with a new phone that you didn't ask for have all the permissions set as accepted anyway? Cheers.

What stock apps are you referring to? Any app that is installed on your phone, have already been granted permissions. It's a condition for being installed. Sucks when you don't want the app but there's nothing you can do unless you root your phone to uninstall those stock apps. What phone do you have? Vanilla Android is pretty bare bone when it comes to pre-installed apps. As you mentioned a recorder app, I would say that it's an OEM's UI overlay (Sense, TouchWiz, MotoBlurr etc).

Thanks...I've read your description of the various permissions and also wonder if some of them aren't kinda leagal ways of saying " we warned you this might happen" should you get a infection or hacked?

Unless it's a stock app, all apps that you install, do so with caution and good judgement. If you don't trust a permission that an app need, then don't install it. Contact the developer to get more information on why those permissions are needed. Is the developer's response sufficient for you? If not, go look elsewhere. There are tones of similar apps with just as good reviews out there. As an Android user, you're given full control and discretion of what gets installed on your phone. In the end, you are responsible for your own action and what you installed.

 

[alostpacket]

Thanks...I've read your description of the various permissions and also wonder if some of them aren't kinda leagal ways of saying " we warned you this might happen" should you get a infection or hacked?

I've never gotten that impression from permissions, and to be honest I'm a bit surprised to even hear it. Though I see what you're saying. Think about it this way though:

Everything is about context.

These are safeguards put in place to help you decide what to download. Only you can protect yourself. In all things, not just software.

The Internet doesn't have these safeguards. The postal mail in the US doesnt have permissions preventing scam artists from sending you a letter. Your phone company doesnt stop fake phishing calls.

The Android Market is a bit chaotic and wild - but that's part of what makes it great. But if users are going to ignore that an app called "Super Happy Fun Bikini Dance Game" wants a dozen permissions, then what can anyone do?

Additionally, this type of "permission" system is relatively new. But it's a big step in the right direction.

Windows and OSX didn't traditionally have permissions. Even now, neither system does anything but protect system files. iOS has a permission system but from what I know of it, it's a bit more limiting.

Living in an increasingly digital world means users HAVE to learn a little bit about how to protect themselves. In the same way we all learn not to open those scam postal letters that promise we won $1 million if we just deposit $100.

Also with regards to legal disclaimers:

Pretty much every piece of software you can buy for any platform ever comes with a legal disclaimer that they are not responsible for certain things. My own apps even have this.

Hopefully that makes sense. This is all also why I believe strongly about educating users on what it all means. There are some apps out there that claim to remove viruses or block permissions, but they are just tools, and often give a false sense of security. But ultimately, these tools work better with an educated user wielding them.

 

[autopilot1]

I have found the whole thread very informative, but what I cannot understand is why the android market does not let us search by permissions. I spend ages looking for an app that has permissions which I find acceptable. At the moment I am looking for a barcode scanner that does not give away nearly every detail on my phone.

At the moment I can restrict my search on the market by apps, books, movies, all prices, free, paid, safe search, popularity and relevance. Why don't they also add a list of permissions, that I could choose via radio buttons, of permissions that I won't accept?

This could work to a developers advantage where they omit some of the permissions on paid apps. People would probably pay

 

[Roze]

I have found the whole thread very informative, but what I cannot understand is why the android market does not let us search by permissions. I spend ages looking for an app that has permissions which I find acceptable. At the moment I am looking for a barcode scanner that does not give away nearly every detail on my phone.

At the moment I can restrict my search on the market by apps, books, movies, all prices, free, paid, safe search, popularity and relevance. Why don't they also add a list of permissions, that I could choose via radio buttons, of permissions that I won't accept?

This could work to a developers advantage where they omit some of the permissions on paid apps. People would probably pay