
Android permissions explained, security tips, and avoiding malware

This is a good post. With my first Android (eris) and smartphone even, I was wondering about this stuff this weekend.
One question I had that is not answered in here is how the list of permissions for an app is generated? Does the developer go down a checklist ticking off boxes (which leaves room for a lot of lying) or is it generated automatically so we know it's accurate?


This is a great post. Please sticky.
 
I'm not 100% sure actually whether the app declares what it needs or the market checks automatically. What I do know, however, is that an app won't get any permissions unless they are listed on that screen. In other words an app might request permissions it doesn't use but it will never get to use permissions unless the user agrees to them before downloading. So in essence it's a bit of a moot point, but I will look up the process and update the thread with what I find.


 
Just so I am clear, what you are saying is that if the permissions are not requested on that screen, then the app can't get the info? It is impossible for an app to pull my contacts' info or my google account info if it's not requested at time of install?
That is good to know.

Thanks again for this!
 
So I checked and the Dev needs to declare what permissions he needs in a permissions manifest file. However, what I found was, as I said, no app gets permission by default. Therefore the permissions you agree to are what you get.
 
Just so I am clear, what you are saying is that if the permissions are not requested on that screen, then the app can't get the info? It is impossible for an app to pull my contacts' info or my google account info if it's not requested at time of install?
That is good to know.

Thanks again for this!


correct
 
How about locking down google checkout, how can you do this, it seems anyone can pick my phone up and buy stuff on the marketplace which means I'm a bit buggered if someone steals my phone.
 
How about locking down google checkout, how can you do this, it seems anyone can pick my phone up and buy stuff on the marketplace which means I'm a bit buggered if someone steals my phone.


You should use the pattern lock or an app like wave secure. Getting your phone stolen is not really related to app security though.
 
It will run down your battery, yes, but you would notice that. It's OK in the sense that you could uninstall any app you don't want keeping your phone awake and it won't harm your phone anymore. Also it has very legitimate uses for, say, a music app or nighttime alarm clock type app.

All in all it's mostly a harmless permission and (while not impossible) I can't imagine it ever being used to harm someone's phone.


 
Great post, after reading it confirmed my suspicion that someone was trying to phish my account. A few days ago I started receiving emails from Windows Live stating that I requested a password change and it gave me a link to confirm and proceed with the change; the problem is I never requested such a change. I sent an email thru the link to notify them of this and I got no response, I just kept receiving the same email from Windows Live. I decided the safest thing to do was ignore these emails and leave my password info unchanged. I would appreciate any info anyone has about what steps, if any, I should take from this point. Also, I want to purchase apps from the market but I'm skeptical to use my debit card being that it's a direct link to my bank account. I do not have a CC so my only way of making online purchases is with my debit. Is it safe to use a debit card? Any help is greatly appreciated, thanks
 
I would check with your bank about what kind of safeguards they have for you on your debit card. If not, it's always good to have a credit card with a nice low limit for internet stuff. Almost all credit cards allow you to do what's called a "chargeback" where you can cancel any fraudulent charges if you report it within a few days. But, and I can't stress this enough, check with your specific bank or credit card issuer about their policies. If you don't understand the fine print, give them a call on the phone and make them explain it to you. Another good idea is to set up spending alerts with your bank. When my debit is used for a purchase of $200 or more I get an email (or SMS) within an hour from my bank letting me know.

As for purchasing apps on the market I think it's reasonably safe since it's mostly handled by Google Checkout. However nothing is guaranteed, especially on the internet. Google Checkout is probably about as safe as PayPal, which is reasonably good but not perfect.
 
Cool, thanks for the quick response and the great advice, I think I'm going to open a separate checking account just for online purchasing. As for the phishing problem, does this sound like an avenue that hackers use to get your info, by having you change your password because they don't know it but when you change thru their link they now would know what you changed it to?
 
I wouldn't open a separate checking account, just talk to your bank and find out what protections you have in place. One of the differences with debit and credit cards is that credit cards almost always have the chargeback protection, while debit (checking) cards do not often have it. Sometimes debit cards do have the same protection though, it really varies from what I have heard. So check with your bank. :)

As for the phishing, yes, that's a possible scam to get your email address, or it could even be someone accidentally entering your email address to try and change their password. Either way, you are correct in that the safe thing is to ignore the emails.
 
Really well done. Good organization & overall tone -- reasonable, encouraging of common sense, ...

Been looking for permissions rosetta stone, and your write-up is a great step forward.

Uh oh, what's wrong with WordPress blogs? I believe I've found helpful info in this format too, but there may be something I'm overlooking.

I might consider adding, if it's not clear from Market description and web site, e-mail dev.

Thanks very much.
 
Heh actually word press is fantastic software, I use it myself. :)

But a sparse blog as a developer website is indicative of a lack of caring.
 
After you have downloaded an app, go into the market and press menu > downloads. You should see five empty stars at the top which you can tap to rate the app. Once you have rated the app you should see an option to add a comment under the stars.
 
After you have downloaded an app, go into the market and press menu > downloads. You should see five empty stars at the top which you can tap to rate the app. Once you have rated the app you should see an option to add a comment under the stars.
Thanks! :D
 
Alostpacket, great post. I was wondering about a couple things. First, is it possible to see the permissions of a given application AFTER it has been installed? Second, is it possible to change those permissions? Thx.
 
This should be stickied, or better yet, a wiki so that people can update it freely.

Another interesting permission that should be mentioned is "read phone state and identity" (required, for example, by the Speedtest.net application). This sounds like the app can read your phone number or IMEI. Some say the permission is not that important, while other reports indicate that your IMEI can indeed be read - Locale leaks your IMEI, and the most likely permissions required by Locale to do that are "read phone state and identity" and "modify global system settings".
 
Alostpacket, great post. I was wondering about a couple things. First, is it possible to see the permissions of a given application AFTER it has been installed? Second, is it possible to change those permissions? Thx.

Both good questions. To see the permission given to an application after installation, go to the market, press menu, downloads, then select the app, press menu again, then press security.

It is not possible to change those permission after installation though.
 
This should be stickied, or better yet, a wiki so that people can update it freely.

Another interesting permission that should be mentioned is "read phone state and identity" (required, for example, by the Speedtest.net application). This sounds like the app can read your phone number or IMEI. Some say the permission is not that important, while other reports indicate that your IMEI can indeed be read - Locale leaks your IMEI, and the most likely permissions required by Locale to do that are "read phone state and identity" and "modify global system settings".

Thanks for the tip, will check this out this weekend. If anyone wants to make a wiki too they are free to copy as much of this guide as they wish. :)
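
The thread notes that a developer declares permissions in the app's manifest file and singles out a few as worth a second look ("read phone state and identity", "modify global system settings", keeping the phone awake). As an added example, not part of any post above, this sketch lists what a manifest declares and flags those permissions. It assumes a manifest already decoded to plain-text XML; the package name, sample manifest and the note wording (other than the two labels quoted in the thread) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions raised in the thread, with a short reviewer note (wording is ours).
REVIEW_NOTES = {
    "android.permission.READ_PHONE_STATE": "read phone state and identity (phone number, IMEI)",
    "android.permission.WRITE_SETTINGS": "modify global system settings",
    "android.permission.READ_CONTACTS": "read contact data",
    "android.permission.GET_ACCOUNTS": "list accounts on the device",
    "android.permission.WAKE_LOCK": "keep the phone awake (battery drain)",
}

# Constructed sample: a hypothetical app, with a duplicate and a malformed entry.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.speedcheck">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission />
    <application android:label="Speed Check" />
</manifest>
""".strip()


def declared_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # <uses-permission> elements are direct children of <manifest>.
    for element in root.findall("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:  # skip malformed entries that carry no android:name
            names.add(name.strip())
    return sorted(names)


def review(manifest_xml):
    """Return (permission, note) pairs for declared permissions worth a closer look."""
    return [(p, REVIEW_NOTES[p]) for p in declared_permissions(manifest_xml)
            if p in REVIEW_NOTES]


if __name__ == "__main__":
    for permission in declared_permissions(SAMPLE_MANIFEST):
        print("declared:", permission)
    for permission, note in review(SAMPLE_MANIFEST):
        print("review:  ", permission, "->", note)
```

The manifest packed inside an APK is in a binary XML encoding, so it has to be decoded to text before a parser like this can read it.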
 