-
After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.
Android permissions explained, security tips, and avoiding malware
- Thread starter alostpacket
- Start date
christianrene
Lurker
Great post you got here! Concise and very informative. I've learned quite some tips and tricks on how to better protect my Android unit. This should certainly be stickied!
alostpacket
Over Macho Grande?
Oivey! Now I need to start updating for Android 4.2! 
Artine
Android Expert
This is a fantastic read, thank you for all of the time and effort put into it! Just one question....
Is this still the case, since the Play Store's been updated so that only the altered data for an update is downloaded, as opposed to the entire app all over again?
alostpacket said:
Is this still the case, since the Play Store's been updated so that only the altered data for an update is downloaded, as opposed to the entire app all over again?
alostpacket
Over Macho Grande?
Yes, this is still true -- the partial download thing is more about saving bandwidth than anything. Permission changes do still require a manual update though.
Good question though
Ted Roo
Newbie
I was going to install OS Monitor, but I chickened out when I saw the permissions:
Is there a way to block the internet access for one app?
I'm not saying the program is malware, but those permissions to my understanding would certainly allow it to be malware.
Android n00b and not used a firewall on a phone yet. Would that be a viable solution to my fear of this app and others, by not allowing network access for this app?
TIA!
https://play.google.com/store/apps/...wsMSwxLDEwOSwiY29tLmVvbHdyYWwub3Ntb25pdG9yIl0.
I just read droidwall can block by program, so I'm going to try that.
I'm interested in monitoring CPU mostly, and mostly out of curiosity.
Is there a way to block the internet access for one app?
I'm not saying the program is malware, but those permissions to my understanding would certainly allow it to be malware.
Android n00b and not used a firewall on a phone yet. Would that be a viable solution to my fear of this app and others, by not allowing network access for this app?
TIA!
https://play.google.com/store/apps/...wsMSwxLDEwOSwiY29tLmVvbHdyYWwub3Ntb25pdG9yIl0.
I just read droidwall can block by program, so I'm going to try that.
alostpacket
Over Macho Grande?
I was just going to suggest DroidWall -- it does require root though.
PodgePapin
Lurker
Hi everyone, like the guide. A quick question i was wondering about, if an app is NOT running but is installed can it still use the permissions?
Example, if you have an app which needs camera permissions like a barcode scanner could it still access the camera even though its not running.
Example, if you have an app which needs camera permissions like a barcode scanner could it still access the camera even though its not running.
PodgePapin
Lurker
Cheers EarlyMon, thats what i expected but wanted to check.
alostpacket
Over Macho Grande?
Not to upstage the illustrious Early the Pearly, who is correct, I would say the more nuanced answer is that yes, apps *kinda* do have permissions when not in use.
I say this because apps can be "woken up" at almost any time and the user does not necessarily know when an app is running or not. Oftentimes also, apps will appear to be running when they are not, and the OS doesn't really show this too well to the user.
So while it's true that apps dont really have permissions while not running, they have a dozen or more ways to be "woken up" and be running silently in the background. Also, it's important to note that a lot of apps are held in a sort of "stand-by" mode where they aren't really using memory or CPU, but they are listening for events or have "background-timers" running.
One good thing though: when you install an app it cannot wake itself up and has no permissions until it is run for the first time.
I say this because apps can be "woken up" at almost any time and the user does not necessarily know when an app is running or not. Oftentimes also, apps will appear to be running when they are not, and the OS doesn't really show this too well to the user.
So while it's true that apps dont really have permissions while not running, they have a dozen or more ways to be "woken up" and be running silently in the background. Also, it's important to note that a lot of apps are held in a sort of "stand-by" mode where they aren't really using memory or CPU, but they are listening for events or have "background-timers" running.
One good thing though: when you install an app it cannot wake itself up and has no permissions until it is run for the first time.
androidnewbie5
Newbie
I have a related question. I'm using a rooted phone (with a custom arq51 rom). Concerned about spying malware I have the "Avast Mobile Security" app installed, less for its virus protection than for the granular firewall that it has. With this firewall I block internet or outside data access to all programs I do not think need to have it to work (games and the like). For similar privacy reasons I do not sync any app with the cloud.
My questions, because I am not knowledgeable in Linux or Android, are:
1. Even though the firewall blocks access to the internet or the phone network, can apps still send out data through some other hidden mechanism in Android?
2. Of course I cannot use that type of firewall for apps like browsers, email, text, etc. How does one prevent these apps from sending out data to somewhere I did not authorize?
I do not get ads in my notification bar but anyway ran Ad detector and its scan found nothing bad. But, another similar app found several of my phone apps apparently use admob (which I have turned off in the Google Play options). Is there a simple way to block admob access (and similar spy networks) to apps other than Google Play without running still another blocking app?
I am currently not getting ads, but am concerned about data going out without my knowing it because I know of no way to tell what is going out in android.
Thanks.
My questions, because I am not knowledgeable in Linux or Android, are:
1. Even though the firewall blocks access to the internet or the phone network, can apps still send out data through some other hidden mechanism in Android?
2. Of course I cannot use that type of firewall for apps like browsers, email, text, etc. How does one prevent these apps from sending out data to somewhere I did not authorize?
I do not get ads in my notification bar but anyway ran Ad detector and its scan found nothing bad. But, another similar app found several of my phone apps apparently use admob (which I have turned off in the Google Play options). Is there a simple way to block admob access (and similar spy networks) to apps other than Google Play without running still another blocking app?
I am currently not getting ads, but am concerned about data going out without my knowing it because I know of no way to tell what is going out in android.
Thanks.
alostpacket
Over Macho Grande?
Will try and answer as best I can:
1) I don't know the abilities of your firewall, however, most apps can POST data to the web without the INTERNET permission. It would do this using something called an Intent. But this would cause the browser to pop open. It would be pretty obvious if an app was doing this.
An easy way to be extra (extremely?) careful would be to install more than one browser and every call would ask you which browser to use (for all browser web requests, even legit ones).
But this is pretty unlikely to be a problem. However, having the popup about which browser to use will give you fine grained control (if that is what you seek).
2) Admob is not a spy network, it's Google's mobile advertising division. What you turned off is the tracking and targeting that Admob uses to customize ads to you. However, you will still get ads (unless blocked by your firewall). Google allows you to opt-out of tracking, not advertising.
hope that helps
1) I don't know the abilities of your firewall, however, most apps can POST data to the web without the INTERNET permission. It would do this using something called an Intent. But this would cause the browser to pop open. It would be pretty obvious if an app was doing this.
An easy way to be extra (extremely?) careful would be to install more than one browser and every call would ask you which browser to use (for all browser web requests, even legit ones).
But this is pretty unlikely to be a problem. However, having the popup about which browser to use will give you fine grained control (if that is what you seek).
2) Admob is not a spy network, it's Google's mobile advertising division. What you turned off is the tracking and targeting that Admob uses to customize ads to you. However, you will still get ads (unless blocked by your firewall). Google allows you to opt-out of tracking, not advertising.
hope that helps
androidnewbie5
Newbie
Thank you very much for the quick and excellent reply. This thread (and you) are just great.
I do have 2 browsers installed in addition to the standard one and have not had unexpected popups. I am probably too careful about privacy but not familiar with android I hate not knowing what is perhaps happening without my having any clue.
About the browsers, I've read that they do "call home". Boat browser is said to send data to 友盟-专业的移动开发者服务平台 | 移动应用统计 | Android统计 | iPhone统计 | WindowsPhone统计. Dolphin records everything and sends it out, etc. Not that I am doing anything secret but that kind of stuff should not be allowed without explicit permission.
I hear your advice about reading the permissions every time one updates an app, but apps are now updated so often that it takes a better man than me to really do that every time.......!
Thanks for this thread.
I do have 2 browsers installed in addition to the standard one and have not had unexpected popups. I am probably too careful about privacy but not familiar with android I hate not knowing what is perhaps happening without my having any clue.
About the browsers, I've read that they do "call home". Boat browser is said to send data to 友盟-专业的移动开发者服务平台 | 移动应用统计 | Android统计 | iPhone统计 | WindowsPhone统计. Dolphin records everything and sends it out, etc. Not that I am doing anything secret but that kind of stuff should not be allowed without explicit permission.
I hear your advice about reading the permissions every time one updates an app, but apps are now updated so often that it takes a better man than me to really do that every time.......!
Thanks for this thread.
Metroid Prime
Oil Can!!! Oil Can!!!
If I recall there's a feature you can disable in Dolphin so it doesn't send out anonymous data. I believe in Settings or Privacy.
May I ask where you heard that?
androidnewbie5
Newbie
A couple of months ago on several security threads similar to this one. Unfortunately I did not keep the urls. I expect a Google search would probably find several references.
androidnewbie5
Newbie
Here are some:
Security Flaw Found in Dolphin Browser for Android - eSecurity Planet
Dolphin HD browser snared in security breach | Privacy Inc. - CNET News
etc.
presumably fixed in later version, but perhaps unfixed later or sent to somewhere other than en.mywebzines.com.
Metroid prime wrote:
Installed dolphin to check and in its help/privacy is a long text few would read which in summary says if you don't agree with our policy please don't download it. So I un installed it.
Security Flaw Found in Dolphin Browser for Android - eSecurity Planet
Dolphin HD browser snared in security breach | Privacy Inc. - CNET News
etc.
presumably fixed in later version, but perhaps unfixed later or sent to somewhere other than en.mywebzines.com.
I'm no security expert and I am sure Dolphin is not the only browser or app that mines data. So this is only worth what it is worth. Your mileage may vary.
Metroid prime wrote:
Could not find that option.
Installed dolphin to check and in its help/privacy is a long text few would read which in summary says if you don't agree with our policy please don't download it. So I un installed it.
JavDev Games
Lurker
Thanks, great info!
orion88
Newbie
Great guide. I have some questions about three (sets of) permissions:
- the ones that deal with "take photos" activities: Does such app get permissions to use both back (main) and front camera (thus potential malware could spy on you via front cam as well)?
- permissions pertaining to accessing bookmarks & history: Do they relate to the "default"/"stock" browser only, or to any and all browsers installed on the system?
- permissions pertaining to accessing SD card / external storage: On my Note II, the internal partition for user files is also called "SDcard". So, do these permissions mean both actual "physically external" SD storage as well as internal partition that is "nicknamed" SD card?
- the ones that deal with "take photos" activities: Does such app get permissions to use both back (main) and front camera (thus potential malware could spy on you via front cam as well)?
- permissions pertaining to accessing bookmarks & history: Do they relate to the "default"/"stock" browser only, or to any and all browsers installed on the system?
- permissions pertaining to accessing SD card / external storage: On my Note II, the internal partition for user files is also called "SDcard". So, do these permissions mean both actual "physically external" SD storage as well as internal partition that is "nicknamed" SD card?
alostpacket
Over Macho Grande?
Yes.
I think generally this is correct, stock browser only.
However it depends on how the browser is coded. It is possible a browser could re-use this permission or use a custom permission like:
Code:
org.mozilla.firefox.ACCESS_BOOKMARKSChrome: Not possible for a third party app to get bookmarks/etc. (w/o root) (source)
Firefox: I don't *think* third party apps have access to bookmarks, but I'm not 100% sure.
Other browsers: You would have to look at the application's manifest file and see what permissions it exports. I think there is an app called "manifest explorer" out there. (You also, I think, can see this info in PocketPermissions, my app. It should list all permissions, even the ones it does not recognize)
Correct, the permission allows access to both actual SDcard storage, and internal USER storage, just not protected (SYSTEM) storage.
They are considered the same from a privacy/security standpoint.
orion88
Newbie
Regarding the storage access: By protected/"system" storage do you mean just what's mounted under /system, or any other non-user storage (i.e. everything but the "SD cards")?
Suppose I save some sensitive "Office" document on a non-user partition -- no app without root access will be able to read it? I presume this also means I wouldn't be able to browse+open it directly from there via a corresponding "Office" app? (I guess this is something I have to try; because with ES File Explorer I can browse into such folder (I have root), but I think ES can also "send" the file to any app that handles the file-type if I want to.)
Also, I've noticed that some security tools/apps display whatever permissions apps "want to have" (read from manifest or something?), whereas others display what's in fact enabled (I was able to see the difference because of disabling certain permissions with Permissions Denied app)...
Suppose I save some sensitive "Office" document on a non-user partition -- no app without root access will be able to read it? I presume this also means I wouldn't be able to browse+open it directly from there via a corresponding "Office" app? (I guess this is something I have to try; because with ES File Explorer I can browse into such folder (I have root), but I think ES can also "send" the file to any app that handles the file-type if I want to.)
Also, I've noticed that some security tools/apps display whatever permissions apps "want to have" (read from manifest or something?), whereas others display what's in fact enabled (I was able to see the difference because of disabling certain permissions with Permissions Denied app)...
alostpacket
Over Macho Grande?
I think the folders are /system and /data but I am not 100% sure.
The important thing to remember is that folder names are different from device to device. But all devices guarantee that apps have access to private storage for only that app, and there is, of course, protected system storage.
Without getting to into detail, each app runs in it its own user process. So the apps each have a folder that is private to them not visible to the user, and not visible to the other apps. (This is /data/data i think). You will sometimes see these folders with adb or a file explorer, and if you have root, a root user can access any app folder.
The rest, and in general, the storage is 'user' or 'unprotected'. This may change in the future. But, by default all apps can read most storage, with the exceptions noted above. The reason your internal storage was named "sdcard" was for backwards compatibility, as some old apps hard-coded the path to files.
Regarding permissions:
There are several ways of describing a permission so maybe it is helpful to put them here.
Android permissions
These are permissions the system uses to grant access to resources and functionality. They are what usually comes to mind when someone thinks 'permissions'. Apps request these in their manifest file. This is read by the Google Play market and show to the user at install time.
Custom permissions
Permissions defined by an app. These are permissions an app uses to protect its own resources from other apps, and to grant limited functionality or resources based on the permissions. For example: I may write an app that helps users download RSS feeds. And I want my app to work with other apps and notification widgets. I could provided a way that other apps request a permission from my app to get the number of new RSS stories in my app's feed, but not all the RSS.
When an app is installed, the system takes note of what was requested (and thus agreed to by the user). When the permission is used, (say an app tries to connect to the internet), the system will either grant access, or throw a security exception This can crash an app unless the developer planned to be denied.
(To be continued: I need to get back to coding but will write more if I can later today )
The important thing to remember is that folder names are different from device to device. But all devices guarantee that apps have access to private storage for only that app, and there is, of course, protected system storage.
Without getting to into detail, each app runs in it its own user process. So the apps each have a folder that is private to them not visible to the user, and not visible to the other apps. (This is /data/data i think). You will sometimes see these folders with adb or a file explorer, and if you have root, a root user can access any app folder.
The rest, and in general, the storage is 'user' or 'unprotected'. This may change in the future. But, by default all apps can read most storage, with the exceptions noted above. The reason your internal storage was named "sdcard" was for backwards compatibility, as some old apps hard-coded the path to files.
Regarding permissions:
There are several ways of describing a permission so maybe it is helpful to put them here.
Android permissions
These are permissions the system uses to grant access to resources and functionality. They are what usually comes to mind when someone thinks 'permissions'. Apps request these in their manifest file. This is read by the Google Play market and show to the user at install time.
Custom permissions
Permissions defined by an app. These are permissions an app uses to protect its own resources from other apps, and to grant limited functionality or resources based on the permissions. For example: I may write an app that helps users download RSS feeds. And I want my app to work with other apps and notification widgets. I could provided a way that other apps request a permission from my app to get the number of new RSS stories in my app's feed, but not all the RSS.
Code:
com.example.GET_UNREAD_RSS_COUNT(To be continued: I need to get back to coding but will write more if I can later today )