Android permissions explained, security tips, and avoiding malware

[Elwood42]

Can anyone tell me what this new permission does?

• Phone callsread phone state and identity
  Allows the app to access the phone features of the device. An app with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.

• 
  

Seemingly, it can gather all phone numbers from a call while the app is running/installed? Should this be on any application, especially something as innocuous as the kindle app?

 

[christianrene]

Great post you got here! Concise and very informative. I've learned quite some tips and tricks on how to better protect my Android unit. This should certainly be stickied!

 

[alostpacket]

Oivey! Now I need to start updating for Android 4.2!

 

[maraetai]

Thanks, I am still on a big learning curve and this thread has been very useful!

 

[Artine]

This is a fantastic read, thank you for all of the time and effort put into it! Just one question....

Updating applications is the same as installing them fresh

Each time you update an application on your phone, you should use thesame diligence as if you were installing it for the first time. Rereadthe permissions to see that it is only asking for what it needs and nomore. Reread the comments to see if anything has changed in the opinionsof the users and to see if it still works for your phone. If you seethat an application says Update (manual) next to it, that means thedeveloper has changed the permissions that they are requesting. This isnot necessarily a bad thing -- but it should indicate that you shouldpay a bit closer attention to the permissions and re-evaluate them asneeded.

Is this still the case, since the Play Store's been updated so that only the altered data for an update is downloaded, as opposed to the entire app all over again?

 

[alostpacket]

This is a fantastic read, thank you for all of the time and effort put into it! Just one question....



Is this still the case, since the Play Store's been updated so that only the altered data for an update is downloaded, as opposed to the entire app all over again?

Yes, this is still true -- the partial download thing is more about saving bandwidth than anything. Permission changes do still require a manual update though.

Good question though

 

[Ted Roo]

I was going to install OS Monitor, but I chickened out when I saw the permissions:

• Network communicationfull network access
  Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
• Your personal informationread sensitive log data
  Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the tablet, potentially including personal or private information. Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the phone, potentially including personal or private information.

I'm interested in monitoring CPU mostly, and mostly out of curiosity.

Is there a way to block the internet access for one app?

I'm not saying the program is malware, but those permissions to my understanding would certainly allow it to be malware.

Android n00b and not used a firewall on a phone yet. Would that be a viable solution to my fear of this app and others, by not allowing network access for this app?

TIA!

https://play.google.com/store/apps/...wsMSwxLDEwOSwiY29tLmVvbHdyYWwub3Ntb25pdG9yIl0.

I just read droidwall can block by program, so I'm going to try that.

 

[alostpacket]

I was just going to suggest DroidWall -- it does require root though.

 

[Ted Roo]

If I don't end up working, I'll hopefully get it rooted this weekend

 

[PodgePapin]

Hi everyone, like the guide. A quick question i was wondering about, if an app is NOT running but is installed can it still use the permissions?

Example, if you have an app which needs camera permissions like a barcode scanner could it still access the camera even though its not running.

 

[EarlyMon]

Hi everyone, like the guide. A quick question i was wondering about, if an app is NOT running but is installed can it still use the permissions?

Example, if you have an app which needs camera permissions like a barcode scanner could it still access the camera even though its not running.

Nope.

 

[PodgePapin]

Cheers EarlyMon, thats what i expected but wanted to check.

 

[alostpacket]

Not to upstage the illustrious Early the Pearly, who is correct, I would say the more nuanced answer is that yes, apps *kinda* do have permissions when not in use.

I say this because apps can be "woken up" at almost any time and the user does not necessarily know when an app is running or not. Oftentimes also, apps will appear to be running when they are not, and the OS doesn't really show this too well to the user.

So while it's true that apps dont really have permissions while not running, they have a dozen or more ways to be "woken up" and be running silently in the background. Also, it's important to note that a lot of apps are held in a sort of "stand-by" mode where they aren't really using memory or CPU, but they are listening for events or have "background-timers" running.

One good thing though: when you install an app it cannot wake itself up and has no permissions until it is run for the first time.

 

[androidnewbie5]

I have a related question. I'm using a rooted phone (with a custom arq51 rom). Concerned about spying malware I have the "Avast Mobile Security" app installed, less for its virus protection than for the granular firewall that it has. With this firewall I block internet or outside data access to all programs I do not think need to have it to work (games and the like). For similar privacy reasons I do not sync any app with the cloud.

My questions, because I am not knowledgeable in Linux or Android, are:

1. Even though the firewall blocks access to the internet or the phone network, can apps still send out data through some other hidden mechanism in Android?

2. Of course I cannot use that type of firewall for apps like browsers, email, text, etc. How does one prevent these apps from sending out data to somewhere I did not authorize?

I do not get ads in my notification bar but anyway ran Ad detector and its scan found nothing bad. But, another similar app found several of my phone apps apparently use admob (which I have turned off in the Google Play options). Is there a simple way to block admob access (and similar spy networks) to apps other than Google Play without running still another blocking app?

I am currently not getting ads, but am concerned about data going out without my knowing it because I know of no way to tell what is going out in android.

Thanks.

 

[alostpacket]

Will try and answer as best I can:

1) I don't know the abilities of your firewall, however, most apps can POST data to the web without the INTERNET permission. It would do this using something called an Intent. But this would cause the browser to pop open. It would be pretty obvious if an app was doing this.

An easy way to be extra (extremely?) careful would be to install more than one browser and every call would ask you which browser to use (for all browser web requests, even legit ones).

But this is pretty unlikely to be a problem. However, having the popup about which browser to use will give you fine grained control (if that is what you seek).



2) Admob is not a spy network, it's Google's mobile advertising division. What you turned off is the tracking and targeting that Admob uses to customize ads to you. However, you will still get ads (unless blocked by your firewall). Google allows you to opt-out of tracking, not advertising.

hope that helps

 

[androidnewbie5]

Thank you very much for the quick and excellent reply. This thread (and you) are just great.

I do have 2 browsers installed in addition to the standard one and have not had unexpected popups. I am probably too careful about privacy but not familiar with android I hate not knowing what is perhaps happening without my having any clue.

About the browsers, I've read that they do "call home". Boat browser is said to send data to 友盟-专业的移动开发者服务平台 | 移动应用统计 | Android统计 | iPhone统计 | WindowsPhone统计. Dolphin records everything and sends it out, etc. Not that I am doing anything secret but that kind of stuff should not be allowed without explicit permission.

I hear your advice about reading the permissions every time one updates an app, but apps are now updated so often that it takes a better man than me to really do that every time.......!

Thanks for this thread.

 

[Metroid Prime]

If I recall there's a feature you can disable in Dolphin so it doesn't send out anonymous data. I believe in Settings or Privacy.

 

[EarlyMon]

About the browsers, I've read that they do "call home". Boat browser is said to send data to http://www.umeng.com.

May I ask where you heard that?

 

[androidnewbie5]

A couple of months ago on several security threads similar to this one. Unfortunately I did not keep the urls. I expect a Google search would probably find several references.

 

[androidnewbie5]

Here are some:
Security Flaw Found in Dolphin Browser for Android - eSecurity Planet

Dolphin HD browser snared in security breach | Privacy Inc. - CNET News

etc.

presumably fixed in later version, but perhaps unfixed later or sent to somewhere other than en.mywebzines.com.

Another privacy implication is that MoboTap was also notified which files you're using Dolphin HD to browse even on your computer. A post on AndroidPolice.com suggested one way to fix the problem would be to block connections to the MoboTap-operated Web site, en.mywebzines.com.

I'm no security expert and I am sure Dolphin is not the only browser or app that mines data. So this is only worth what it is worth. Your mileage may vary.

Metroid prime wrote:

If I recall there's a feature you can disable in Dolphin so it doesn't send out anonymous data. I believe in Settings or Privacy.

Could not find that option.

Installed dolphin to check and in its help/privacy is a long text few would read which in summary says if you don't agree with our policy please don't download it. So I un installed it.

 

[JavDev Games]

Thanks, great info!

 

[orion88]

Great guide. I have some questions about three (sets of) permissions:
- the ones that deal with "take photos" activities: Does such app get permissions to use both back (main) and front camera (thus potential malware could spy on you via front cam as well)?
- permissions pertaining to accessing bookmarks & history: Do they relate to the "default"/"stock" browser only, or to any and all browsers installed on the system?
- permissions pertaining to accessing SD card / external storage: On my Note II, the internal partition for user files is also called "SDcard". So, do these permissions mean both actual "physically external" SD storage as well as internal partition that is "nicknamed" SD card?

 

[alostpacket]

..."take photos" activities: Does such app get permissions to use both back (main) and front camera

Yes.

- permissions pertaining to accessing bookmarks & history: Do they relate to the "default"/"stock" browser only, or to any and all browsers installed on the system?

I think generally this is correct, stock browser only.

However it depends on how the browser is coded. It is possible a browser could re-use this permission or use a custom permission like:

org.mozilla.firefox.ACCESS_BOOKMARKS

Chrome: Not possible for a third party app to get bookmarks/etc. (w/o root) (source)

Firefox: I don't *think* third party apps have access to bookmarks, but I'm not 100% sure.

Other browsers: You would have to look at the application's manifest file and see what permissions it exports. I think there is an app called "manifest explorer" out there. (You also, I think, can see this info in PocketPermissions, my app. It should list all permissions, even the ones it does not recognize)

- permissions pertaining to accessing SD card / external storage: On my Note II, the internal partition for user files is also called "SDcard". So, do these permissions mean both actual "physically external" SD storage as well as internal partition that is "nicknamed" SD card?

Correct, the permission allows access to both actual SDcard storage, and internal USER storage, just not protected (SYSTEM) storage.

They are considered the same from a privacy/security standpoint.

 

[orion88]

Regarding the storage access: By protected/"system" storage do you mean just what's mounted under /system, or any other non-user storage (i.e. everything but the "SD cards")?
Suppose I save some sensitive "Office" document on a non-user partition -- no app without root access will be able to read it? I presume this also means I wouldn't be able to browse+open it directly from there via a corresponding "Office" app? (I guess this is something I have to try; because with ES File Explorer I can browse into such folder (I have root), but I think ES can also "send" the file to any app that handles the file-type if I want to.)

Also, I've noticed that some security tools/apps display whatever permissions apps "want to have" (read from manifest or something?), whereas others display what's in fact enabled (I was able to see the difference because of disabling certain permissions with Permissions Denied app)...

 

[alostpacket]

I think the folders are /system and /data but I am not 100% sure.

The important thing to remember is that folder names are different from device to device. But all devices guarantee that apps have access to private storage for only that app, and there is, of course, protected system storage.

Without getting to into detail, each app runs in it its own user process. So the apps each have a folder that is private to them not visible to the user, and not visible to the other apps. (This is /data/data i think). You will sometimes see these folders with adb or a file explorer, and if you have root, a root user can access any app folder.

The rest, and in general, the storage is 'user' or 'unprotected'. This may change in the future. But, by default all apps can read most storage, with the exceptions noted above. The reason your internal storage was named "sdcard" was for backwards compatibility, as some old apps hard-coded the path to files.

Regarding permissions:

There are several ways of describing a permission so maybe it is helpful to put them here.

Android permissions
These are permissions the system uses to grant access to resources and functionality. They are what usually comes to mind when someone thinks 'permissions'. Apps request these in their manifest file. This is read by the Google Play market and show to the user at install time.

Custom permissions
Permissions defined by an app. These are permissions an app uses to protect its own resources from other apps, and to grant limited functionality or resources based on the permissions. For example: I may write an app that helps users download RSS feeds. And I want my app to work with other apps and notification widgets. I could provided a way that other apps request a permission from my app to get the number of new RSS stories in my app's feed, but not all the RSS.

com.example.GET_UNREAD_RSS_COUNT

When an app is installed, the system takes note of what was requested (and thus agreed to by the user). When the permission is used, (say an app tries to connect to the internet), the system will either grant access, or throw a security exception This can crash an app unless the developer planned to be denied.

(To be continued: I need to get back to coding but will write more if I can later today )