I've noticed a troubling issue with app permissions. It seems that after installing, some apps that didn't ask for these two permissions:
Storage: modify/delete SD card contents
Phone calls: read phone state and identity
... will magically acquire them after install! These apps do NOT ask for these permissions during install, nor do their Market pages disclose that they need them. After looking through MANY logcat messages during an install, I found this:
04-07 03:23:08.973,I,PackageParser,1016,com.some.app.name.here: compat added android.permission.WRITE_EXTERNAL_STORAGE android.permission.READ_PHONE_STATE
Digging around, I found this online:
Android permissions: Phone Calls: read phone state and identity - Stack Overflow
It seems that an app that is compatible with systems earlier than 1.6
will automatically be assigned those two permissions. If a developer
is willing to make their app compatible only with 1.6+ systems, they
can change their app's manifest:
<uses-sdk android:minSdkVersion="4" android:targetSdkVersion="4" />
... and when users on 1.6+ devices install the app, those two extra permissions won't show up.
I bet a lot of app developers don't know this, and therefore their apps will seems to acquire those two permissions magically. Users will install those apps, see the two extra permissions when they inspect the app security setting and be very puzzled.
They'll probably think the app is malware and uninstall it.
I've contacted some app developer about this issue, so that they can (hopefully) fix their app so it doesn't look like malware.
Unfortunately, until all legit apps are fixed, it'll be hard to distinguish amongst apps that have those permissions, which app actually needs those permissions, which apps need fixing, and which apps are malware.
Tom
Storage: modify/delete SD card contents
Phone calls: read phone state and identity
... will magically acquire them after install! These apps do NOT ask for these permissions during install, nor do their Market pages disclose that they need them. After looking through MANY logcat messages during an install, I found this:
04-07 03:23:08.973,I,PackageParser,1016,com.some.app.name.here: compat added android.permission.WRITE_EXTERNAL_STORAGE android.permission.READ_PHONE_STATE
Digging around, I found this online:
Android permissions: Phone Calls: read phone state and identity - Stack Overflow
It seems that an app that is compatible with systems earlier than 1.6
will automatically be assigned those two permissions. If a developer
is willing to make their app compatible only with 1.6+ systems, they
can change their app's manifest:
<uses-sdk android:minSdkVersion="4" android:targetSdkVersion="4" />
... and when users on 1.6+ devices install the app, those two extra permissions won't show up.
I bet a lot of app developers don't know this, and therefore their apps will seems to acquire those two permissions magically. Users will install those apps, see the two extra permissions when they inspect the app security setting and be very puzzled.
They'll probably think the app is malware and uninstall it.
I've contacted some app developer about this issue, so that they can (hopefully) fix their app so it doesn't look like malware.
Unfortunately, until all legit apps are fixed, it'll be hard to distinguish amongst apps that have those permissions, which app actually needs those permissions, which apps need fixing, and which apps are malware.
Tom
