
READ SYSTEM LOG FILES and other dodgy permissions

I discovered today both Last.fm and Slacker Radio have "read system log files" in the permission set. This is listed as a dangerous permission yet both companies say oh no, we're harmlessly debugging, it's no biggie. I thought Android had debugging features to avoid using the heavy low level permissions. Is this necessary?

Also I'd like to know, has anyone compiled a good list of the most dangerous permissions and maybe some explanation of why they might not be necessary when the dev says they are?

Thanks!

EDIT: I found the system log files entry in the FAQ, it didn't come up in my original keyword search. If this is the same thing:
Development Tools read logs
This permission is of very high importance. This allows the application to read what any other applications have written as debugging/logging code. This can reveal some very sensitive information. There are almost no reasons an application needs this permission. The only apps I might grant this permission to would be Google apps.

Again still leaves me wanting to know why the devs are excusing this as okey-dokey if it's this much of a violation..
 
The problem is they can read another app's logs, not just their own.

Unfortunately also, there are a lot of apps out there that put info into the logs that you would regard private.

For example, A LOT of popular apps put geo-location stuff like your current longitude and latitude in the logs. Any app with this permission can track your location easily.

Even the Android system itself "leaks" data it shouldn't.

If you really want to see the in-depth of what can be done, check out the Lookout Mobile presentation video from DefCon last fall:

Here's the link: DefCon 18 - These Aren't the Permissions You're Looking For on Vimeo (may require you to log in/download)

You can probably find it on YouTube also.


Here's my post for developers and what they should be doing: Lost Packet Software

If Pandora and Last.fm are saying they are just debugging they probably are (they are very popular apps with reputations to uphold), but they are wrong to push that permission on to a user.

If the software is so unstable as to need to be debugged in live production environments then it should never have been released. Those devs have a lot of hubris. I'm sure they are very skilled, hard-working devs, but in this instance adding that permission is laziness on their part and nothing more.
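
The geo-location leak described in the reply above can be checked for in a log capture from your own device or app build. The following is an added example, not code from either poster: a Python audit that scans logcat output in `threadtime` format for latitude/longitude pairs and reports which log tag wrote them. The sample lines, tag names and the coordinate heuristic are constructed for illustration.

```python
import re
from collections import Counter, namedtuple

Leak = namedtuple("Leak", "tag pid lat lon")

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID L Tag: message"
LINE_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+(\d+)\s+\d+\s+[VDIWEF]\s+(.+?)\s*: (.*)$"
)
# Heuristic (assumption): two decimals with >= 4 fractional digits close together.
PAIR_RE = re.compile(r"(?<![\d.])(-?\d{1,3}\.\d{4,})[^\d-]{1,12}(-?\d{1,3}\.\d{4,})")

# Constructed sample capture, not taken from any real app.
SAMPLE_LOG = """\
03-14 09:26:53.101  1423  1440 D WeatherWidget: refresh lat=37.421998, lon=-122.084000 acc=12.0
03-14 09:26:53.250  1423  1440 I WeatherWidget: fetched forecast in 412 ms
03-14 09:26:54.007  2210  2210 D RadioPlayer: buffering track id=88213 ratio=0.7312
03-14 09:26:55.630   812   990 V LocationCache: fix 51.507351,-0.127758 provider=network
03-14 09:26:56.002  2210  2231 W RadioPlayer: retry 2 after 1.5000 s
"""

def find_coordinate_leaks(log_text):
    """Return a Leak for every log message that contains a plausible lat/lon pair."""
    leaks = []
    for line in log_text.splitlines():
        parsed = LINE_RE.match(line)
        if not parsed:
            continue  # not a threadtime line (e.g. "--------- beginning of main")
        pid, tag, message = parsed.groups()
        for pair in PAIR_RE.finditer(message):
            lat, lon = float(pair.group(1)), float(pair.group(2))
            # Range check drops most unrelated number pairs.
            if -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0:
                leaks.append(Leak(tag, int(pid), lat, lon))
    return leaks

def leaks_by_tag(log_text):
    """Count leaking messages per log tag so the worst offenders stand out."""
    return dict(Counter(leak.tag for leak in find_coordinate_leaks(log_text)))

if __name__ == "__main__":
    for leak in find_coordinate_leaks(SAMPLE_LOG):
        print(f"{leak.tag} (pid {leak.pid}) logged {leak.lat}, {leak.lon}")
```

Run it over a saved capture of your own build to find the tags that need their location logging removed or redacted before release; the pattern is a heuristic and will miss coordinates logged in other formats.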
 