New Permission System Could Make Android Much Less Secure 249
capedgirardeau writes: An update to the Google Play store now groups app permissions into collections of related permissions, making them much less fine grained and potentially misleading for users. For example, the SMS permissions group would allow an app access to both reading and sending SMS messages. The problem is that once an app has access to the group of permissions, it can make use of any of the allowed actions at any time without ever informing the user. As Google explains: "It's a good idea to review permissions groups before downloading an app. Once you've allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won't need to manually approve individual permissions updates that belong to a permissions group you've already accepted."
I want silent denial (Score:5, Interesting)
One feature I really want on my cell is the ability to tell the app that I've given it all the permissions it is asking for, but behind the scenes remove that ability from the app. This is especially for apps like games that ask for all permissions, but only really need a few. I should be able to accept the game onto my system and then after adjusting the app's permissions, it would receive garbage contact details, garbage friend details, garbage location data, garbage file listings, messages go to /dev/null, etc.
I'm sure if I root my device I could do something like that, but I just wish something like that was built in. {I kinda feel safer in my walled garden, easier to recover from garbage apps.}
New Permissions (Score:5, Interesting)
Just finished updating a few apps on my phone.
Adobe Air has a new permission group it requests. However, on the 'here's the permissions Air is requesting' pop-up after you hit the update button, they no longer mark the new permissions with "NEW". So now you have to cancel out of the update and go check each and every app you're going to update to see what the new permissions it's requesting.
Totally stupid move by Google to not even mark the new permissions with 'NEW'
Dumb idea. (Score:5, Interesting)
I want to have a settings page where I can go in whenever I want and selectively disable permissions.
This just sounds like more dumbed down version.
And, cynically, I believe that Google is doing this to ensure they can still collect data on you, and the people using their advertising services can continue to do to.
This is why when I download a new app, the first thing I do is try it in airplane mode. If it's not an application which should require access to the interwebs, but tries to access it, it gets deleted.
I must say, I'm disappointed in this. Because I want more control over app permissions, not less.
Broken permissions (Score:5, Interesting)
Something like 90% of all apps require access to the IMEI of the phone which requires read_phone_state and that pretty much abandons all pretense of security compartmentalization since it can also see who you're calling, when you're talking, etc.. Most applications should only care and use it for a unique ID token. IF they want to fix permissions models:
1. Separate the 'phone unique number' from the phone's call state functions. Must have, end of line. This is just plain retarded form day 1
2. Write in permissions which are optional vs. required. Optional permissions are requested on demand like IOS and can be rejected or permantently accepted. Required permissions must be explicitly allowed when the application is installed
3. Re-introduce AppOps functionality or at the minimum an audit trail of when-last and how often the application attempts a specific permission operation/category
4. Consider second tier permissions model where if you want to include common and generally well understood permissions like read_gps there's no hoops to jump through, but if one wants to read and access the variety of accounts I have on my phone, I want to make damn sure that the company asking for this information has at least passed the stink test.
5. Lastly, I want third parties to be able to flag applications (based on APK signature or through store functionality) as a problem so that even if Google doesn't have the time or resources to police all applications in the sun, I should be allowed to trust a thrird party who can flag programs problems based on any reason they find.
This allows for uses like:
- Flag applications for parental categories
- Flag apps as 'ad-enabled'
- Flag apps that are outright malicious in terms of stealing data/information
- Flag apps that violate certain country laws
- Flag apps that are banned based on administrative oversight (for work phones)
Having this barrier mandatory or optional is up for debate as well as the ability to unistall is using a 'master' control password, etc..
Re:How is this a good idea? (Score:2, Interesting)
So get cyanogenmod. There, you can install an app and revoke permissions later. A simple use is to install "angry birds" (or similiar games) and then revoke the internet permissions. No more ads, the game still works. (It has to, to the game it merely seems like you aren't online at the moment.)
Also, android has a linux kernel, which means iptables-based firewalling works. So go ahead and block ad-servers and such.
Re:Well, no. (Score:5, Interesting)
But what are you going to do? The world you want to live in does not exist.
Simple, install XPrivacy. Problem solved. App wants a IMEI? No problem - just give it a random one, or a different one on each boot.