Security Warning: Android's Dangerous Change to App Permissions
Google had a problem: Nobody could understand the complicated app permissions. For example, do you know what "Broadcast Sticky (Intents)" is? I have no friends, and no hobbies, other than my dear smartphone and even I had to look that one up.
The solution, according to Google, is to "simplify" the permissions and to stop asking you to grant new permissions when apps update automatically through the company's Play Store, at least when the new permission is similar to one you've already granted (e.g., an update adds the ability to send text messages to an existing permission to read texts -- now the app can cost you money).
It's a dangerous and stupid change, one that at a minimum buries possibly dangerous permission upgrades, and if you have auto-update enabled, hides them altogether.
Deviancy Demoed
Still not seeing the problem here? How about a demo?
A Reddit user, iamtubeman, decided to test the new updates system by creating a very mildly-permissioned app, with stuff like the ability to get a coarse idea of the phone's location, to read the phone's storage, etc. None of these permissions are ones you wouldn't see in many other popular apps. Then, he created an update with insane permissions: the ability to send texts ($), to determine your precise location, and to wipe out all of your data.
How did the app store's new permissions system react? "[App] does not require any additional special permissions. Learn More"
The only way you see the new permissions is to click "Learn More." And if you have auto-updates enabled, you won't even see that. He's posted proof, including screenshots, the source code for the testing app, and more information over on Reddit.
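To check an update yourself before installing it, here is an added example (not from iamtubeman's test app or from Google): a Python check that diffs the permissions requested by two versions of an app's manifest and flags additions that fall into a group the app already holds, which is the case the store no longer announces. It assumes the manifests have already been decoded to text XML; the group mapping, the package name and the two sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed, illustrative grouping; the store's real grouping is not given on this page.
GROUPS = {
    P + "READ_SMS": "SMS", P + "SEND_SMS": "SMS",
    P + "ACCESS_COARSE_LOCATION": "Location",
    P + "ACCESS_FINE_LOCATION": "Location",
    P + "READ_EXTERNAL_STORAGE": "Storage",
    P + "WRITE_EXTERNAL_STORAGE": "Storage",
    P + "CAMERA": "Camera",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries with no android:name

def diff_update(old_xml, new_xml):
    """Split newly requested permissions into 'silent' (group already held,
    so no new prompt under the behaviour described above) and 'prompted'."""
    old = requested_permissions(old_xml)
    new = requested_permissions(new_xml)
    held_groups = {GROUPS.get(p, p) for p in old}
    report = {"silent": [], "prompted": []}
    for perm in sorted(new - old):
        group = GROUPS.get(perm, perm)  # unmapped permission is its own group
        report["silent" if group in held_groups else "prompted"].append(perm)
    return report

def manifest(*perms):
    """Build a constructed sample manifest requesting the given permissions."""
    body = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.demo">{body}</manifest>')

# Constructed sample: a mild first release, then an update that escalates.
OLD = manifest("READ_SMS", "ACCESS_COARSE_LOCATION", "READ_EXTERNAL_STORAGE")
NEW = manifest("READ_SMS", "ACCESS_COARSE_LOCATION", "READ_EXTERNAL_STORAGE",
               "SEND_SMS", "ACCESS_FINE_LOCATION", "WRITE_EXTERNAL_STORAGE",
               "CAMERA")

if __name__ == "__main__":
    for kind, perms in diff_update(OLD, NEW).items():
        print(kind, perms)
```

Anything listed under "silent" is worth reading before you accept the update, since it is the kind of addition that would otherwise sit behind "Learn More."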
A Fix
If this change bugs you, there is a solution: turn off automatic updates, either system-wide or per app.
Here are the steps for system-wide:
- Open the Google Play store app.
- Tap Menu > Settings
- Tap "Auto-update apps" and turn off auto-updating.
And per app:
- Open the Google Play store app.
- Tap Menu > My Apps
- Select an app.
- Tap the menu icon on the top right, then uncheck "Auto-update."
Disabling updates system-wide is obviously the safer course, but if you don't want to have to manually update every one of your hundreds of apps, taking the time now to enable auto-update for trusted apps might be worth it.