The Android permissions conundrum...
Posted on: 16-Jul-2013
Author: cmk

I had always heard from the Apple fanboys that the App Store has ‘oh-so-many-checks’ and that Apple acts like the protective big brother, not allowing malicious apps into the App Store, while Android is a bit of a wild-wild-west. But then, Android is the flavor of the season. A majority of smartphones in use today are Androids. I myself am an Android user. Thus began the journey that is this post. I tried to answer some questions that we have all been thinking about:
- Are Android apps inherently insecure?
- What do I need to do to make my phone more secure?
- What do we mean by ‘permissions’ on Android?
- What permissions do the apps that I have already installed have?

A bit of background first. Android, as we all know, is an operating system, or OS for short. In simple terms, the job of the OS is to provide applications (yes, yes, ‘apps’) access to the hardware services offered by the phone. Android has been built using Linux as a base. Of course, it does not look anything like the desktop variants of Linux; the UI (User Interface) is completely different.

To be able to access any hardware resource, like the camera or the GPS receiver, the app has to explicitly ask Android for ‘permissions’ to use the resource. (When we say ‘ask’, we mean that the programmer writing the app will write a line in the application’s code that calls for this service. For example, the programmer may say “ACCESS_FINE_LOCATION” to use the GPS of the phone.)

All applications are given a small bit of space in the memory (RAM) and SD storage that is private to that application. No other application can access that data. This is called ‘Application Sandboxing’. It keeps other applications away from the app’s data, and keeps the app away from other applications’ data.

Now, let us move on to the crux of this post: as an Android user, what am I supposed to do to protect myself?
Android restricts the use of hardware resources by forcing applications to ask for ‘permissions’ to use certain resources. After all, what would be the use of ‘Endomondo’ if it did not have access to the phone’s GPS? Where would we be if ‘WhatsApp’ could not access our phone book? So Applications Ask and Android Allows. Before that, however, Android wants the user of the app to confirm whether the permissions asked for by the application are reasonable for the purpose it is supposed to serve. This is where, as a user, our role begins. Applications can broadly ask for the following permissions:
- Camera functions
- Location Data (GPS)
- Bluetooth functions
- Telephony Functions
- SMS/MMS functions
- Network / Data connections
[Image captions: Endomondo, Stock Watch]

For applications already installed, there are some apps that allow you to scrutinize permissions in a fast and efficient manner. Check this nicely written post for further details: http://www.makeuseof.com/tag/app-permissions-work-care-android/

Well, now that we know a little bit about Android application permissions, I can only urge you to read the permissions carefully before installing any application. Be a little more practical in your infosec!
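The "is this permission reasonable for the app's purpose?" check described above can be scripted. The following is an added example, not code from this post or from any app it mentions: it reads the `<uses-permission>` entries of a decoded, plain-text AndroidManifest.xml, groups them under the six categories listed above, and reports the ones outside what the user expects. The grouping table, the function names and the `com.example.stockticker` sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Standard Android permission names grouped under the post's six categories (assumed grouping).
CATEGORIES = {
    "camera": {"CAMERA"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "bluetooth": {"BLUETOOTH", "BLUETOOTH_ADMIN"},
    "telephony": {"READ_PHONE_STATE", "CALL_PHONE"},
    "sms_mms": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_MMS"},
    "network": {"INTERNET", "ACCESS_NETWORK_STATE"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def categorize(permissions):
    """Group permissions by category; anything not in the table lands in 'other'."""
    result = {}
    for perm in sorted(permissions):
        # Only platform permissions are matched; app-defined names go to 'other'.
        short = perm[len(PREFIX):] if perm.startswith(PREFIX) else ""
        cat = next((c for c, m in CATEGORIES.items() if short in m), "other")
        result.setdefault(cat, []).append(perm)
    return result

def unexpected(manifest_xml, expected_categories):
    """Return requested permissions whose category is not in expected_categories."""
    grouped = categorize(requested_permissions(manifest_xml))
    return {c: p for c, p in grouped.items() if c not in expected_categories}

# Constructed sample: a hypothetical stock ticker app that should only need the network.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.stockticker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for category, perms in unexpected(SAMPLE_MANIFEST, {"network"}).items():
        print(category, perms)
```

Permissions outside the six categories, such as `READ_CONTACTS`, are reported under `other` so they are not silently dropped from the review.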