For Infosec professionals, Infosec for everyone

For Infosec professionals, Infosec for everyone
Library Risk Quotient

The Android permissions conundrum...

Posted on: 16-Jul-2013
Author: cmk
Permissions_Android I had always heard from the Apple fanboys that the App Store has ‘oh-so-many-checks’ and Apple acts like the protective big brother not allowing malicious apps into the App Store, while Android is a bit of a wild-wild-west. But then, Android is the flavor of the season. A majority of smartphones in use today are Androids. I myself am an Android user. Thus began the journey that is this post. I tried to answer some questions that we all have been thinking of: Are Android Apps inherently nonsecure? What do I need to do to make my phone more secure? What do we mean by ‘permissions’ on Android? What permissions do the apps that I have already installed have? A bit of a background first. Android as we all know, is an operating system or OS in short. In simple terms, the job of the OS is to provide applications (yes, yes, ‘apps’) access to the hardware services offered by the phone. Android has been built using Linux as a base. Of course, it does not look anything like the desktop variants of Linux available, the UI (User Interface) is completely different. To be able to access any hardware resources like the camera, or the GPS receiver, the app has to explicitly ask Android for ‘permissions’ to use the resource. (When we say ‘ask’ we mean that the programmer writing the app will write a line in the applications code that calls for this service. For example, the programmer may say “ACCESS_FINE_LOCATION” to use the GPS of the phone.) All applications are given a small bit of space in the memory (RAM) and SD storage that is private only to that application. No other application can access that data. This is a term called ‘Application Sandboxing’. This protects the app’s data and does not allow other applications to access its data, while not allowing it to access the other application’s data. Now, let us move on to the crux of this post -  As an Android user what am I supposed to do to protect myself? Android restricts the use of hardware resources by forcing applications to ask for ‘permissions’ to use certain resources. After all, what would be the use of ‘Endomondo’ if it does not have access to the phone’s GPS? Where would we be if ‘Whatsapp’ cannot access our phone book? So Applications Ask and Android Allows. Before that, however, Android wants the user of the app to confirm if the permissions asked by the application are reasonable for the purpose it is supposed to serve. This is where, as a user, our role begins. Applications can broadly ask for the following permissions:
  • Camera functions
  • Location Data (GPS)
  • Bluetooth functions
  • Telephony Functions
  • SMS/MMS functions
  • Network / Data connections
For a detailed list of permission groups that Android offers, refer to the following link: https://developer.android.com/reference/android/Manifest.permission_group.html As a user, we must ensure that the permissions that the application asks is commensurate to the work it is supposed to be doing. For example, I know that Endomondo needs GPS so, it is all right for it to ask for location access, but when an application called Stock Watch (to track the price of shares in the stock market) asks for this permission, I should probably be a bit worried. OK, so I have an app here that I want to use. I am all right with the other permissions that it requests. It is only reasonable to allow it to access my data connection. I am NOT ok with it asking for my location through GPS (coarse through network is fine, why would it need fine location using GPS?). Can I selectively allow permissions? Sadly, for the average users like us, this is not an option. You can either allow all the permissions or not install the application. While I did not install the application, there are evidently more than 500,000 people who have. What would Stock Watch do with location data of more than 500k users? For all you know, they might have a good cause! I have no idea, but I do not want my location data in their database. Permissions_Endomond_Stock_Watch

Endomondo                                                                                 Stock Watch

For applications already installed, there are some apps that allow you to scrutinize permissions in a fast and efficient manner. Check this nicely written post for further deails. http://www.makeuseof.com/tag/app-permissions-work-care-android/ Well, so now that we know a little bit about Android application permissions, I can only urge you to read the permissions carefully before installing any application. Be a little more practical in your infosec!
Library Risk Quotient