App Permissions: You Want My What?!

We’ve reached a time wherein the wonder and amazement of the Internet is no longer a buffer for underlying privacy concerns. In fact, now is as good a time as ever to worry about the safety of your data, especially following such scandals as the Android/iOS tracking story, and, of course, the Sony hacks.

Most of the scandals popularised in the media stem from illegitimate causes such as a series of hacks. However, you could be exposing valuable data yourself just by using apps that you optionally, and intentionally, downloaded and installed.

The Current State

Currently, Google does a fairly good job of telling you what an application will be using and accessing. Both of their major app stores – the Chrome Web Store and the Android Market – prominently display a list of the permissions the application or extension will be requesting, so you can analyse them and choose whether to install or reject. There’s a list of about twenty-two different permissions that an application can use, each of which has an associated warning to alert the user ahead of time that this will occur.

So, surely this is a good thing? It is. However, a lot of people don’t really read into the decisions they make online (how many terms and conditions have you read?) and just hit the Accept button for speed. This means that a seemingly innocent app can really access a bunch of different permissions that have been approved by the user, even though he or she does not necessarily want the app to hold them — a modern day Trojan horse.

An Example Scenario

As Michael pointed out in one of his Q&As, Facebook requests the fine (GPS) location permission, which is described in full as follows:

Access fine location sources such as the Global Positioning System on the device, where available. Malicious applications can use this to determine where you are, and may consume additional battery power.

This seems pretty dramatic, but in fact, it’s just to allow Facebook to check you into Facebook Places. When installing the application, the permissions are clearly marked out in advance, as shown in the screenshot below. Therefore, the scary orange warnings might have a legitimate reason for being accepted, so don’t immediately let them scare you off installing an app.

Permissions on the phone-side Market app install.

Of course, just because you know which permissions an app is requesting doesn’t mean that it is not doing anything malicious. You could easily download a simple app or widget that requests to use paid services (like your phone) and mindlessly pass the permissions screen.
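To make the "simple widget that requests paid services" case concrete, here is an added example (not from the original article) that reads the permissions an app declares and flags the sensitive ones its stated purpose does not explain. It assumes the manifest has already been decoded to text XML (inside an APK it is stored in a binary form); the sample manifest, the package name com.example.clockwidget and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the two cases in the article: fine location and
# "paid services". The short labels are this example's own wording.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "fine (GPS) location",
    "android.permission.SEND_SMS": "paid service: can send SMS",
    "android.permission.CALL_PHONE": "paid service: can place calls",
}

# Constructed sample manifest for a hypothetical clock widget.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.clockwidget">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="Clock Widget" />
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every permission name declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return [n for n in names if n]


def unexpected_sensitive(manifest_xml, expected):
    """Map each sensitive permission the app requests, but that its stated
    purpose (the `expected` set) does not justify, to a short reason."""
    return {
        perm: SENSITIVE[perm]
        for perm in requested_permissions(manifest_xml)
        if perm in SENSITIVE and perm not in expected
    }


if __name__ == "__main__":
    # A clock widget has no stated need for location, SMS or calls.
    for perm, why in unexpected_sensitive(SAMPLE_MANIFEST, expected=set()).items():
        print(f"review before installing: {perm} ({why})")
```

Passing the permissions an app plausibly needs as `expected` (fine location for a check-in feature, say) leaves only the requests that still need an explanation.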

WWGD?

So, what would Google do then? It’s hard to say, since Google is already doing a pretty good job of notifying users which permissions are going to be accessed. The only logical step up is to create the same walled garden effect that Apple has, with high levels of scrutiny on each app. Although this does remove the whole open source and unrestricted attraction of Google, it’s something that works and (start the hate-powered engines!) makes iOS apps that little bit safer.

In March, Google did pull 56 malicious apps from the Android Market and explained their decision on their Mobile blog. Google mentioned their kill switch as a means of remotely removing malicious apps, which shows some steps towards tightening security and monitoring malicious activity on phones.

Google addressed some of the issues in a blog post in March.

Final Thoughts

Privacy is a hot topic at the moment, and we’re all focused on protecting it right now. Google has taken some nice steps to actually explain to the user exactly what an application will be requesting, meaning consumers have a little more control over an app’s usage of their handset and their data. Google has taken good steps to ensure handset security, without resorting to Apple’s method of high censorship and scrutiny. Unfortunately though, it does not seem they can go much further without introducing more censorship.

The scandals that we are seeing with our data are becoming part of everyday life and are becoming too common, but they are almost becoming a necessity in order to maintain a connected life. What steps should Google be taking?