Android simplifies app permissions so devs can sneak in malicious ones

Douglas Crawford

June 12, 2014

App permissions are admittedly a problem with Android, because most people, on seeing a list of vaguely worded permissions dealing with concepts they poorly understand, simply hit the ‘Accept’ button. It is well known that even well-respected apps often ask for far more permissions than seems reasonable for them to fulfill their function (maybe app devs just don’t like being restricted), but malicious apps can abuse these to read SMS messages, make calls to premium numbers, overwrite memory cards, and a great deal more.

Although Google has made efforts to clean the more outright ‘evil’ apps out of the store, to take a greater hand in the matter would mean following Apple’s highly curated Apple Store model, something Google is not keen to do (and for which we applaud it).

Last week, however, Google updated its Play Store app to change the way in which it deals with permissions, which are now grouped into categories. In some ways this is good, as it lets users see at a glance what sort of permissions are being granted. There is, however, also the danger that because permissions are hidden behind category titles, users will not look at the details (users need to select the category to see what permissions it contains).

Android permission groups

A much bigger problem, however, is that (unlike previously) when an app automatically updates, it need only alert the user if new permissions are added under a new category. If new permissions are added to an existing category, the user is not alerted. This problem is made worse by the inclusion of a catch-all ‘other’ category, which could allow devs to silently add all sorts of worrying permissions without users’ consent or knowledge.
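To see which additions in an update would reach a device without a prompt under this rule, the check below diffs two permission lists by category. It is an added example, not Google's code: the permission-to-group mapping is a partial, assumed one, and the two permission lists are constructed.

```python
# Added example: models the group-based update rule described above.
# GROUP_OF is a partial, assumed mapping for illustration only; Google's
# published list of permission groups is the authoritative source.
GROUP_OF = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.CALL_PHONE": "Phone",
    "android.permission.READ_EXTERNAL_STORAGE": "Photos/Media/Files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Photos/Media/Files",
    "android.permission.MOUNT_FORMAT_FILESYSTEMS": "Photos/Media/Files",
    "android.permission.CAMERA": "Camera/Microphone",
}

def group_of(permission):
    # Anything unmapped falls into the catch-all group the article warns about.
    return GROUP_OF.get(permission, "Other")

def audit_update(old_perms, new_perms):
    """Split newly requested permissions into prompted vs. silent additions."""
    old_groups = {group_of(p) for p in old_perms}
    report = {"prompted": [], "silent": []}
    for perm in sorted(set(new_perms) - set(old_perms)):
        # A new permission inside an already-accepted group raises no alert.
        key = "silent" if group_of(perm) in old_groups else "prompted"
        report[key].append((group_of(perm), perm))
    return report

# Constructed sample: permissions of an installed version and of its update.
OLD = ["android.permission.READ_EXTERNAL_STORAGE",
       "android.permission.INTERNET"]
NEW = OLD + ["android.permission.MOUNT_FORMAT_FILESYSTEMS",
             "android.permission.READ_SMS",
             "android.permission.WAKE_LOCK"]

if __name__ == "__main__":
    for kind, items in audit_update(OLD, NEW).items():
        for group, perm in items:
            print(f"{kind:8} {group:20} {perm}")
```

Run against the permission lists of the installed and updated versions of an app, the "silent" rows are the ones worth reviewing by hand before allowing the update.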

As Marc Rogers, principal security researcher at Android anti-malware outfit Lookout told Ars Technica,

‘I’m not sure users are well equipped to understand the full risk that each category could represent. I doubt as a user I would understand that the implication of that is I’m also giving someone permission to format my SD card. So there is a risk that users who have auto update on will not see this new permission of “format the SD card” come in and somebody could do something malicious.’

You can view an app’s existing permission details by scrolling to the bottom of the update page.

The change has caused something of a storm in some circles (see here, here and here).

Google explains the changes, and lists the permission groups here. It also recommends that users not happy with the changes turn off auto-updates:

‘If you want to manually update an app, you can turn off auto-updates using the Play Store app. Here’s how:

Open the Google Play Store app.

  1. Touch the Google Play Store icon.
  2. Select My Apps.
  3. Select an app.

Touch Menu > If it’s not already, uncheck the box next to “Auto-update”.’


