Saturday, October 19, 2013

Android Permissions: what you should look for before clicking Accept

Chase Mobile
I don't intend to single out these apps in this post for their use of these permissions, as it seems that most android apps ask for and receive too many permissions when the apps are installed.

The Chase online banking application needs some permissions to enable some of the features of the app. This app allows the user to deposit checks using their phone and locate an ATM branch using GPS and mapping output. The app also initializes the dialer to auto-enter (but not dial) the support service.
These features seem useful and sure, they need to access the GPS, network, camera, and phone dialer.
but some other permissions seem to be out of the scope of normal banking and may not even be associated by user initiated features of the software.  which make me wonder what features they have actually use them:
- Disable screen lock: This one is strange. If they can disable the screen lock they can certainly 'spoof' a screen lock once the normal one had been disabled.
- Mock location sources for testing: One could imagine this could be used to tell the user that they are somewhere they are not.
- Take Pictures and Videos: Maybe these permissions are bundled, but should they? Taking a single photo to deposit checks is one thing, but a video seems to be too much
- Your Social Information: Modify contacts, read call log, read contacts, write call log. I can't imagine a legitimate use for any of these. Maybe if "modify contacts" is to include "add contact" if they want to push a Chase contact into my address book, maybe. But the rest sound like clear overreach.
Chase Mobile Branch Locator

Chase Mobile EULA

Super Bright LED Flashlight is an App on the Play marketplace that turns your Android smart-phone into a flashlight by turning on/off the flash LED that is built in for use with camera. The only features  or functionality/features I noticed are:
  • On/Off slider
  • The ability to 'blink' 
  • Super Bright LED Flashlight
  • Sound feedback on/off switch
  • Banner ads on the bottom
  • Reminder to rate the application
To be completely honest I found this app to be useful and fun to use. The slider graphic and ability to switch into blinking mode were not very useful but it made it a well rounded application more than just an on/off button for an LED.
However, even though I was happy with the features it gave me I am still a bit confused why it needs so much access to the phone itself. I'm guessing this has to do with how the application was built, rather than to provide functionality to the features that are given to the user. And since all I really wanted was a flashlight- pretty much anything besides access to the camera shouldn't be asked for, right?

 Storage: Modify or delete the contents of your USB storage
 User Features: I'll venture to guess this could be to save and load the status of the settings for the flashlight such as the blink setting or the sound on/off.

Your Location: Approximate location (network-based), precise location(GPS and network-based)
When I saw this feature in the list prior to first installing the app I thought maybe it was to link to where I was using the flashlight, or maybe while I'm using flashlight I can snap a pic? Now I'm guessing at best must be linked to the ads that appear, and at worst to track where I'm using their app.

Camera: Take pictures and videos
Just like with the chase app it seems this permission is linked to all possible functions of the camera. It doesn't even mention turning flash on-off but it must be part of the camera controls and is therefore linked to this explicit permission.

Your applications information: Retrieve running apps
I can't understand why a flashlight app would need to know what other running apps are loaded. Maybe there is a feature that tracks usage of the apps to gaugue how much power usage is being drained over time to let the flashlight know when it should turn off? The app doesn't appear to have this feature but I can't say I have used it while the phone has been running out of power to know for certain. The only reason I can guess if it is not a feature it is something to track the users habits for sale or use by the people distributing this app.

Phone Calls: Read phone status and identity
This one is also confusing. Why would a flashlight need to know if the phone is in use or who is using the phone? These two permissions are probably bundled, as we have seen with the Camera, so maybe one of these has a legitimate use. I must guess that the flashlight wants to turn off if a call is coming in (or flash, or something) which would be a good feature to have so the flashlight doesn't burn the battery when the user is on the phone.

Network Communication: Full network access
Most flashlights I have used in the past have not had access to communication networks. On the face of this permission it seems very obvious at this point they are not simply providing a free flashlight for you. They want you to provide feedback, click ads, and possibly send more data for them to use or sell.

System Tools: Modify system settings, test access to protected storage
As with most of the other permissions it is not clear what you are allowing the application to do. As we noticed before there are some permissions not explicitly granted in the permissions dialog, but are assumed implicity by the Android operating system. For this permission it is very unclear what the application may be doing to require this permission or what this permission really means. If we look at just these two permissions we have to assume that this app can change brightness settings, network settings, sync settings, and any other settings in the settings panel- possibly installing and uninstalling software they have decided (anti-virus, etc). This appears to be a security hole and I can't even imagine what the flashlight needs from this setting. The second setting is just as bad. The app is testing access to protected storage- possibly to check if the app can do something and get away with it without causing the operating system or anti-virus to flag the behavior.

Affects Battery: Control flashlight, prevent phone from sleeping
I got through all these settings, giving the benefit of the doubt to this app that they simply want to control the flashlight and maybe they are doing some tricks to get that to work- such as accessing the camera or possibly some system settings. It seems that is not the case.

This app wants to do a lot more than provide a free flashlight- it wants to control your phone.

Flashlight Permissions 
Even more Flashlight
Flashlight Rating Reminder

3 comments: said...

You know the flashlight app was just revealed to be mass spyware for android right? It's ironic that it was discoverd not too long after you posted this article.

Also in the news google android just removed a feature in 4.3 to modify these permissions, saying that its inclusion in 4.3 was 'accidental'. So apparently google wants programs to hijack our smartphones because why else would they remove that feature?

Anonymous said...

FYI, it looks like the permissions for Super-Bright have been scaled WAY back. It only asks for permission to the camera and mic now. Still don't know why it needs that, though.

Lars said...

The second setting is just as bad. The app is testing access to protected storage- possibly to check if the app can do something and get away with it without causing the operating system or anti-virus to flag the behavior.

Actually, "test access to protected storage" just means the app has requested the READ_EXTERNAL_STORAGE permission, e.g. to read files from a microSD card or a USB drive. Nobody seems to know why Google labels that permission as "test access to protected storage" to users.