You’ve just been checking the pages of your favorite app store and downloaded a new bunch of awesome apps to spice up your phone. BUT…
That funny picture app you want with the dog ears effect is asking to screen your calls and read your contact list?
That new organizer calendar app wants access to your camera and microphone?
And for some reason, that text editor needs to know your location, at all times.
In the eyes of many users, today’s breed of mobile applications seems to make unreasonable demands before allowing you to install them – demands that may be hiding malicious intentions.
Surely, software should be able to do its job without asking you to give it ultimate permissions on your phone, as some of the more extreme app permissions seem to do?
Android has grown over the last decade to become the most popular computing platform on Earth, and it’s an open source project.
However, the version of Android you get on most smartphones is bundled with proprietary components, some of which plug into advertising services.
It can seem intimidating, but you can gain some mobile privacy with a few quick tweaks.
Introduced several years ago, Android’s app permission model lets you block apps from accessing certain system features.
When apps open for the first time, many of them will ask for permissions (storage, camera, microphone, location, and so on).
You can deny them at that time, but some apps might refuse to start if you deny necessary permissions.
But not all app permissions are bad; some of them are necessary for the app to work.
Good Reasons to Ask:
In an “ideal world” scenario, the requesting and granting of app permissions is designed to ensure that a piece of software is given the user, data, and system access it requires to do its job properly.
“Your personal information — read/write your contacts”: A messenger app or email client would logically need to make this request.
“Your precise location — GPS and network-based location”: A geographical mapping application or any app that needs to pinpoint your location (e.g. to provide guidance round the room, for the visually impaired) would be expected to ask for this permission.
“Services that cost you money — directly call phone numbers”: Dialer applications (including voice-activated ones) would need to be allowed to do this.
Bad Reasons to Ask:
On the flip side are those mobile apps whose permission lists include requests for access or functionality that have little or nothing to do with the software itself, or its stated purpose.
In the best-case scenario, this may be the result of poor design or development practices, and/or the misinterpretation of the demands of the operating system that an app has been designed for.
More commonly (and unfortunately) however, the request for extensive or intrusive permissions may be down to some ulterior motive, on the part of the app developer or their sponsors. Data-mining operations for marketing and advertising networks, or even for more sinister purposes such as fraud and identity theft may be one motivation.
Giving permission for an app to perform operations that can provide access to user credentials, personal documents and images, personally identifiable or health information throws these resources open to abuse at the hands of blackmailers, extortionists, identity thieves, and cyber-criminals of all kinds.
And permissions that grant an app deep system access are a great ruse for the installation of malware, spyware, and the hijacking of systems.
Some red flags might be raised by the following:
“Your personal information — Modify/delete SD card contents”: An app with this permission may read, write, delete, or alter documents and files on your device’s external storage. It could easily install malware without your knowledge.
“Network communication — full network access”: This grants an application free access to the internet (using your device’s data connection, or WiFi), to upload or download data as it requires. A potential route for streaming in advertising or push notifications, and streaming out information to external parties.
“Phone calls — read phone status and identity”: Your phone status (incoming call, etc.) may be relevant to how an app behaves in the foreground – a game or video might automatically pause, for example.
Your device identifier may be revealed to an app without exposing any of your personal information. But your IMEI number (the identifier which the phone company uses to associate your device with your particular name, address and other information) is another matter. Many apps ask for this permission (which includes all of these identifiers), and many of them abuse the privilege of getting it.
Before installing an app, take the time to read through all the blurb associated with it at the app store.
This includes the permissions list, Terms and Conditions, and the user reviews and comments – which are often enough in themselves to help your decision to install it one way or another.
Those few minutes you spend reading may save you from weeks or months of regret, later on.
When going through the permissions list, use logic and common sense.
Should a flashlight app really need to write data to your external storage? Why should a photo editor ever need to make a phone call? And so on.
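As an added example (not code from the original article), here is a small Python script that applies the red-flag list above to the “requested permissions” section of `adb shell dumpsys package <pkg>` output, given the app’s stated purpose. The sample dumpsys text, the package name and the per-purpose baselines are constructed assumptions.

```python
import re

# Permissions the article singles out, keyed to the plain-language label the
# app store shows (the permission ids are real Android identifiers).
WATCHLIST = {
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.WRITE_CONTACTS": "write your contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS)",
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify/delete SD card contents",
    "android.permission.INTERNET": "full network access",
    "android.permission.READ_PHONE_STATE": "read phone status and identity",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Assumed baseline of watched permissions each kind of app can justify;
# a flashlight needs none of them.
EXPECTED = {
    "flashlight": set(),
    "messenger": {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
    "dialer": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
               "android.permission.READ_CONTACTS"},
}

def parse_requested(dumpsys_text):
    """Collect permission ids listed under 'requested permissions:'."""
    perms, in_section = set(), False
    for line in dumpsys_text.splitlines():
        if line.strip() == "requested permissions:":
            in_section = True
            continue
        if in_section:
            m = re.match(r"\s+([\w.]+)\s*$", line)   # one indented permission id
            if m:
                perms.add(m.group(1))
            else:
                in_section = False                    # next section starts
    return perms

def red_flags(dumpsys_text, purpose):
    """Watched permissions the app asks for that its stated purpose does not explain."""
    unexpected = (parse_requested(dumpsys_text) & set(WATCHLIST)) - EXPECTED.get(purpose, set())
    return [f"{p}: {WATCHLIST[p]}" for p in sorted(unexpected)]

# Constructed sample of dumpsys output for a hypothetical flashlight app.
SAMPLE = """Packages:
  Package [com.example.flashlight] (abc123):
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.READ_PHONE_STATE
      android.permission.FLASHLIGHT
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE, "flashlight"):
        print("red flag:", flag)
```

On a real device, feed the script the output of `adb shell dumpsys package <package-name>` instead of the constructed sample.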
Here at Scorpiones, we educate your organization in information security awareness and protect your network, computers and mobile phones, while also giving you the tools to protect yourself from upcoming attacks.
If you are creating an app and wish to know how safe it is, let us do the Mobile Penetration Testing for it; it could save you and your company a lot of money.