funsec mailing list archives
Re: Play Store Permissions Change Opens Door to Rogue Apps
From: Paul Ferguson <fergdawgster () mykolab com>
Date: Wed, 11 Jun 2014 06:45:14 -0700
Well, that's a little disturbing. :-/

I didn't think that I could actually trust my Android mobile phone less... congratulations, Google.

- ferg

On 6/11/2014 5:33 AM, Jeffrey Walton wrote:
> http://www.xda-developers.com/android/play-store-permissions-change-opens-door-to-rogue-apps/
>
> XDA is normally about the latest and greatest. Whether we’re talking about the latest firmware revision or device, most people in the Android tech community favor being on the bleeding edge. Sometimes, however, the latest isn’t necessarily the greatest or the best way forward. As we recently covered here on the XDA Portal, Google released a new version of the Play Store, which among other things, allows the use of PayPal to purchase apps and simplifies the permissions interface shown to users.
>
> Under this happy facade, however, is a somewhat more sinister change. The permissions system in Android, which has protected users since Android hit consumer devices in 2008, was significantly (and fairly quietly) watered down by Google in this Play Store update.
>
> Previously, when an application update requested additional permissions, users would be notified and have to accept the change before updating. This continued when automatic updates were introduced, as applications with permission changes would require a manual update and approval of the new permissions.
>
> This system worked fairly well. If an app changed its permission needs, you’d be notified, and could choose whether to accept the update. With the most recent Play Store update, however, users are not told about certain permission changes if they don’t result in the addition of permissions to a new group. Given the sheer breadth of permissions a group now covers, this effectively leaves Android with only 13 permissions.
>
> An application can quietly update itself in future, to grant itself access to further permissions within a group, with the user left none the wiser. Once an app is granted an individual permission within a group, that application has the ability to add any other permissions from the group in a future update, without users being notified of the change.
>
> To quote Google: You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted.
>
> For example, contacts and calendar permissions are now grouped into one. An app with the ability to read your contacts could, without you receiving clear and prominent notices, add calendar permissions to the group. This would allow the application full access to snoop through your calendar, and even send Emails to calendar appointment guests, without your consent.
>
> ...
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
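Added example, not part of either message or of the quoted article: a Python check that applies the notification rule the article describes to two versions of a decoded (text) AndroidManifest.xml, separating newly requested permissions that would prompt the user from those added inside an already accepted group. The group table is an assumption: only the contacts/calendar grouping is stated in the article, and the location group, package name and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed group table. Only the contacts/calendar grouping comes from the
# quoted article; the location rows are a constructed second group.
GROUPS = {
    "android.permission.READ_CONTACTS": "contacts/calendar",
    "android.permission.WRITE_CONTACTS": "contacts/calendar",
    "android.permission.READ_CALENDAR": "contacts/calendar",
    "android.permission.WRITE_CALENDAR": "contacts/calendar",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

def permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names - {None}

def group_of(perm):
    # Unmapped permissions count as their own group, so they are never hidden.
    return GROUPS.get(perm, perm)

def classify_update(old_xml, new_xml):
    """Split newly requested permissions into prompted vs. silent additions."""
    old, new = permissions(old_xml), permissions(new_xml)
    accepted_groups = {group_of(p) for p in old}
    added = new - old
    silent = sorted(p for p in added if group_of(p) in accepted_groups)
    prompted = sorted(p for p in added if group_of(p) not in accepted_groups)
    return {"prompted": prompted, "silent": silent}

def manifest(*perms):
    """Build a constructed sample manifest requesting the given permissions."""
    body = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.constructed">' + body + "</manifest>")

OLD = manifest("READ_CONTACTS")
NEW = manifest("READ_CONTACTS", "READ_CALENDAR", "WRITE_CALENDAR",
               "ACCESS_FINE_LOCATION")

if __name__ == "__main__":
    result = classify_update(OLD, NEW)
    print("user is asked about:   ", result["prompted"])
    print("added without a prompt:", result["silent"])
```

Under the earlier behaviour described in the article, every entry in both lists would have required manual approval; a fleet or app-vetting process can use the "silent" list to restore that review step.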
Current thread:
- Play Store Permissions Change Opens Door to Rogue Apps Jeffrey Walton (Jun 11)
- Re: Play Store Permissions Change Opens Door to Rogue Apps Paul Ferguson (Jun 11)