funsec mailing list archives

Re: Play Store Permissions Change Opens Door to Rogue Apps


From: Paul Ferguson <fergdawgster () mykolab com>
Date: Wed, 11 Jun 2014 06:45:14 -0700

Well, that's a little disturbing. :-/

I didn't think that I could actually trust my Android mobile phone
less... congratulations, Google.

- ferg


On 6/11/2014 5:33 AM, Jeffrey Walton wrote:

http://www.xda-developers.com/android/play-store-permissions-change-opens-door-to-rogue-apps/

XDA is normally about the latest and greatest. Whether we’re talking
about the latest firmware revision or device, most people in the
Android tech community favor being on the bleeding edge. Sometimes,
however, the latest isn’t necessarily the greatest or the best way
forward. As we recently covered here on the XDA Portal, Google
released a new version of the Play Store, which among other things,
allows the use of PayPal to purchase apps and simplifies the
permissions interface shown to users.

Under this happy facade, however, is a somewhat more sinister change.
The permissions system in Android, which has protected users since
Android hit consumer devices in 2008, was significantly (and fairly
quietly) watered down by Google in this Play Store update. Previously,
when an application update requested additional permissions, users
would be notified and have to accept the change before updating. This
continued when automatic updates were introduced, as applications with
permission changes would require a manual update and approval of the
new permissions.

This system worked fairly well. If an app changed its permission
needs, you’d be notified, and could choose whether to accept the
update. With the most recent Play Store update, however, users are not
told about certain permission changes if they don’t result in the
addition of permissions to a new group. Given the sheer breadth of
permissions a group now covers, this effectively leaves Android with
only 13 permissions. An application can quietly update itself in
future, to grant itself access to further permissions within a group,
with the user left none the wiser.

Once an app is granted an individual permission within a group, that
application has the ability to add any other permissions from the
group in a future update, without users being notified of the change.
To quote Google:

    You won’t need to manually approve individual permissions
    updates that belong to a permissions group you’ve already
    accepted.

For example, contacts and calendar permissions are now grouped into
one. An app with the ability to read your contacts could, without you
receiving clear and prominent notices, add calendar permissions to the
group. This would allow the application full access to snoop through
your calendar, and even send emails to calendar appointment guests,
without your consent.
...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
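An added example (not code from this thread or from the XDA article) that shows the mechanism the article describes from an app-auditing standpoint: it diffs the `<uses-permission>` declarations of two versions of an app and reports which additions fall inside a permission group the user has already accepted (applied without a prompt under the grouped model) versus which open a new group. The group table and both manifests are constructed assumptions for illustration; the permission names are standard Android ones, but the grouping is not Google's real mapping.

```python
# Added example, not from the funsec thread or the XDA article: classify the
# permissions an app update adds into "prompted" (new group) and "silent"
# (group already accepted), mirroring the grouped-permissions behaviour.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

PERMISSION_GROUPS = {  # constructed subset modelled on the article's example
    "android.permission.READ_CONTACTS": "Contacts/Calendar",
    "android.permission.WRITE_CONTACTS": "Contacts/Calendar",
    "android.permission.READ_CALENDAR": "Contacts/Calendar",
    "android.permission.WRITE_CALENDAR": "Contacts/Calendar",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
}

def manifest_permissions(manifest_xml):
    """Names declared by <uses-permission> elements in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}

def classify_update(old_perms, new_perms, groups=PERMISSION_GROUPS):
    """Return (silent, prompted, unknown): permissions added by the update that
    land in an already-accepted group, in a new group, or are not in the table."""
    accepted = {groups[p] for p in old_perms if p in groups}
    silent, prompted, unknown = [], [], []
    for perm in sorted(set(new_perms) - set(old_perms)):
        group = groups.get(perm)
        if group is None:
            unknown.append(perm)   # not in the table: review by hand
        elif group in accepted:
            silent.append(perm)    # same group, no new prompt to the user
        else:
            prompted.append(perm)  # new group, user is asked to approve
    return silent, prompted, unknown

# Constructed manifests: v1 reads contacts; v2 adds calendar access and location.
OLD_MANIFEST = """<manifest xmlns:android="%s" package="com.example.app">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>""" % ANDROID_NS
NEW_MANIFEST = OLD_MANIFEST.replace("</manifest>", """\
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>""")

if __name__ == "__main__":
    old, new = manifest_permissions(OLD_MANIFEST), manifest_permissions(NEW_MANIFEST)
    silent, prompted, unknown = classify_update(old, new)
    print("silently applied:", silent)  # the two calendar permissions
    print("user prompted:", prompted)   # location, a group not yet accepted
```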