The Android security model includes a sandbox-like environment that segregates applications and makes good use of shared memory. It also puts the user in control of the device, in part by making the user accept permissions for the installation of any widget.
What do you need to know to decide whether or not you should approve these permissions? And should you care? There are many permissions, but let's take a look at some of the ones I saw when I installed a pile of widgets on my own phone.
• Services that cost you Money – This includes calling and texting, so it could cost you money by using minutes or sending text messages at your going rate. This would mostly be used by a messaging or social media widget that communicates on your behalf, like dialing back to someone who just sent you a text.
The risk is that a widget could dial a 1-900 number or other number that would bill to your phone. Or, the widget could send a text message to a number that would bill you for a text, or subscribe you to some “service” with a continuing monthly fee that is automatically billed to your credit card.
• Storage – This includes storage on your device, and enables the ability to read from, write to, and delete from your SD card and/or internal memory. If you need to store information, like digital images from your phone camera, you will need this ability. A “word processing” or notes app will need this permission so that it can store and access the information you enter. You will also need this permission to allow backups or synching of any stored data.
What’s the risk? The widget could read, delete, or potentially change any of the contents of your device’s memory. If you store any documents, images, videos, or other files that you consider private or sensitive, this becomes an interesting permission.
• Your Personal Information – This includes access to your contact and calendar data. This permission is useful if you are looking at a texting app that needs access to contact information, or an app that will synch calendars across multiple platforms. A replacement phone book app or a quick-dial app would require this permission as well.
The risk is that a widget could access any or all of your contact information. We have already seen apps in the marketplace copy information from the user’s contact database to a third party. Sharing the same level of access with your calendar exposes your personal privacy to the widget. Do you want the widget to know that you have three doctor appointments this week, or that you have an appointment with your bank, especially if your contact information includes detailed information about your contacts for those appointments?
• Phone Calls – This includes the ability of the widget to read phone state and identity. An app will need this permission if it needs to be able to figure out when you are on the phone. Some apps also use the “identity” information to enforce piracy controls and authentication to a specific device. The risk is that the widget can use this information to decide when to trigger its other functions.
The widget can detect when you are on the phone, turn on a voice recorder, record your conversation, and send the recorded data to someone else. Yes, that widget is out there. The identity information can be used to help consistently identify you with your location and other app information. If someone knows exactly who you are, and can see you have a steady GPS reading from 11:00 pm to 7:00 am, they probably know where your house is.
• Your Location – This includes the ability of the widget to determine your GPS location to either “fine” or “coarse” detail. If you have an app that needs to know where you are, it will need this permission. This would include apps that find local coffee shops, restaurants, or shopping, or any mapping/navigation app. Some coupon-generating widgets, or specific retailer apps, may use location to know you are in, or near, their store, so they can deliver you a “special offer” that includes a percentage off or other promotional deal.
The risk is that a widget will know where you are. Admittedly, a stalker may find it interesting to be able to find the target of their obsession. It may be just as likely that this information would be useful to know where you are not. A criminal would know when to break into your house if he knew when you were out.
• Network Communication – This includes the ability of the widget to create or change either a Bluetooth or Wi-Fi network connection. Pretty much any widget that needs the ability to communicate out of your phone will require one of these permissions. A video app might connect to Bluetooth headphones. An audible text message app might auto-connect to a Bluetooth headset. Full internet access will be necessary for any widget that needs to transfer data onto or off the device, like file synch and backup widgets. This will also be required by apps that use cloud services or connect to a remote server like newsfeeds, social networking apps, Internet radio, web browsers, and weather apps, among others.
The risk is that a widget would be able to transfer information onto or out of your device, as well as to and from outside systems. This may very well be one of the most risky permissions available, especially when paired with other permissions like Storage and Your personal information.
• Your Messages – This includes the ability of the widget to read and write text or multimedia messages. This would be required by a text message widget. The risk lies in the widget’s ability to read your sent text messages, and potentially forward them, or send new ones without your permission.
• System Tools – This includes a series of more refined permissions that control some aspect of your phone’s basic settings. An e-reader, video player, or a game may use the “prevent phone from sleeping” permission so that the user can continue to use the widget without specific interaction. “Modify global system settings” includes the ability to change phone settings like ringer volume, notifications, and other options available under Android’s “settings” window.
The risk is that an approved widget could change these settings without your interaction, and potentially prevent you from observing a notification.
• Hardware Controls – These include the ability to control phone vibration and take pictures. A game or other widget can use phone vibration as feedback. An email or text message widget can use the vibration for notification. The risk is really limited. Using too much vibration could drain your battery faster, and taking pictures could fill up your device’s memory. A widget could potentially take pictures when you don’t necessarily want it to, but the lens would have to be pointing at something worthwhile to make this a real threat.
• Your Accounts – This includes the ability to check and see which accounts you have activated. It does not let the widget access the account, and doesn’t tell the widget anything else about the account. A social engineering widget might use this permission to help decide what options are available for distribution of social communication.
Again, the risk is limited. The real risk is most likely that the widget could see what accounts are available for additional attacks or investigations.
There are plenty of other permissions, but these are the ones I have encountered so far. Unfortunately, you, the user, are ultimately responsible for doing that final sanity check to decide whether or not the permissions requested for the widget make sense. I saw a screensaver widget on the marketplace that requested Network communication - full internet access, Your location - coarse, Storage, and Your personal information. Obviously those permissions make absolutely no sense for a "screen saver." Think about the function of the widget, and for every requested permission, consider if the request is reasonable. If you have any doubts, Google the widget for details and comments from other users.
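As an added example (not from the original post), here is a small Python script that does the sanity check described above on an app's AndroidManifest.xml: it groups each requested permission into the categories used in this post, lists the categories the reviewer did not expect for the app's stated purpose, and flags the combinations the post singles out as most risky (network access paired with storage, personal information, or location, and phone state paired with audio recording and network access). The manifest, the package name and the list of what a screensaver needs are constructed for the example; the permission constants are real Android ones, but the grouping into categories is this example's own, and RECORD_AUDIO is included although the post does not list it by name.

```python
"""Sanity-check the permissions an Android app requests against what its
stated function actually needs. Added example: the category grouping
follows the post, the manifest and expectations below are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission constants, grouped into the post's categories.
# The grouping is this example's own, not an official Android mapping.
CATEGORY_OF: Dict[str, str] = {
    "android.permission.CALL_PHONE": "Services that cost you money",
    "android.permission.SEND_SMS": "Services that cost you money",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
    "android.permission.READ_CONTACTS": "Your personal information",
    "android.permission.WRITE_CONTACTS": "Your personal information",
    "android.permission.READ_CALENDAR": "Your personal information",
    "android.permission.WRITE_CALENDAR": "Your personal information",
    "android.permission.READ_PHONE_STATE": "Phone calls",
    "android.permission.ACCESS_FINE_LOCATION": "Your location",
    "android.permission.ACCESS_COARSE_LOCATION": "Your location",
    "android.permission.INTERNET": "Network communication",
    "android.permission.BLUETOOTH": "Network communication",
    "android.permission.BLUETOOTH_ADMIN": "Network communication",
    "android.permission.CHANGE_WIFI_STATE": "Network communication",
    "android.permission.READ_SMS": "Your messages",
    "android.permission.WRITE_SMS": "Your messages",
    "android.permission.RECEIVE_SMS": "Your messages",
    "android.permission.WAKE_LOCK": "System tools",
    "android.permission.WRITE_SETTINGS": "System tools",
    "android.permission.VIBRATE": "Hardware controls",
    "android.permission.CAMERA": "Hardware controls",
    "android.permission.RECORD_AUDIO": "Hardware controls",  # not named in the post
    "android.permission.GET_ACCOUNTS": "Your accounts",
}

# Combinations worth a second look. Each entry is a set of categories and/or
# raw permission names that must all be present, plus a one-line reason.
RISKY_COMBINATIONS: List[Tuple[Set[str], str]] = [
    ({"Network communication", "Storage"},
     "files on the device can be copied to an outside system"),
    ({"Network communication", "Your personal information"},
     "contacts and calendar can be copied to an outside system"),
    ({"Network communication", "Your location"},
     "your position can be reported to an outside system"),
    ({"Phone calls", "android.permission.RECORD_AUDIO", "Network communication"},
     "a call can be detected, recorded and sent elsewhere"),
]


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.attrib.get(f"{{{ANDROID_NS}}}name", "")
            for el in root.iter("uses-permission")]


def categorize(permissions: List[str]) -> Dict[str, List[str]]:
    """Group permissions by category; anything unmapped lands in 'Other'."""
    grouped: Dict[str, List[str]] = {}
    for perm in permissions:
        grouped.setdefault(CATEGORY_OF.get(perm, "Other"), []).append(perm)
    return grouped


def risky_combinations(permissions: List[str]) -> List[str]:
    """Return the reason for every combination that is fully present."""
    present: Set[str] = set(permissions)
    present |= {CATEGORY_OF[p] for p in permissions if p in CATEGORY_OF}
    return [why for needed, why in RISKY_COMBINATIONS if needed <= present]


def review(manifest_xml: str, needed_categories: Set[str]) -> Dict[str, object]:
    """Compare what the app asks for with what the reviewer thinks it needs."""
    perms = requested_permissions(manifest_xml)
    grouped = categorize(perms)
    return {
        "permissions": perms,
        "categories": grouped,
        "unexpected": sorted(c for c in grouped if c not in needed_categories),
        "risky_combinations": risky_combinations(perms),
    }


# Constructed manifest mirroring the screensaver case in the post; the package
# name is a placeholder. WAKE_LOCK is the one request a screensaver can justify.
SCREENSAVER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.screensaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""
SCREENSAVER_NEEDS: Set[str] = {"System tools"}  # keep the screen awake, nothing else

if __name__ == "__main__":
    report = review(SCREENSAVER_MANIFEST, SCREENSAVER_NEEDS)
    for cat, perms in report["categories"].items():
        flag = "UNEXPECTED" if cat in report["unexpected"] else "ok"
        print(f"{flag:10s} {cat}: {', '.join(perms)}")
    for why in report["risky_combinations"]:
        print("combination:", why)
```

The `needed_categories` set is the reviewer's own model of the widget's function, which is exactly the judgement the post asks the user to make; the script only makes the comparison mechanical and surfaces the pairings (network plus data) that turn an individually harmless permission into a way for data to leave the phone.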
Android wants users to help control what runs on their device, so choose carefully.