Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Android’s New App Permissions Setup Raises Red Flags

Android App Permissions Changes Made by Google Criticized by Security Experts

Google has recently made changes to the way permissions for Android applications are displayed, but experts warn that the modifications make automatic updating of mobile applications riskier than before.

Android App Permissions Changes Made by Google Criticized by Security Experts

Google has recently made changes to the way permissions for Android applications are displayed, but experts warn that the modifications make automatic updating of mobile applications riskier than before.

Under the new format, permissions requested by Android applications are organized into groups to simplify the installation process and help users make informed decisions about whether or not they want to install a certain app, Google developers noted.

The problem, as highlighted by many security experts, is the fact that if a user gives an app access to a certain permission category, when the app is updated, it can start using other permissions in the same category without informing the user.

Android Permissions“Once you’ve allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted,” Google explained.

For example, if an application needs to read text messages, the user must give it access to the “SMS” permissions group. If the app is updated, it can automatically access all other individual permission in the “SMS” group ─ such as edit text messages, send SMS messages and receive text messages ─ without the user being notified.

Furthermore, Google has decided to remove network communication permissions from the primary permissions screen on the basis that most apps need access to the Web in order to work. The company said it was removing apps that violate Google Play policies, and noted that systems are in place to protect users against potentially harmful elements.

Georgia Weidman, the CEO of Bulb Security, told SecurityWeek that the changes are a “step in the complete wrong direction.”

“Most users don’t really care about permissions anyway, but it seems a red flag to me that if you’ve accepted something in a certain group you don’t get notified of additional permissions in that group on update,” Weidman said.

Advertisement. Scroll to continue reading.

“Google hopes to solve the problem of apps not autoupdating by grouping permissions into categories. But you risk apps being able to silently add new permissions when they update,” Marc Rogers, principal security researcher at Lookout, told SecurityWeek in an emailed statement. “Under the new system Google will only notify users if an app requests permissions in a group the user hasn’t already accepted. People need to understand that they are essentially allowing all permissions in a given category.”

“Right now the best advice to users who are concerned about permissions is that you should go into the Play store and change the settings for apps to turn off autoupdate for any app that you do not implicitly trust,” Rogers said. This way the app has to be manually updated and you get a chance to check its permissions with each install.”

There are also several threads on Reddit highlighting the negative impact these changes have on security and privacy.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.