Android App Permissions Changes Made by Google Criticized by Security Experts
Google has recently made changes to the way permissions for Android applications are displayed, but experts warn that the modifications make automatic updating of mobile applications riskier than before.
Under the new format, permissions requested by Android applications are organized into groups to simplify the installation process and help users make informed decisions about whether or not they want to install a certain app, Google developers noted.
The problem, as highlighted by many security experts, is the fact that if a user gives an app access to a certain permission category, when the app is updated, it can start using other permissions in the same category without informing the user.
For example, if an application needs to read text messages, the user must give it access to the “SMS” permissions group. If the app is updated, it can automatically access all other individual permission in the “SMS” group ─ such as edit text messages, send SMS messages and receive text messages ─ without the user being notified.
Furthermore, Google has decided to remove network communication permissions from the primary permissions screen on the basis that most apps need access to the Web in order to work. The company said it was removing apps that violate Google Play policies, and noted that systems are in place to protect users against potentially harmful elements.
Georgia Weidman, the CEO of Bulb Security, told SecurityWeek that the changes are a “step in the complete wrong direction.”
“Most users don’t really care about permissions anyway, but it seems a red flag to me that if you’ve accepted something in a certain group you don’t get notified of additional permissions in that group on update,” Weidman said.
“Google hopes to solve the problem of apps not autoupdating by grouping permissions into categories. But you risk apps being able to silently add new permissions when they update,” Marc Rogers, principal security researcher at Lookout, told SecurityWeek in an emailed statement. “Under the new system Google will only notify users if an app requests permissions in a group the user hasn’t already accepted. People need to understand that they are essentially allowing all permissions in a given category.”
“Right now the best advice to users who are concerned about permissions is that you should go into the Play store and change the settings for apps to turn off autoupdate for any app that you do not implicitly trust,” Rogers said. This way the app has to be manually updated and you get a chance to check its permissions with each install.”
There are also several threads on Reddit highlighting the negative impact these changes have on security and privacy.