Android permissions explained, security tips, and avoiding malware

[alostpacket]

Great post and thank s for starting it alostpacket. Also thanks to Roze, you have been helpful.
I have been worried too about how some apps ask for more permissions than they seem to need. I have just a few statement/questions.

1. When I did a search on

 

[larryfroot]

An excellent post and greatly appreciated!

 

[macgiobuin]

Thanks for the info! I didn't understand some of it, because I don't know the "lingo" for computers/phones. Maybe a brief glossary to define those terms? (SMS, ROM, root, etc.)

 

[sulbigar]

I'm about to purchase my first droid and this post was a great eye-opener. Thanks a lot.
Will post queries when I get to play with the device.

 

[Baz8755]

Hi,

I recently downloaded Wordwise free and when it ran it asked for permanent access to my googlemail account. I couldn't get past the screen without accepting this.

I uninstalled the app but am now wondering exactly what it would have had access to (eg. would it be able to get my googlemail password or infiltrate my account).

Anyone had experience of this app or other apps asking for googlemail access

 

[Roze]

Hi,

I recently downloaded Wordwise free and when it ran it asked for permanent access to my googlemail account. I couldn't get past the screen without accepting this.

I uninstalled the app but am now wondering exactly what it would have had access to (eg. would it be able to get my googlemail password or infiltrate my account).

Anyone had experience of this app or other apps asking for googlemail access

I really don't know but checking the permission list...it's intense for a basic game app.

• android.permission.ACCESS_COARSE_LOCATION
• android.permission.ACCESS_NETWORK_STATE
• android.permission.CALL_PHONE
• android.permission.CHANGE_NETWORK_STATE
• android.permission.GET_ACCOUNTS
• android.permission.GET_TASKS
• android.permission.INTERNET
• android.permission.MANAGE_ACCOUNTS
• android.permission.READ_CONTACTS
• android.permission.READ_PHONE_STATE
• android.permission.USE_CREDENTIALS
• android.permission.VIBRATE

Those are way too many permssions needed for a simple word game. Some are self explainatory but the others are simply questionable. You can email the developer to see what he/she has to say and explain what the app needs all these permissions.

Good to hear that you uninstalled the app, it's just way too suspicious imo.

Only app I use that I remember asking for my gmail credential is Appbrain, but it requires that since it needs to know what apps you have on your phone.
This is the alert you get when you log into appbrain via your google account

AppBrain uses Google Accounts for Sign In.

[SIZE=-1]Google is not affiliated with the contents of AppBrain or its owners. If you sign in, Google will share your email address with AppBrain, but not your password or any other personal information. [/SIZE]
[SIZE=-1]AppBrain may use your email address to personalize your experience on their website. [/SIZE]

 

[alostpacket]

Yeah there is really no reason I can think of that a scrabble knock-off should need the ability to manage your accounts. I'd be hesistant to give it half of those permissions but that one sticks out as absolutely not necessary.

I'm with Rose on this one, in my opinion, skip this app.

 

[elchamber]

Great post. I really wish I found and read it before I went crazy downloading free apps. I actually stopped using my phone's Facebook app, since the contact information from my Facebook friends were listed on my contacts. So the same goes for them. Now I'm worried that, if they have my contact info, I would be now available to get spam via text message if they downloaded an app that grants them access to their contacts.

It would explain why I've been getting these strange texts asking me to get a premium SMS. Then again, it could be those apps I downloaded.

Anyways, again great posting.

 

[alostpacket]

Thanks elchamber, also feel free to post a list of apps in one of the support forums and ask about your problems, sometimes people here can help you spot what's wrong. These types of forums are a great place to get help/info/advice.

 

[udik]

Folks I like this post, but I do have some reservations. All of my apps (free and non-free) are FREE of adds and safe, not all of them have 4-5 stars, mostly because people won't give you good review if they like your app, only bad one if they don't have one...

 

[alostpacket]

Edit: Sorry, but I'll have to say I dont appreciate you promoting your app in this thread. You make somewhat of a good point that's on topic, but having seen you posting something similar all over the other android community forums, as well as several other posts just to promote your app, I'm suspicious that you even care about this thread or what you said other than as a chance to promote your app.

I sincerely hope I'm wrong, and there is nothing wrong with a little app promotion, (heck I do it all the time) but this is not the thread for it. Please show a little more respect and decorum. Perhaps you could consider editing out references to your app and making an announcement in the Applications Announcements forum.


Anyways, here's my original reply:

====

You make a good point, and I've considered putting a bit of a disclaimer in that part, but all I was saying is that any app with less than 3 stars is not worth your time, anything above that is a judgment call, and of course this post is my opinion as well. I too struggle to get good reviews as an app dev when the only people who tend to want to review my app have some obscure FC, and uninstal my app never to check back that I fixed it.

So I hear where you are coming from and let me stew on some ways of updating the guide to reflect something a bit more flexible with regards to ratings.

Mostly my goal was to steer people to communities such as this to get info. Since to me, that's the most reliable source.

 

[alostpacket]

added the following permission:

Development Tools read logs
This permission is of very high importance. This allows the application to read what any other applications have written as debugging/logging code. This can reveal some very sensistive information. There are almost no reasons an applications needs this permission. The only apps I might grant this permission to would be Google apps.


Source:
Vimeo, Video Sharing For You

Thanks to a Slashdot reader R- for pointing me to the info

 

[Jayess1]

Thanks, ALostPacket, for the advice on this thread and for all the good stuff in the forum.

 

[Roze]

All of my apps (free and non-free) are FREE of adds and safe, not all of them have 4-5 stars, mostly because people won't give you good review if they like your app, only bad one if they don't have one...

I've seen many comments saying how great an app is mix in with issues the app is having. I've comment in most of the apps I use rating that it's good as well as bad. If your app is really good, then the good comments will outweight the bad ones is what I believe.

 

[alostpacket]

I've seen many comments saying how great an app is mix in with issues the app is having. I've comment in most of the apps I use rating that it's good as well as bad. If your app is really good, then the good comments will outweight the bad ones is what I believe.

His app had 5 stars and two ratings, (one from himself) and he posted that message on other forums (but it looks like they removed it). I'm pretty sure he was just spamming.

He's somewhat right though -- I've had people encounter a bug, rate my app 1 star, uninstall it, and then never look back despite the fact I fixed their bug two days later.

I've also had commenters incessantly keep editing their comment until their specific phone/feature worked correctly (when you edit a comment it appears at the top again). I nearly reported the guy to Google.

I've also had the opposite where someone comes back to change their rating to 5 stars when their bug got fixed.

Still, frustration can often push someone to comment, but mere satisfation is not as strong a motivator. However, in general the rating systems reflect that for ALL apps. That's why even the best apps only have 4.5 stars at most.

So it all evens out in the end, and the ratings system is still valuable because enough good people will rate regardless. It's just important to think of it as grading on a curve. That's why I figure anything below 3 stars is not worth the time. The Market will only show you as having 2.5 stars if your average rating is below 2.75. It rounds to the nearest .5

 

[Roze]

He's somewhat right though -- I've had people encounter a bug, rate my app 1 star, uninstall it, and then never look back despite the fact I fixed their bug two days later.

That's tough luck but that's how people operated. Kudos to you fixing the problem quickly but by fixing the issue, you got more people to install your app.

I've also had the opposite where someone comes back to change their rating to 5 stars when their bug got fixed.

Still, frustration can often push someone to comment, but mere satisfation is not as strong a motivator. However, in general the rating systems reflect that for ALL apps. That's why even the best apps only have 4.5 stars at most.

No system in the world is perfect. I usually email the dev personally about an issue I have since I know quite a number of devs don't read the comment section and I would like to know what actions they'd take. Also...there's a character limit on the comment section, so it doesn't really tell the dev much of the issue. Though having been a beta tester for some apps, this is just the way I've done it, lol. If you don't reply to my email within in the week and the app wasn't updated to fix the issue...I'd post a one star and say how bad the dev's support is :/

So it all evens out in the end, and the ratings system is still valuable because enough good people will rate regardless. It's just important to think of it as grading on a curve. That's why I figure anything below 3 stars is not worth the time. The Market will only show you as having 2.5 stars if your average rating is below 2.75. It rounds to the nearest .5

That is interesting but I guess that makes sense. You don't want to over inflate the quality of the app.

 

[Lare]

Thanks VERY much , Roze and (especially) alostpacket. This has been a really useful thread for me, too. One question I did not see answered (although I may have missed it in almost 200 postings): If I uninstall an app, is it really, truly gone or--like Windows--could malware have left disguised bits of itself behind to cause me problems/continue keylogging/etc?

 

[Maxib]

Thanks Alostpacket, great post which taught me more in a minute than I learnt spending hours googling it. I'm currently worried about an app I downloaded (doubletwist) simply because of the amount of permissions it wanted and I couldnt understand, even though it has loads of great reviews from people. I'd be quite interested in a reply to Lare's question about uninstalling too.. Thanks again for the post!

 

[alostpacket]

Doubletwist is pretty popular, I wouldn't generally worry too much about it.

As for uninstalling an app, yes it's pretty much gone after you uninstall it. There have been some reports of the ability to stealth install apps without permission from the user but those vulnerbilities were patched pretty quickly as far as I recall. I'll try and remember to dig a littlle deeper on the subject in the coming days/weeks and see if I can locate the sources of that info. Unfortunately right not I'm furiously working on my own app, as well as a second app to be released soon, so I'm pretty busy currently.

But generally speaking, it's safe to assume an app is gone once un-installed. If someone got really worried they were infected though, you can always do a factory reset and that should clear any and all apps. I would only advise that as a last resort for someone who is sure they have malware or some app that's mucking things up (maybe unintentionally).

 

[SpaceDementia]

I've noticed a couple of apps I've downloaded (Adao File Manager and FX Camera for instance) ask for permissions when they install however when I look at there permission in "Manage Applications" they are different to what they requested.

For instance, Adao File Manager only asks for Internet Access but after I installed it I noticed it actually could read my phone state and delete/modify my SD. Which is pretty obvious for a file manager to be doing.
So why didn't it state this in the market permissions?

 

[Lare]

I've seen the same thing with other programs. The program "silent toggle widget" by droidmania says it requires NO special permissions when you look at it in the Market.

But if you install it and check Settings>Applications you'll see that it too has a "Modify SD card contents." This makes me uncomfortable.

 

[its_me]

I just got an android phone so im new. My question is if an app needs full access to the internet can it get info i use to login to different accounts on my phone? (user name & password) Also do you know if the app Lookout is good at avoiding all of these different things. My appologies if these questions have been answered.
Thank you.

 

[Cherelle]

Excuse me, how do you know when you have a virus.Because I new to it as well and I have download a few apps (like about 4 in total) and I do remember 2 of them saying it needs full internet connection. How would I know for sure?

 

[allambition]

Great all around description of security on Android - thank you so much for this. Some of it I already knew but some of it I was reading for the first time. Thanks for putting all this information in one place, its very useful and hopefully there isn't too many security issues with Android going forward. I love that its based on Linux, it gives it a solid core to build upon.

 

[alostpacket]

An app with full internet access does not mean it can log what you type. Only keyboards can do that.

That's why I NEVER use a keyboard with full internet permissions - that's the combination to avoid.

But I used to get confused when I saw the standard message that comes up when first enabling any new keyboard - it says the app can get my passwords, credit card info, etc. But that is a standard Google message for all keyboards. Only worry if it's combined with internet permission - otherwise it can't send it anywhere even if it did log my keystrokes.

That's not entirely true, but good as a general rule.

There are ways of sending data without the internet permission but I wont go into them here. And they are holes Google is trying to close (as far as I know).

The best thing to remember is to use the community to help judge things.

To whoever was asking about Lookout Mobile: I think they're a pretty good company even if they do exagerate threats (in my opinion).

I'd probably choose them over the other AV if I used AV.