read_phone_state = Market FAIL!

[coala_the_second]

android.permission.READ_PHONE_STATE (listed in Market as Phone calls - read phone state)
is a permission that grants the application to read your IMEI (unique cell phone serial), Phonenumber, Serial of the SIM-CARD, and many more.
(For more information or Screenshots what it can do, see app "permission.READ_PHONE_STATE" in Android market)

Now, if this can be a major privacy-breach since the Developer is able to know who is using his app in person (by looking up the phone number, e.g.), or connecting user habbits over several apps to another, one could think: okay, then i won't install apps with this permission anymore.


And here comes, what i discovered within Android market:

3G Watchdog, AndroidPIT, Ethereal Dialpad, File Explorer, Ghost Commander, Google Sky Map, GPSies, Graviturn, Gym Babes, Hypnotoad to go, Mystique, My Tracks, PDF Viewer, Robo Defense FREE, Vampires Live, WikiDroyd and Worldtour

to name just a few recognized ones, are able to install this permission without it being listed by Android Market!

Not only this, some of them also install with WRITE_EXTERNAL_STORAGE (normaly listed as "Storage - Modify or delete SD card contents" in Market e.g.: read and write all your SD-Card data) as well!

(Please note that at least 2 of them are by Google itself! (My Tracks and Sky Map))


Now, one could think, maybe the Application needs the permission for not being properly coded; But at least Vampires Live, seems to use the secretly installed permission to recognize you, once you uninstalled and install again.


Not all of the apps have internet-access, though. But Market message says when updating:

"The application xxxx will replace the currently installed xxxx.
Existing user data will be saved."

That leaves room for interpretations. It could mean your data will be preserved - "stay saved" would be the better phrase there imo-, but it could also mean it will collect your data when updating. But i don't know. Anyone?


Of these Market fails i could name you a few dozen more, but i would be glad to hear of your experiences, and if you can second mine!

How to view permissions within market: View installed or desired application -> press Menu-Key -> Security
When installed on phone, on Homescreen: press Menu-Key -> Settings -> Applications -> Manage applications -> select the one and scroll down

 

[KlaymenDK]

Welcome to the forum!

I'm not sure I follow you.

To test, I just installed Ethereal Dialpad. It installed without asking for any kind of permissions. When I go into its Market listing on my phone (Market->Downloads->Ethereal Dialpad) and select "Security" from the menu, it does not list any permissions.

Are you saying that even so, this app does have the READ_PHONE_STATE permission? How did you detect that? I would like to try and reproduce this.

 

[UncleMike]

I remember reading a while back about two (I think) permissions that may be granted to apps, when the permissions don't appear during the installation process, and that this "problem" was a result of backward compatibility with older versions of Android (maybe 1.5 and lower?). Does this ring a bell with anyone?

 

[KlaymenDK]

Heyy, that does ring a bell.

My Google-fu is weak today, so I only found this brief mention:
android-developers - Are there default permissions added to apps?

I'm certain there was some "official" discussion about it, on some Android blog, but I can't find it now.

 

[coala_the_second]

Welcome to the forum!

I'm not sure I follow you.

To test, I just installed Ethereal Dialpad. It installed without asking for any kind of permissions. When I go into its Market listing on my phone (Market->Downloads->Ethereal Dialpad) and select "Security" from the menu, it does not list any permissions.

Are you saying that even so, this app does have the READ_PHONE_STATE permission? How did you detect that? I would like to try and reproduce this.

Yes! To check the permission after installation:
press Menu-Key -> Settings -> Applications -> Manage applications -> press on Ethereal Dialpad -> scroll down

You can also use the app aspotcat for it (very useful!)


And thanks much about the link, i'll read into that!

Please more opinions! (i know i wrote a little much)

 

[wmtoandroid]

Guys, please stop being so paranoid and pointing the finger at apps that ask for certain permissions. I'll try to make a long story short...

When you program for Android, you need to tell the app that certain permissions are required to perform certain tasks. If the programmer does not ask for these permissions, then his app won't work.

The READ_PHONE_STATE permissions encompasses so many things that you can't assume that it's there to read your phone number. It could be added there to make sure that you have a live internet connection or to check that your device has a phone signal, etc. Unfortunately, you don't actually know why the permission is being asked, but even if it was laid out, most people wouldn't understand it anyways!

The WRITE_EXTERNAL_STORAGE permission is another one that you shouldn't be paranoid over... it simply requests permission to write to your SD card, perhaps to write temporary files (e.g. cache files) or to store user data there.

I could probably name 100 reasons why the apps you listed call for certain permissions, but again, it can get technical in a programming sense.

I suggest installing apps that are trusted and well reviewed and not sweat so much when certain permissions are being asked. If there is a concern, contact the developer instead of pointing fingers. This "calling out" on apps, really damages the Android images because people get all worried for no reason.

 

[Szadzik]

I suggest installing apps that are trusted and well reviewed and not sweat so much when certain permissions are being asked. If there is a concern, contact the developer instead of pointing fingers. This "calling out" on apps, really damages the Android images because people get all worried for no reason.

Cannot agree more!

 

[A.Nonymous]

The OP has a point with some of the apps at least. When I installed Google Sky Maps, it asked for my GPS location and System Tools permissions. I have no issues with either of these permissions. It needs my GPS location to find out where I am so it can show me where the stars are. It needs the System Tools to keep the phone from sleeping while I'm looking at the stars. No problem there.

However, when I install it and look at the permissions, it has two permissions I didn't grant it on install - Modify SD card contents and Read phone state and identity. I have no real issues with the app having either of these permissions. I have issues with them having these permissions without me having to explicitly grant them.

 

[wmtoandroid]

I have issues with them having these permissions without me having to explicitly grant them.

I've been digging around to see if there are any answers to this and for Google Sky Maps specifically, I can't find any other external reference to the "WRITE_EXTERNAL_STORAGE" permission, other than what we see in the Manage Applications app.

According to the Google Android development documentation on permissions, any permissions that haven't been prompted during installation will not be granted. This would mean that although we see the permission for writing to an external storage listed, it's not actually being used.

I would say it's a bug in the app for reporting that permission (I've found a bug in the Android OS that gives wrong dates for birthdays that are correct in other apps).

IF we can prove that this is not a bug and the app IS writing to the SD card, then the developers need to be contacted as well as Google, to file a bug report.