Can App Permissions Be Hidden?

[maxx2496]

This is a question that has not been completely answered to me......... I am wanting to know if a developer has the ability to choose not to display the permissions needed for an app they create. For an example if there is a note taking app in the market that says no permissions needed, but in reality, it does have "internet access" capabilities not shown to the user/downloader, is that possible?????? Is it possible for App permissions to be hidden and not displayed to the user? Can someone explain to me the process on assigning and displaying permissions on android apps? please?

 

[andyzammy]

Hope not. I'd want to know exactly what an app can do to my phone. What legitimate reasons could you have for wanting to do this?

 

[Ozymandias88]

Short answer: No

Long answer:
Apps get permissions using a file in the app called androidmanifest. To access the internet the app must have internet permission added in that file. If it doesn't it can't access the internet. This file is how the market determines the security privileges the app has. So if the market doesn't Say it requires the internet it can't use it.

There is I believe one exception. Custom home and lock screens that support Widgets can bypass security settings if the custom home screen or lock screen has that permission then any Widgets they hold can also use it. I'm not totally sure about this though

 

[maxx2496]

@andyzammy. I was wanting to know for my own education. I wanted an Idea of how permissions are granted (wanted to reassure myself that downloading apps are safe).. BTW ozy, do u know if the same rules apply if a user is installing 3rd party apps not from the android market.? Thanks for Ur reply..!

 

[Ozymandias88]

@andyzammy. I was wanting to know for my own education. I wanted an Idea of how permissions are granted (wanted to reassure myself that downloading apps are safe).. BTW ozy, do u know if the same rules apply if a user is installing 3rd party apps not from the android market.? Thanks for Ur reply..!

Yep they do. As long as your using the default installer (is it even possible to swap?) you can always see the permissions granted in the androidmanifest file before you install.

Somebody who knows a bit about roms might be able to tell you if any of that changes with a custom rom on a rooted device. I don't have a lot of experience with that stuff though.

There's a good thread about permissions, if anyone is interested, here:
http://androidforums.com/android-ap...ps-avoid-viruses-guide-those-new-android.html

 

[droidicus]

I know this is a really old thread, but market apps actually can have hidden permissions. I have witnessed first hand several apps the permissions of which change after downloading from the market. For instance, the app would say no permissions on the market, then after downloading, it would say internet access and sd card storage. I'm still not really sure how this is possible though, because the market supposedly forces permissions to be shown prior to download for the safety of the user. It's a little baffling to me.
check out this thread over at droid x forum
Dishonesty in the Android Market?

 

[alostpacket]

You have witnessed first hand apps that you won't name, but give a link to another forum, with a post about someone witnessing first hand apps they wont name either...

I'm sorry, I dont mean anything personal by this, but your evidence of apps granting themselves escalating permissions is.... well isnt any evidence at all.

I have never seen apps granting themselves new permissions.

I'd wager this user (or you) updated apps without realizing the permissions changed.

Any time you update an app it has the possibility of changing permissions on you.

However the most recent versions of Android/the Market force users to manually update when the permissions change. So when you see update (manual) that's a sign the permissions changed.

 

[wayrad]

You never see root permission in the permissions list for apps that use it, just in the app description or title. Is that one not included in the manifest?

I'm guessing that whoever posted in the other forum about "hidden" permissions maybe didn't hit the "more" button to see ALL the permissions before downloading. Unless they're talking about root. I have seen one root-permission-seeking app (Juice Defender) that never mentioned root anywhere in the Market (at least back when I tried it, dunno if that's changed).

 

[kschang]

This is a question that has not been completely answered to me......... I am wanting to know if a developer has the ability to choose not to display the permissions needed for an app they create. For an example if there is a note taking app in the market that says no permissions needed, but in reality, it does have "internet access" capabilities not shown to the user/downloader, is that possible?????? Is it possible for App permissions to be hidden and not displayed to the user? Can someone explain to me the process on assigning and displaying permissions on android apps? please?

The permission request CANNOT be hidden. It's a part of the Sandbox model Android/Dalvik uses. If you don't request the permission, it's turned off in Dalvik.

In fact, Symantec just the other day posted news of an Android trojan from China pretending to be the "steamy window" app, except it changed the manifest to have a few more permissions than the real app, and in fact turns your phone into part of a botnet.

 

[kschang]

You never see root permission in the permissions list for apps that use it, just in the app description or title. Is that one not included in the manifest?

I'm guessing that whoever posted in the other forum about "hidden" permissions maybe didn't hit the "more" button to see ALL the permissions before downloading. Unless they're talking about root. I have seen one root-permission-seeking app (Juice Defender) that never mentioned root anywhere in the Market (at least back when I tried it, dunno if that's changed).

JuiceDefender will use root/su if you have it, but it CAN work without it.

Besides, root is NOT actually a defined permission in Android OS. At least not officially.

 

[wayrad]

JuiceDefender will use root/su if you have it, but it CAN work without it.

I know, but that doesn't mean they hadn't ought to tell you up front. Especially when it grabs root even if you say no.

Besides, root is NOT actually a defined permission in Android OS. At least not officially.

Yeah, I had a feeling it had something to do with Google not wanting to encourage us.

But then, this means undefined permissions can exist... Not that it really matters, if you have to hack the phone to allow them. And just because we call root a permission may not mean it is one in the same sense as the others, I suppose. I'm really not clear on the whole thing.

 

[droidicus]

You have witnessed first hand apps that you won't name, but give a link to another forum, with a post about someone witnessing first hand apps they wont name either...

I'm sorry, I dont mean anything personal by this, but your evidence of apps granting themselves escalating permissions is.... well isnt any evidence at all.

I have never seen apps granting themselves new permissions.

I'd wager this user (or you) updated apps without realizing the permissions changed.

Any time you update an app it has the possibility of changing permissions on you.

However the most recent versions of Android/the Market force users to manually update when the permissions change. So when you see update (manual) that's a sign the permissions changed.

Thanks for your response, and your concern for lack of evidence. Actually the apps are very clearly listed in bold in the first post of the thread I linked. Connect 4, G1 stock clock widget, and Abduction. And then on the 3rd page two more are listed. Silent toggle widget, and dictionary.com.

I tried it with G1 stock clock widget, it is listed as having no permissions on the market, but after you download it, if you look at the app in app manager it shows permissions for sd card storage and phone state and identity. It has nothing to do with updates. Try it for yourself and see.

 

[alostpacket]

Thanks for your response, and your concern for lack of evidence. Actually the apps are very clearly listed in bold in the first post of the thread I linked. Connect 4, G1 stock clock widget, and Abduction. And then on the 3rd page two more are listed. Silent toggle widget, and dictionary.com.

I tried it with G1 stock clock widget, it is listed as having no permissions on the market, but after you download it, if you look at the app in app manager it shows permissions for sd card storage and phone state and identity. It has nothing to do with updates. Try it for yourself and see.

Ah sorry -- guess my post came off a bit harsh. And you right the list was right there I just overlooked it thinking it was one of those text ads some forums place into posts heh. Mea culpa.

I think I know what is going on now though.

these permissions:

Storage (modify/delete SD card contents)
Phone Calls (read phone state and identity)

are added automatically to any app targeting 1.6 or below

And if you look at:
https://market.android.com/details?id=cn.bluesky.fourinaline&feature=search_result

Requires Android:1.5 and up

That's why it's adding those permissions. Anything pre 1.6 doesnt have those permissions so they get added automatically.

I suspect that either the "app manager" is displaying the wrong permissions for devices running 1.6 or later (telling you the app has permissions that it doesnt really have), or the new version of the market is failing to warn correctly about the auto adding permissions.

None of these apps have escalated their prividges by their own doing though. it's just a weird behavoir with these two privligides not being reported correctly in one of those two places.

I'll see if I can find out which one it is.

 

[alostpacket]

I'll try putting an app together tonight or tomorrow and publish it on the market under my dev account to test this. I have it request 0 permissions and try to get it to show you your own IMEI and phone #, as well as write a single text file to the SD and to delete a file named DONOTEDELETE.txt

I'll test on my nexus one running gingerbread and my Droid 1 running Froyo and post the resullts. I'll also post the source code and APK if anyone wants to take a look.

Probably wont get to this until tomorrow as I'm pretty tired but this should be a fun exercide at least.

 

[droidicus]

I'll try putting an app together tonight or tomorrow and publish it on the market under my dev account to test this. I have it request 0 permissions and try to get it to show you your own IMEI and phone #, as well as write a single text file to the SD and to delete a file named DONOTEDELETE.txt

I'll test on my nexus one running gingerbread and my Droid 1 running Froyo and post the resullts. I'll also post the source code and APK if anyone wants to take a look.

Probably wont get to this until tomorrow as I'm pretty tired but this should be a fun exercide at least.

Thanks so much for taking the time to look into this. I mean am I wrong to be a little scared when I discover apps with permissions that pop up suddenly after I download them? I just feel like with all this droid dream malware news on the rise you can't be too careful. Especially because they say the best way to protect yourself from malware is to be very wary of what permissions apps you download have access to. I look forward to the results of your tests.

 

[alostpacket]

Thanks so much for taking the time to look into this. I mean am I wrong to be a little scared when I discover apps with permissions that pop up suddenly after I download them? I just feel like with all this droid dream malware news on the rise you can't be too careful. Especially because they say the best way to protect yourself from malware is to be very wary of what permissions apps you download have access to. I look forward to the results of your tests.

No problem, it's a neat exercise for me as a dev. And sorry again for coming off harsh before.

I agree checking permissions is a good way to know more about apps, but I've always thought that the community is the best place to check.

You're not wrong to be worried, certainly something is coded wrong there. Either Android is not warning you about permissions it's granting, or it's warning you about permissions it's not granting. So there is clearly a mistake in there at least. I didn't get a chance to get to this yet, but I'll see if I can write at least some of the app before I hit the sack tonight.

 

[alostpacket]

OK it was actually pretty quick to throw it together, and your not gonna like the results

[removed market link, see source code below]

I was able to write a file to SD, delete a file from SD, Read Phone #, and read IMEI with no permission on my Nexus One running Gingerbread (Android 2.3.3) and on my Droid 1 running Froyo 2.2.2.

Full source code and un-signed apk:

http://alostpacket.com/Security_Test.zip



NOTE: I will only leave this link and app published for a short while

 

[Darkseas]

I was able to write a file to SD, delete a file from SD, Read Phone #, and read IMEI with no permission on my Nexus One running Gingerbread (Android 2.3.3) and on my Droid 1 running Froyo 2.2.2.

It read IMEI and phone # on an Intercept running 2.1.1, but I wasn't able to find the file on SD.

 

[droidicus]

OK it was actually pretty quick to throw it together, and your not gonna like the results


https://market.android.com/details?id=com.alostpacket.securitytest

I was able to write a file to SD, delete a file from SD, Read Phone #, and read IMEI with no permission on my Nexus One running Gingerbread (Android 2.3.3) and on my Droid 1 running Froyo 2.2.2.

Full source code and un-signed apk:

http://alostpacket.com/Security_Test.zip



NOTE: I will only leave this link and app published for a short while

No worries about being harsh it was just a misunderstanding. Now, since I know pretty much next to nothing about android app development, can you explain in a little more detail exactly how you programmed the app to have access to permissions that are not listed? Was it a special piece of code you put in to make them hidden?

 

[alostpacket]

It read IMEI and phone # on an Intercept running 2.1.1, but I wasn't able to find the file on SD.

The file it is supposed to write is called SecurityTest.txt or something. It should just be a tiny file that says something like "uh oh, nasa we have a problem" inside.

 

[alostpacket]

No worries about being harsh it was just a misunderstanding. Now, since I know pretty much next to nothing about android app development, can you explain in a little more detail exactly how you programmed the app to have access to permissions that are not listed? Was it a special piece of code you put in to make them hidden?

Basically I think it's a decision Google made to preserve backwards compatability of apps.

Android 1.6 added these two permissions:
- Read Phone State and Identity
- Write/Delete Files from SD

Before that apps had those permissions by default. So any app now using those permissions still has them, however It appears Google tried to warn people about the permissions through the market but didn't do a complete/comprehensive job. There are clearly some chinks in the armor.

Nervetheless, there is a silver lining to all this. Any app that uses the SDK (Software Development Kit) for 1.6 or above, will not be able to get away with hiding these as easily. And Needless to say there are so many improvement in the SDK from 1.6->2.0 that a LOT of devs have forsaken anyone running anything below 2.0 (myself included).

Eventually they will need to enforce this permission more forcefully, as there is no point in making new permissions if malicious malware writers needs only use a bit older code to get around them. However I gather Google made a judgment call as to allow for a grace period. Basically, a time when these permissions were warned about, but not enforced on, older code. I would expect this judgement call to hold true for even newer permissions added in 2.0 (deprecated*) 2.1, 2.2, 2.3, 2.4 and 3.0

So what can we do about it? Well I think the easiest way to know if an app has these two permissions, which are probably the riskiest of any new permissions, is to watch out for apps targeting 1.5.

1.6 should make it harder (but not impossible) to hide these permissions. Less than 4% of phones are still running 1.5 too, and only 6% on 1.6, the rest are running 2.1 and above, so that's a good thing to keep in mind. (source)



So anyways, I took my app down from the market, but will leave the source code up. I'm going to try and remember to update my security guide: http://androidforums.com/android-ap...ps-avoid-viruses-guide-those-new-android.html as well.

The short of it all is this: if you have a device running Android 2.0+ and you want an app that says it only requires 1.5 or 1.6, know that it may be able to write/delete/read from your SD card and it might be able to read your IMEI and phone number.

Hope that helps.

 

[droidicus]

Wow alostpacket thanks for that great info, very much appreciated! I'm still trying to fully understand this. So did those apps that had the hidden permissions have them purely by accident? Or were they programmed in purposefully. And, technically, you're saying that if a developer so desired, he could make a very innocent app that oh sayy, charts your dog's hair growth, that appears to only need permission to take pictures of your dog's hair, yet in actuality, the developer could maliciously and willingly set up the app to steal your phone #, IMEI, and sd card contents, without the user even knowing? And if so isn't this a pretty big hole in the android app system? Sorry for all the questions I just want to try to understand what's going on here.

 

[alostpacket]

I wouldnt call it an accident but more a result of a decision Google made about Security vs backwards compatibility. I didnt get to check all those apps out but I doubt they were malicious. Devs are generally good people, when you think about the fact there are some 100k apps on the market and I think less than 100 have been found to be malicious.

You're correct there is a hole there but it's a temporary one from what I gather. Unfortunately it seems it's a bit inconsistent how the market is warning people though. That's the real problem IMO. But an IMEI # and SD card contents, while they are something you want published aren't where your personl info is stored, like your contacts. This is why I think Google made the judgment call to favor compatibility over security.

Still, this is a potentially exploitable hole, and as you say some apps can appear harmless and have more nefarious purposes. So I'm pretty curious how Google will respond given the bad press they got over the DreamDroid virus just this past week.

For whatever it's worth though, that virus used significantly more sophisticated attacks to gain total control rather than to use a few hidden permissions.

So all in all, this particular security hole doesnt worry me as much as the DreamDroid stuff worries me about the Android platform in general. I'm just starting my own business (as an app developer) and for me to make money, Android NEED to do well. So I guess that's also an important thing to keep in mind. I have some bias in these matters for sure, since I'm trying to make my livelyhood off of this platform.

 

[gilbequick]

Here ya go:
Researchers Find Phone Apps Sending Data Without Notification

And a link straight to the source:
TaintDroid: Realtime Privacy Monitoring on Smartphones

TaintDroid seems to be written for a Nexus One. It would be fantastic for someone with a Nexus One to go through the top/most popular apps out there and see what's really going on.