No worries about being harsh; it was just a misunderstanding. Now, since I know pretty much next to nothing about Android app development, can you explain in a little more detail exactly how you programmed the app to have access to permissions that are not listed? Was it a special piece of code you put in to make them hidden?
Basically I think it's a decision Google made to preserve backwards compatibility of apps.
Android 1.6 added these two permissions:
- Read Phone State and Identity
- Write/Delete Files from SD
Before that, apps had those permissions by default. So any app now using those permissions still has them; however, it appears Google tried to warn people about the permissions through the market but didn't do a complete/comprehensive job. There are clearly some chinks in the armor.
Nevertheless, there is a silver lining to all this. Any app that uses the SDK (Software Development Kit) for 1.6 or above will not be able to get away with hiding these as easily. And needless to say, there are so many improvements in the SDK from 1.6->2.0 that a LOT of devs have forsaken anyone running anything below 2.0 (myself included).
Eventually they will need to enforce this permission more forcefully, as there is no point in making new permissions if malicious malware writers need only use a bit older code to get around them. However, I gather Google made a judgment call to allow for a grace period. Basically, a time when these permissions were warned about, but not enforced on, older code. I would expect this judgment call to hold true for even newer permissions added in 2.0 (deprecated*), 2.1, 2.2, 2.3, 2.4 and 3.0.
So what can we do about it? Well I think the easiest way to know if an app has these two permissions, which are probably the riskiest of any new permissions, is to watch out for apps targeting 1.5.
1.6 should make it harder (but not impossible) to hide these permissions. Less than 4% of phones are still running 1.5 too, and only 6% on 1.6, the rest are running 2.1 and above, so that's a good thing to keep in mind. (source)
So anyways, I took my app down from the market, but will leave the source code up. I'm going to try and remember to update my security guide:
http://androidforums.com/android-ap...ps-avoid-viruses-guide-those-new-android.html as well.
The short of it all is this: if you have a device running Android 2.0+ and you want an app that says it only requires 1.5 or 1.6, know that it may be able to write/delete/read from your SD card and it might be able to read your IMEI and phone number.
Hope that helps.
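The check suggested in the post above (watch for apps targeting 1.5), as an added example that is not part of the original post or the poster's app: it reads an already-decoded, plain-text `AndroidManifest.xml` and reports which of the two permissions an app would hold without listing them. It assumes the platform rule that both are granted implicitly when the effective target API level is below 4 (Android 1.6); the function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions introduced with API level 4 (Android 1.6). Assumption stated in
# the lead-in: apps targeting a lower API level hold them without declaring them.
IMPLICIT_BELOW_API_4 = (
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
)


def effective_target_sdk(root):
    """targetSdkVersion falls back to minSdkVersion, which falls back to 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    min_sdk = int(uses_sdk.get(ANDROID_NS + "minSdkVersion", "1"))
    return int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", min_sdk))


def undeclared_implicit_permissions(manifest_xml):
    """Return the permissions the app holds implicitly but does not list."""
    root = ET.fromstring(manifest_xml)
    if effective_target_sdk(root) >= 4:
        return []
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    return [p for p in IMPLICIT_BELOW_API_4 if p not in declared]


# Constructed sample manifests (not taken from any real app).
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">'
_NET = '<uses-permission android:name="android.permission.INTERNET"/>'
TARGETS_1_5 = _HEAD + '<uses-sdk android:minSdkVersion="3"/>' + _NET + "</manifest>"
TARGETS_1_6 = (_HEAD + '<uses-sdk android:minSdkVersion="3" android:targetSdkVersion="4"/>'
               + _NET + "</manifest>")
NO_USES_SDK = (_HEAD + '<uses-permission android:name="android.permission.READ_PHONE_STATE"/>'
               + "</manifest>")

if __name__ == "__main__":
    for name, xml in [("targets 1.5", TARGETS_1_5), ("targets 1.6", TARGETS_1_6),
                      ("no uses-sdk", NO_USES_SDK)]:
        print(name, "->", undeclared_implicit_permissions(xml) or "nothing hidden")
```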