
Android permissions explained, security tips, and avoiding malware

This is a good post. With my first Android (eris) and smartphone even, I was wondering about this stuff this weekend.
One question I had that is not answered in here is how the list of permissions for an app is generated? Does the developer go down a checklist ticking off boxes (which leaves room for a lot of lying) or is it generated automatically so we know it's accurate?


This is a great post. Please sticky.
 
Upvote 0
I'm not 100% sure actually whether the app declares what it needs or the market checks automatically. What I do know, however, is that an app won't get any permissions unless they are listed on that screen. In other words, an app might request permissions it doesn't use, but it will never get to use permissions unless the user agrees to them before downloading. So in essence it's a bit of a moot point, but I will look up the process and update the thread with what I find.


 
Upvote 0
Just so I am clear, what you are saying is that if the permissions are not requested on that screen, then the app can't get the info? It is impossible for an app to pull my contacts' info or my google account info if it's not requested at time of install?
That is good to know.

Thanks again for this!


correct
 
Upvote 0
How about locking down google checkout, how can you do this, it seems anyone can pick my phone up and buy stuff on the marketplace which means I'm a bit buggered if someone steals my phone.


You should use the pattern lock or an app like wave secure. Getting your phone stolen is not really related to app security though.
 
Upvote 0
It will run down your battery, yes, but you would notice that. It's OK in the sense that you could uninstall any app you don't want keeping your phone awake and it won't harm your phone anymore. Also it has very legitimate uses for, say, a music app or nighttime alarm clock type app.

All in all it's mostly a harmless permission and (while not impossible) I can't imagine it ever being used to harm someone's phone.


 
Upvote 0
Great post, after reading it confirmed my suspicion that someone was trying to phish my account. A few days ago I started receiving emails from Windows Live stating that I requested a password change and it gave me a link to confirm and proceed with the change, the problem is I never requested such a change. I sent an email thru the link to notify them of this and I got no response, I just kept receiving the same email from Windows Live. I decided the safest thing to do was ignore these emails and leave my password info unchanged. I would appreciate any info anyone has about what steps if any I should take from this point. Also, I want to purchase apps from the market but I'm skeptical to use my debit card being that it's a direct link to my bank account, I do not have a CC so my only way of making online purchases is with my debit. Is it safe to use a debit card? Any help is greatly appreciated, thanks
 
Upvote 0
I would check with your bank about what kind of safeguards they have for you on your debit card. If not, it's always good to have a credit card with a nice low limit for internet stuff. Almost all credit cards allow you to do what's called a "chargeback" where you can cancel any fraudulent charges if you report it within a few days. But, and I can't stress this enough, check with your specific bank or credit card issuer about their policies. If you don't understand the fine print, give them a call on the phone and make them explain it to you. Another good idea is to set up spending alerts with your bank. When my debit is used for a purchase of $200 or more I get an email (or SMS) within an hour from my bank letting me know.

As for purchasing apps on the market I think it's reasonably safe since it's mostly handled by Google Checkout. However nothing is guaranteed, especially on the internet. Google Checkout is probably about as safe as PayPal, which is reasonably good but not perfect.
 
  • Like
Reactions: jopemon
Upvote 0
Cool, thanks for the quick response and the great advice, I think I'm going to open a separate checking account just for online purchasing. As for the phishing problem, does this sound like an avenue that hackers use to get your info, by having you change your password because they don't know it but when you change thru their link they now would know what you changed it to?
 
Upvote 0
I wouldn't open a separate checking account, just talk to your bank and find out what protections you have in place. One of the differences with debit and credit cards is that credit cards almost always have the chargeback protection, while debit (checking) cards do not often have it. Sometimes debit cards do have the same protection though, it really varies from what I have heard. So check with your bank. :)

As for the phishing, yes that's a possible scam to get your email address, or it could even be someone accidentally entering your email address to try and change their password. Either way, you are correct in that the safe thing is to ignore the emails.
 
Upvote 0
Really well done. Good organization & overall tone -- reasonable, encouraging of common sense, ...

Been looking for permissions rosetta stone, and your write-up is a great step forward.

Uh oh, what's wrong with WordPress blogs? I believe I've found helpful info in this format too, but there may be something I'm overlooking.

I might consider adding, if it's not clear from Market description and web site, e-mail dev.

Thanks very much.
 
Upvote 0
This should be stickied, or better yet, a wiki so that people can update it freely.

Another interesting permission that should be mentioned is "read phone state and identity" (required, for example, by the Speedtest.net application). This sounds like the app can read your phone number or IMEI. Some say the permission is not that important, while other reports indicate that your IMEI can indeed be read - Locale leaks your IMEI, and the most likely permissions required by Locale to do that are "read phone state and identity" and "modify global system settings".
 
Upvote 0
Alostpacket, great post. I was wondering about a couple things. First, is it possible to see the permissions of a given application AFTER it has been installed? Second, is it possible to change those permissions? Thx.

Both good questions. To see the permission given to an application after installation, go to the market, press menu, downloads, then select the app, press menu again, then press security.

It is not possible to change those permission after installation though.
 
  • Like
Reactions: momist
Upvote 0
This should be stickied, or better yet, a wiki so that people can update it freely.

Another interesting permission that should be mentioned is "read phone state and identity" (required, for example, by the Speedtest.net application). This sounds like the app can read your phone number or IMEI. Some say the permission is not that important, while other reports indicate that your IMEI can indeed be read - Locale leaks your IMEI, and the most likely permissions required by Locale to do that are "read phone state and identity" and "modify global system settings".

Thanks for the tip, will check this out this weekend. If anyone wants to make a wiki too they are free to copy as much of this guide as they wish. :)
 
  • Like
Reactions: RGSA7
Upvote 0
