Help This application can access.... wait, what?

[Haelous]

I came across an app I considered questionable on the market the other day, and I figured I'd go over what I had installed. I perused my 90 apps, and ended up taking off one or two.

After going through what I've installed, I decided to look at some apps already on the phone. I feel kind of uncomfortable with what I discovered.

FM Radio -

• read SMS or MMS
• write contact data
• full Internet access
• modify/delete SD card contents - Presumably for storing the scanned channels
• read phone state and identity
• change your audio settings - Volume, etc
• display system-level alerts, modify global system settings, prevent phone from sleeping
• read Home settings and shortcuts, write Home settings and shortcuts

PDF Viewer

• mount and unmount filesystems

I do not get this one at all. Adobe Reader on the market doesn't need it. Why does this PDF Viewer?

HTC Widgets - These can do basically anything, but here's a couple things:

• Directly call phone numbers, send SMS messages
• coarse (network-based) location, fine (GPS) location
• Google mail

Why does Facebook, Twitter, and Weather need access to these things? Coin flip? Clearly it needs to Twitter, Facebook, and SMS everyone I know whenever I flip. I wouldn't want them to miss out.

Am I the only one who's even slightly concerned by these?

 

[alison03]

I'm concerned as well. I am new to smartphones so I want to be extra careful about a lot of these things. Another one that somewhat concerned me (not so much for privacy) but just for my phone's functionality: "prevent phone from sleeping"

 

[MrGoodCat]

i'd suggest making a tin foil hat for your incredible if you are that worried...

 

[milnivlek]

If this is anything like the application rights management for Nokia's Symbian Signed program, it's probably nothing to worry about. App developers basically have a menu of app rights that they can choose to request, and some devs are just a bit more liberal in selecting which rights to request (perhaps because their development vision was more ambitious/open-ended initially). In reality, their apps may only actually use a fraction of the app rights selected.

Also, sometimes the description of the app rights may be more general than what the app actually needs. In Symbian's case, this is because the rights are grouped into pre-defined groups (like the "display system-level alerts, modify global system settings, prevent phone from sleeping" example above) that can't be split into finer-grained sub-rights. So if an app developer just wanted to "display system-level alerts", he still has to request the right to do all of the above, even if he had no intention of utilizing the "modify global system settings, prevent phone from sleeping" functionality.

Of course, if you do find something that seems doubtful, it likely wouldn't hurt to at least ask the dev to clarify his/her intent.

 

[techboy]

Is there a developer web page that lists all of these 'access resources' so we can at least determine the possible risks and make decisions before we download and install? Granted access in situations you just described is probably 99% as you say. But for that 1% who may have alternative motives (access and copy back your account lists, phone numbers, and other data, etc. for say, viral marketing purposes) once you grant access, your data is shared and the damage is done. Once an application has access, can it 'upload' this data back to the application developer if it has full internet access or is this access limited to just the local phone environment?

 

[zurloid]

Yes. The page can be found here:

Manifest.permission | Android Developers

 

[Adamx]

i'd suggest making a tin foil hat for your incredible if you are that worried...

While true that rarely are any apps malicious, this practice of asking for permissions that are not required for the app to operate is setting the android community up for a big wake up call in the future.

There will someday be an app that is malicious, and it will ask for the same permissions everything else does, and because it's common practice, no one will question it. The payload will likely be a DDOS that you don't even know your phone is doing until your carrier cuts you off completely, along with thousands and possibly millions of others.

Because such an app could seem completely innocuous, and code for such an app easy to write and hide, there may already be such apps in circulation, just waiting for the right time or update to become active.

If we could disable permissions we don't want apps to have, taking our chances with whether or not it would work properly, then this could and would be avoided. If all market apps were properly screened and denied when they require permissions that do not make sense for their purpose and use, this could also be avoided.