Google Locks Down Excessive Android App Permissions

Google IO

Today at Google I/O, the company announced a new system for Android that it hopes will urge developers to seek fewer excessive permissions for mobile applications.

Excessive mobile application permissions have long been a security and privacy concern, in particular for Android users who download apps for the platform from a number of sources, and not just from Google.

The most notorious case is likely Goldenshores Technologies LLC, which agreed to settle charges with the U.S. Federal Trade Commission that it deceived consumers who downloaded its Android flashlight application that requested an inordinate amount of permissions, including geolocation, which was shared with advertising networks.

Today at its annual I/O event, Google announced a new system coming to Android that brings the platform closer to Apple’s way of doing business. The system will enable users to download apps with zero permissions granted, and then during the course of normal usage, users will be prompted by the app if they want to extend any number of permissions.

In the past, mobile apps have overreached, looking for access to contact lists, SMS messaging, built-in cameras and microphones, images and more. Malicious apps, meanwhile, can take advantage of this environment, for example, to send premium SMS messages at great cost to the user and great profit for the criminal. Permissions are generally granted en masse during download, and generally consumers who aren’t as security savvy, will agree to whatever conditions they’re presented so long as they can download their app quickly. To illustrate, the U.K.’s Information Commissioner’s Office (ICO) last September published a report that examined 1,200 popular apps and the permissions they seek. Most apps (85 percent), the study concluded, do not explain in clear language to users what information is collected, how it’s collected, nor how it’s used and disclosed; the availability of a privacy policy is also dubious in most cases, the ICO said.

During the I/O keynote in San Francisco kicking off the event, Google said it hopes the new system encourages developers to consider user privacy and security at the outset, and seek less data from the device, and consequently, the user. Under the new system, users will make a one-time decision whether to grant or deny the app the individual permission in question with the understanding that denying may limit the app’s features and functionality.

“Hopefully this helps users pay more attention and understand the security impact of any applications they install,” said Steve Manzuik, Director of Security Research at Duo Security.

Google has been slowly moving in this direction since introduction of Android 5.0, or Lollipop, which deployed kernel-level policy enforcement via SE Linux and turned on device encryption by default. Both moves helped curb the risk of excessive permissions by bringing application enforcement to the kernel.

Google’s first Android Security Report, released in April, put some hard numbers behind the effectiveness of other security measures in the OS, notably Verify Apps (the old Bouncer), and Safety Net. Both measures cut down on the number of potentially harmful apps users are allowed to download from Google Play. For example, as of the report’s publication, fewer than one percent of Android devices had a harmful app installed and 0.15 percent of devices that downloaded only from Google Play had a harmful app installed.

I/O image via Maurizio Pesce‘s Flickr photostream, Creative Commons

Suggested articles

enterprise mobility cyberthreats risk management

Mobile Risks Boom in a Post-Perimeter World

The bloom is on mobile, whether it be the enterprise, employees or the cybercriminals plotting new ways to slip past a corporate defenses in a post-parameter world.

Discussion

  • Brian on

    This has been the most glaring fault with the Android system since day one. Totally stupid and irresponsible design by Google
  • Overkill on

    They need to allow some permissions to be split into more granular options. I am tired of spotting legitimate applications apologising for asking for more permissions than they need, as it is the only way to deliver a basic and common functionality.
  • Steve on

    It's the number one complaint in all the comment sections of apps. Glad they're finally cracking down on this.
  • Stephen on

    Today at its annual I/O event Google lost all credibility with the flat lie that " ... fewer than one percent of Android devices had a harmful app installed and 0.15 percent of devices that downloaded only from Google Play had a harmful app installed." Randomly look at 10 App Store apps and you will find 4 of them have exceedingly excessive permissions that allow them to control virtually every aspect of your phone. They can make you think you turned your phone off, keep it on and the screen dark, stop ringing and vibration, collect every bit on information of any kind anywhere on your phone, record you non-phone conversation, take pictures and videos, glom onto any other blue tooth discoverable device nearby and steals its data too then find WIFI or simply make a phone call to download all of the info mined. In the eyes of Google. none of that is "harmful."
  • Mike on

    Finally... Go SMS is one of those that goes outside of Google Play to send you ads, push you to upgrade and bypass the fact that you already paid. You can also see by the release of Windows 10 that privacy is no longer a concern by the major manufactures since we discovered that it is the most intrusive and telemetry tracking version of Windows ever released. I only mentioned this because this is the way of the 21st century. Everyone screams for privacy yet those who actually create the OS's are in the mind that you have no choice.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.