Google’s revamped app permissions for Google Play are not being well received by Android users. Reddit threads are rife with adjectives such as “stupid” and “dangerous,” primarily because Google’s attempt to simplify permissions granted to automatically updated applications may in fact expose users to greater risk.
Google has created 13 permissions groups, broad categories with a number of narrower permissions underneath that could be granted to an app. When a user grants a permission within a group, all other capabilities in that group are granted the same OK. No overt mention of any new permission is displayed, though a user could manually view them in a dropdown.
A user rushing through the installation of a new app, for example, could give it access to contacts stored on the device or grant it permission to read and send SMS messages, including expensive premium SMS messages.
“When an app updates, it may need to use additional capabilities or information controlled by permissions,” Google explains on its support page. “If you have automatic updates enabled, you won’t need to review or accept these permissions as long as they are included in a permissions group you already accepted for that app.”
Google also gives users the ability to review updates manually and change update settings, but for most consumers, this is an unlikely scenario; most just want their app and want it to work.
“The Android permission framework has always been a hot topic, since it’s a delicate balance of security and usability,” said Jon Oberheide, CTO at DuoSecurity. “Coarse-grained permissions make it easier to understand but you might lose out on important security-relevant details. Fine-grained permission may confuse the average user but offer more powerful security mechanisms.
“It might seem like removing the ‘app permission changes’ during the update process is a bad thing from a security POV. But, if 99.99 percent of users don’t pay attention to it, is it providing any value?” Oberheide said. “For example, it may be more important that users receive app updates in an expedient manner that may patch risky application vulnerabilities.”
Most of these changes, however, are a privacy issue, such as location tracking, more so than a security problem.
“We security researchers love to argue about this stuff, but it’s a tough balance and no way Google can satisfy everyone,” said Oberheide. “More importantly, waxing on about the permission framework on Android and its impact on security is a silly exercise as most critical privilege escalation vulnerabilities can be exploited by malicious apps without any permissions at all.”