Security on Android

Android is a popular OS with rich variety of applications available from PlayStore. Android controls an app's access to various system services (e.g. WiFi, camera, telephony functions, contacts etc.) by requiring the user to grant requisite permissions at the time of installing apps. Once permissions are granted to an app for accessing certain services, they remain effective until app is uninstalled.

When installing an app for certain use, most users search the PlayStore and often pick the top recommended or rated free or paid app that meets their requirement. Once an app has been selected most users install it without paying much attention to the permissions demanded by that app, much less the implications of granting those permissions. Even though Google has simplified the descriptions of various permissions, still a normal non-technical user often cannot assess the real implications of granting those permissions to an app. Given an app's functionality, what permissions should it actually require is difficult for a normal user to assess.

Consider, for instance, Microsoft Lens Android app. Brief description of this app states:
Office Lens trims, enhances, and makes pictures of whiteboards and docs readable. You can use Office Lens to convert images to PDF, Word and PowerPoint files, and you can even save images to OneNote or OneDrive. 
It is basically a document scanner app. You would expect that in order to provide the stated functionality properly such an app should normally require the permissions for accessing device's camera, storage and the network (WiFi etc.). However, the actual list of permissions required by this app is:


Identity
  • find accounts on the device
  • read your own contact card
  • add or remove accounts
Contacts
  • read your contacts
SMS
  • receive text messages (SMS)
Photos/Media/Files
  • modify or delete the contents of your USB storage
  • read the contents of your USB storage
Camera
  • take pictures and videos
Device ID & call information
  • read phone status and identity

Other
  • download files without notification
  • Access download manager.
  • create accounts and set passwords
  • use accounts on the device
  • view network connections
  • full network access
  • Google Play license check
Considering the primary purpose of this app, one wonders why this app should need to read your SMS messages, read your contacts, read call details etc. This is just one example, incidentally from a well known (trusted?) company. There are thousands of apps existing on PlayStore which demand way more permissions than would actually be required to perform the app's stated functions. Clearly, the developers of such apps want to exploit information found on or through your device. I'm not saying that all such apps are malicious. However, there is high probability that a large number of those apps are interested in exploiting your data in a manner that you may not like. After all, nothing comes for free in life :) If someone is giving you a free app it is highly likely that there is some way for the developer to derive benefit from the offering. For most users it is perfectly acceptable if the app uses normal monetization methods such as displaying ads etc. Things become murky when data lifted from/via a user's device gets exploited in ways which would be unacceptable to the users had such exploitation been clearly disclosed to the user.

A large number of apps on PlayStore are in a position to compromise different aspects of user privacy (see this article). Given the intimacy that mobile devices such as smartphones and tablets enjoy, it is important that mobile platforms implement proper measures (which are also easy for app users to understand) for protecting against rogue apps and developers who exploit users sensitive information. In my humble opinion, Android as of today lack in this area.


Comments

Popular posts from this blog

Data leakage possibilities with Aadhaar based e-KYC systems

Cost of ownership for a car

Opprtunities for improving security in GoI apps