Security on Android

Android is a popular OS with rich variety of applications available from PlayStore. Android controls an app's access to various system services (e.g. WiFi, camera, telephony functions, contacts etc.) by requiring the user to grant requisite permissions at the time of installing apps. Once permissions are granted to an app for accessing certain services, they remain effective until app is uninstalled.

When installing an app for certain use, most users search the PlayStore and often pick the top recommended or rated free or paid app that meets their requirement. Once an app has been selected most users install it without paying much attention to the permissions demanded by that app, much less the implications of granting those permissions. Even though Google has simplified the descriptions of various permissions, still a normal non-technical user often cannot assess the real implications of granting those permissions to an app. Given an app's functionality, what permissions should it actually require is difficult for a normal user to assess.

Consider, for instance, Microsoft Lens Android app. Brief description of this app states:
Office Lens trims, enhances, and makes pictures of whiteboards and docs readable. You can use Office Lens to convert images to PDF, Word and PowerPoint files, and you can even save images to OneNote or OneDrive. 
It is basically a document scanner app. You would expect that in order to provide the stated functionality properly such an app should normally require the permissions for accessing device's camera, storage and the network (WiFi etc.). However, the actual list of permissions required by this app is:


Identity
  • find accounts on the device
  • read your own contact card
  • add or remove accounts
Contacts
  • read your contacts
SMS
  • receive text messages (SMS)
Photos/Media/Files
  • modify or delete the contents of your USB storage
  • read the contents of your USB storage
Camera
  • take pictures and videos
Device ID & call information
  • read phone status and identity

Other
  • download files without notification
  • Access download manager.
  • create accounts and set passwords
  • use accounts on the device
  • view network connections
  • full network access
  • Google Play license check
Considering the primary purpose of this app, one wonders why this app should need to read your SMS messages, read your contacts, read call details etc. This is just one example, incidentally from a well known (trusted?) company. There are thousands of apps existing on PlayStore which demand way more permissions than would actually be required to perform the app's stated functions. Clearly, the developers of such apps want to exploit information found on or through your device. I'm not saying that all such apps are malicious. However, there is high probability that a large number of those apps are interested in exploiting your data in a manner that you may not like. After all, nothing comes for free in life :) If someone is giving you a free app it is highly likely that there is some way for the developer to derive benefit from the offering. For most users it is perfectly acceptable if the app uses normal monetization methods such as displaying ads etc. Things become murky when data lifted from/via a user's device gets exploited in ways which would be unacceptable to the users had such exploitation been clearly disclosed to the user.

A large number of apps on PlayStore are in a position to compromise different aspects of user privacy (see this article). Given the intimacy that mobile devices such as smartphones and tablets enjoy, it is important that mobile platforms implement proper measures (which are also easy for app users to understand) for protecting against rogue apps and developers who exploit users sensitive information. In my humble opinion, Android as of today lack in this area.


Comments

Post a Comment

Popular posts from this blog

Implementing a secure contact tracing system

Contact tracing means identifying people who have been in close proximity to each other for a certain duration of time. In recent days the COVID19 pandemic has brought this topic into the attention of governments trying to contain the outbreaks of the disease. However, there have been widespread concerns about the user’s data and privacy being compromised via the contact tracing app. The following report provides a useful database and analysis of the currently available apps that do contact tracing: https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/ As can be seen from the above report, a large chunk of those apps are considered invasive and do not clearly outline how they actually work, and what they do with the potentially sensitive data that they capture from the user’s device. A possible design for a transparent and secure contact tracing solution The Bluetooth and GPS enabled smartphones carried by the population are the most commonly used d
Read more

Data leakage possibilities with Aadhaar based e-KYC systems

Image
A recent incident in July 2017  that involved alleged data theft through a KYC app has added to the confusion and concerns in the minds of users about security and confidentiality of their biometrics and other PII data that are maintained by UIDAI . I am a bit skeptical about how PII is handled by various agencies who collect and transact with such data in our country. The concern about having my biometrics and other data lifted was at back of my mind when I was giving my fingerprint at a mobile phone shop for taking a new data connection last week. It was not until a friend asked me for some clarifications about internals of biometrics based authentication systems that I paid close attention to various possible leakage points in Aadhaar based eKYC/authentication  applications.  The overall architecture and process steps involved when using Aadhaar APIs for performing, say, authentication of an Aadhaar card holder are explained in its API documentation . For the sake of und
Read more

Opprtunities for improving security in GoI apps

Image
Recent nationwide lock down due to COVID19 situation has forced me to try using some of the apps designed by various agencies of the central and state governments in India. It is heartening to see that we have done some serious work towards adoption of digitization of several services. The apps that I tried using included: BHIM by National Payments Corporation of India (NPCI) https://play.google.com/store/apps/details?id=in.org.npci.upiapp&hl=en_IN Aarogya Setu by NIC (https://play.google.com/store/apps/details?id=nic.goi.aarogyasetu) Interestingly, both of these apps came into being in response to a crisis situation. The BHIM system came into limelight after the November 2016 demonetization event. Aarogya Setu is believed to be an app for tracing COVOD-19 contacts of the people who may be infected by the virus. Lets talk about the BHIM app first. It seems to have matured today, and has a wide user base. The permissions required by BHIM app for its functioning are listed here unde
Read more