Android and Privacy: Guide to Android Application Permissions
Android App Permissions
Android app permissions are causing a bit of upset for many people concerned that their personal details are in danger. As the Android system is aimed at managing a lot of your data in a ‘cloud’, there is a lot of interaction between data on your system and that on the web. When installing any new app, the installer will show a list of permissions that are put in place to inform the user how the app will be using data on your Android device. The permissions page is there for a reason, and anyone worried about their privacy being in jeopardy should take a good look at them before installing any application.
Types of Android Application Permissions
Surely everybody has wondered what all the permissions that pop up on the screen just before installing an Android app actually mean. Here is a breakdown of all types of Android application permissions, and what they do. Each of the categories has a series of subcategories that describe in more detail what they do. However, they will never go beyond the ‘jurisdiction’ of the ‘mother-category’. As most are pretty much self-explanatory, only a small amount of text is added to indicate how seriously certain permissions should be taken:
Services that Cost You Money - This category deals with apps that use services such as calling and texting. Potentially they can cost you money, but a popular SMS app such as Handcent will only use it to allow you to directly call a contact that just texted you.
Your Messages - This permission category deals with the ability to read and write SMS and MMS messages.
Storage - This is pretty straightforward as this lets an app read/write to the SD card or internal memory of the phone.
Your personal information - This is the permission category to look out for, as it is able to read through your contact list of any of the accounts configured in your phone. Examples of apps that will use this permission are SMS/MMS apps or phonebook replacement apps and the likes. An app that for instance triggers the torch of the phone will NOT need this permission, especially not in combination with for instance ‘network communication’.
Phone calls - This permission deals with reading the state of the phone and identity. This can be a bit of questionable permission as it allows apps to read the IMEI, IMSI and 64-bit unique ID of the phone. Apps can use this for finding out about piracy, but this is not transparent. The state of the phone deals with an app being able to read if you are on the phone or not.
You location - This permission category deals with your location, either through GPS or through mobile networks. It is quite obvious that only location-based applications, such as Google maps or weather apps, should use this. Again, a torch app should not!
Network communication - This permission grants Internet access to an app. Obviously the internet is the way a malware app will be able to ‘steal’ your (personal) data, so be wary of which apps use this.
System tools - The system tools permission will be used by most applications as through this they can function. However, potentially, through modifying system tools an app could get access to certain sensitive information on the phone. Therefore it is essential to check which subcategories are listed to see if it seems logical for an app to get certain permissions.
Hardware Controls - This permission category deals with apps that use hardware aspects of the phone. As a lot of applications make use of the hardware specs of an Android phone, most apps will use this permission. Anything little like an SMS app vibrating when a message arrives cannot work without this permission. Theoretically an app could take pictures and make recordings without you knowing. A bit of caution might therefore be needed to make sure that an app truly has the need for this permission.
Your Accounts - This permission gives an app the chance to check which accounts are activated to provide the user the options to interact with it. It doesn’t necessarily approve an app to use the account for anything by itself.
How to Interpret the Permissions and Guard Against Malicious Apps
In theory it should be easy for concerned users to filter out apps that look dodgy. The Android application permissions are put in place to grant users a level of transparency. Google has also provided a full list of app permissions that should make it easy to filter out the ones that do not fit with what the app advertises to do. As permissions show exactly what the app will be using in the phone, common sense will often be enough to determine if this seems logical. After all, a weather app will most definitely be wanting to use the GPS permission, as well as internet access to download weather updates. But does that same app really need access to for instance the ‘Services That Cost Money’, or ‘Your Accounts’ permission? Things get a bit more difficult, however, when you realize that many free apps use Internet and location access just for the sole reason of being able to advertise, and as such are hard to check. These apps may need the Internet permission, even though that wouldn’t necessarily make sense at first. You could be missing out on a perfectly fine application if you decide that it seems too suspicious at first. Also consider, that if these apps are not able to advertise, perhaps they would not even be free. So does the free factor outweigh a potential privacy breach?
How Could Permissions be Changed to Better Protect the User?
This last question should not even need to be asked. As mentioned before, the Android application permissions are put in place to provide users with a certain level of transparency as to what an app will access. Many are not satisfied with the way this is presented currently, as it leaves a lot to be discovered afterwards. There are other options. One of these options is to follow the BlackBerry model and allow for users to individually allow an app to use certain permissions. Another possibility could be to have a developer explain in greater detail how an app intends to use certain permissions. Surely, either of these, or any other option that guarantees the privacy of Android users should be considered. As long as this remains to be done, users should be wary of what they install, and always research apps that they think are not to be trusted. As Android has an increasingly significant user base, there should be enough info going around on the Internet for everyone to find. In the end you can almost forget that these machines are meant to make phone calls in the first place.
Read about How to Use Android Market Safely for more on this topic.