The Android permissions system is a piece of the Android puzzle that has received a lot of flak lately for being too permissive. It's an on or off proposition that tries to keep you from installing a piece of software you shouldn't. You may think it flawed or spot on, but it's here to stay — until Google puts a system in place like the short-lived App Ops (a tool that offered highly granular control over the permissions an app was given).
If you're unsure what I'm talking about, it's simple: every time you install an app on the Android platform, you are given a listing of the permissions that app requires. To ensure the security of your device, it is imperative to read through that listing to make sure you're not giving an app permissions it shouldn't need or have. It's a very simple system, but one that doesn't offer a lot of control.
Regardless of how good or bad that particular system is, it's what we have at the moment. That's why it's very important that you understand the permissions system and what you're seeing. Armed with that understanding, you'll be able to make better informed decisions on whether to install an app or not.
With that said, let's break down the Android permissions system.
What it does
Effectively, when you go to install an app, the permissions system pops up the complete listing of permissions the app requires to be installed. Most people don't realize that you can actually view the entire permissions listing from within the Google Play Store. Just find an app you're interested in installing, scroll down, and click View Details under Permissions.
The permissions listing is divided into separate systems (along with samples of what each category includes):
- Identity: Find accounts on device, read your contact card
- Contacts/Calendar: Read your contacts, view your calendar
- Location: Approximate and precise locations
- SMS: Receive, edit, send
- Phone: Directly call numbers, read call log
- Photos/Media/Files: Test access to protected storage, modify or delete the contents of your USB storage
- Camera/Microphone: Take pictures and videos, record audio
- Wi-Fi connection information: View Wi-Fi connections
- Device ID & call information: Read phone status and identity
- Other: Receive data from internet, download files without notification, run at startup, prevent device from sleeping
It's a long but very important list. Some of the permissions seem a bit ominous. Take, for instance, Test access to protected storage. This sounds like it enables an app to gain access to what should be a protected location. What this actually means is it makes sure the app can write to external storage — in other words, an external SD card. That's it. If you're unsure of a particular permissions listing, take a look at this detailed developers manifest for each permission.
What you should do (and why this is a problem)
The Android ecosystem assumes its end users know what they're looking at. Some do, some don't. When it comes to permissions, it's very important to understand two very crucial ideas:
- Some permissions involve services/systems that will cost you money
- Some permissions involve services/systems that can lead to insecure devices
However, these are not all-or-nothing issues. Why? One very clear example is the "cost you money" scenario. The permissions system has no way of knowing what your data plan is. Because of this, it must warn you that granting a particular permission could cost you money. In other words, if that app requires the use of SMS — those SMS messages could push you over your data limit and cost you money. Since Android isn't in the know of your data limits, your data plan, etc., it must warn you that costs could be incurred — but that doesn't mean they will be.
The same thing holds true with the insecure devices issue. Apps require the use of the Android system. Some apps require the use of your device ID, some do not. Some require the ability to read your call log, some do not. What's most important is to use a bit of common sense here. If you're installing an app that has nothing to do with your phone, but it requires the use of your phone — think twice about installing said app. If you're installing a simple game, and it requires the ability to place phone calls — think three times about installing said app.
And that is the glaring hole in the Android permissions system. First, it requires the end user to carefully read through the listing. Second, the end user must apply a bit of common sense when reading the listing. Third, it's all or none. You either agree to the permissions (and install the app), or you don't agree (and don't install the app).
A portion of this is rumored to be changing when Google adds the ability to selectively turn on/off permissions within apps (as App Ops did). No one knows when this system will come to fruition, but it's certain to arrive at some point during the "L" life span. But even if/when the App Ops features arrive on the Android platform, the end user will still be beholden to apply a bit of common sense to app permissions. You will be able to better control the app permissions, but it won't hold your hand (or do it for you) in the process.
What to look for
As I've said before (many times), it's crucial that you read through the permissions listing of an app. While you're reading, you should look for permissions that have nothing to do with the app that you're installing. If you find suspect permissions, the first thing you should do is research why the app needs that particular permission. Specifically, ask these questions:
- Logical connections: Do the permissions make sense?
- Physical dependencies: If an app requires permission to control your hardware (such as using the mic or phone)... should it?
- Location dependencies: Does that app really need to know specifically where you are?
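The "logical connections" check above can be made mechanical. This is an added example, not part of the original article: it reads the `<uses-permission>` entries from a text-form AndroidManifest.xml, sorts them into the Play Store groups listed earlier, and reports every group the app's stated purpose doesn't explain. The sample manifest, the package name, and the "simple game needs only Other" expectation are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest permission name -> Play Store group named in the article.
GROUPS = {
    "GET_ACCOUNTS": "Identity",
    "READ_CONTACTS": "Contacts/Calendar",
    "READ_CALENDAR": "Contacts/Calendar",
    "ACCESS_COARSE_LOCATION": "Location",
    "ACCESS_FINE_LOCATION": "Location",
    "RECEIVE_SMS": "SMS",
    "SEND_SMS": "SMS",
    "CALL_PHONE": "Phone",
    "READ_CALL_LOG": "Phone",
    "WRITE_EXTERNAL_STORAGE": "Photos/Media/Files",
    "CAMERA": "Camera/Microphone",
    "RECORD_AUDIO": "Camera/Microphone",
    "ACCESS_WIFI_STATE": "Wi-Fi connection information",
    "READ_PHONE_STATE": "Device ID & call information",
}

# Constructed sample: manifest of a hypothetical "simple game".
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.simplegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def requested_groups(manifest_xml):
    """Return {group: [permission, ...]} for every <uses-permission>."""
    found = {}
    for node in ET.fromstring(manifest_xml.strip()).iter("uses-permission"):
        short = node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
        # Anything not in the table lands in the catch-all "Other" group.
        found.setdefault(GROUPS.get(short, "Other"), []).append(short)
    return found

def review(manifest_xml, expected_groups):
    """Groups requested but not explained by the app's purpose."""
    requested = requested_groups(manifest_xml)
    return {g: p for g, p in requested.items() if g not in expected_groups}

if __name__ == "__main__":
    # Assumption: a simple game plausibly needs only the "Other" group.
    for group, perms in review(SAMPLE_MANIFEST, {"Other"}).items():
        print(f"Research before installing: {group} <- {', '.join(perms)}")
```

The manifest inside a packaged APK is stored as binary XML, so this applies to a manifest that has already been decoded to text.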
What about granular control
Google is working on this. The App Ops system will most likely find its way into the ecosystem. Until then, it's up to the end user to take care while using their smartphones and tablets. I've gone through this plenty of times before, and it can't be said enough — until installing apps allows for granular permission control, use common sense when installing apps on Android. On top of that, install Malwarebytes on all of your Android devices, and use it.
The permissions system isn't perfect, but it's there and does a good job of letting you know what an app requires for use. The creators of malicious apps depend on end users ignoring the permissions listing in order to get their apps into the wild.
What do you think Google needs to do to shore up the app permissions system? Do you think App Ops is the solution? Share your opinion in the discussion thread below.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.