Beginner's Guide to Android

Android PSA: Read security permissions before installing an Android app

July 29, 2010 | by Andrew Kameka


Hey there, Android fans. You may wake up this morning to discover that there’s an allegedly rogue application in the Android Market that is stealing people’s data when installed. According to a security firm that happens to offer mobile security software, this app disguises itself as a wallpaper downloader, then grabs users’ personal information – SIM card number, SMS messages, and voicemail subscriber info – and sends that data to a server in China.

Now, aside from the opportunistic nature of a security firm being the one to report this, there’s an obvious lesson here that thousands of Android users have yet to grasp. That lesson is that they need to read the permissions requests whenever they install an Android app. Always.

Before an app can be installed, Android displays a page explaining to users what types of functions the app wants to perform. Familiarize yourself with that screen because it is your friend. It will tip you off when an app has questionable motives, and will allow you to use common sense about which apps to install and which apps to run away from. The screen typically looks like this:

A screenshot of MixZing, which is NOT the supposedly malicious app

Look at the permissions requested by the supposedly malicious app, Wallpapers:

  • Your Location
  • Network communication (full internet access, view network state)
  • Storage (modify/delete SD card contents)
  • Phone calls (read phone state and identity)
  • System tools (set wallpaper)

Does that look right to you? Of course not. It raises suspicion that an app designed to change my wallpaper needs to know where I’m located or who I make calls to. The only permissions it really needs are Storage and System Tools, which tips me off that I shouldn’t be installing this app.

UPDATE: The developer of the app claims that he collects device data because users requested it so they can more easily use the app if they have to wipe the phone and reinstall the app.

There are some Android apps that legitimately need to know that type of information. Locale changes settings based on GPS coordinates, so it makes sense that it wants to know my location; Phonebook replaces the default dialer and contacts app, so it has a right to request Phone call permission; MixZing downloads information from the web for playback, so it should request Network communication. However, some ringtones, wallpapers, games, etc., have no reason for requesting such information. Unless the app describes a particular feature that would require that permission, you have to question the developer’s motives.
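The comparison described above, as an added example (not code from the original article): it reads the `uses-permission` entries of a decoded AndroidManifest.xml and flags any whose install-screen group falls outside what the app's category should need. The sample manifest, its package name, the choice of `ACCESS_COARSE_LOCATION` for "Your Location", and the `EXPECTED` baseline are assumptions constructed from the permission list above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Install-screen group for each standard Android permission name.
GROUPS = {
    "android.permission.ACCESS_COARSE_LOCATION": "Your location",
    "android.permission.ACCESS_FINE_LOCATION": "Your location",
    "android.permission.INTERNET": "Network communication",
    "android.permission.ACCESS_NETWORK_STATE": "Network communication",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
    "android.permission.READ_PHONE_STATE": "Phone calls",
    "android.permission.SET_WALLPAPER": "System tools",
}

# Assumption: baseline per app category; the wallpaper entry is the article's judgement.
EXPECTED = {"wallpaper": {"Storage", "System tools"}}

# Constructed sample manifest mirroring the permission list shown for "Wallpapers".
SAMPLE_MANIFEST = """<manifest package="com.example.wallpapers"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return [name for name in names if name]

def review(manifest_xml, category):
    """Sort requested permissions into expected / questionable / unknown."""
    report = {"expected": [], "questionable": [], "unknown": []}
    for perm in requested_permissions(manifest_xml):
        group = GROUPS.get(perm)
        # Unmapped permissions get their own bucket instead of passing silently.
        bucket = "unknown" if group is None else (
            "expected" if group in EXPECTED[category] else "questionable")
        report[bucket].append(perm)
    return report

if __name__ == "__main__":
    for verdict, perms in review(SAMPLE_MANIFEST, "wallpaper").items():
        print(verdict, perms)
```

A permission in the "questionable" bucket is a prompt to look for a described feature that justifies it, not a verdict on the app.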

Android is an open platform, so there’s no walled garden protecting users from questionable practices. Having a phone that provides more freedom with apps means that you also have to take on the responsibility of policing your device. Always read the permissions before installing and think about why certain apps make certain requests.