Usually an installed android app will request permissions such as
Phone calls
read phone state and identity
or
System tools
prevent phone from sleeping
But the actual consequences from a privacy stand-point is often a mystery to me. Is there a resource that explains the risks involved in these permissions in a greater detail? Especially regarding privacy and personal information security.
(Pros would be such as one with practical examples, analysis, pitfalls, providing complete a lists.)
Answer
General information
You might want to take a look at What do the permissions that applications require mean? -- our "community wiki" which hopefully becomes such a ressource one day. Next to that, you might want to take a look at App Permissions Explained – What Do They Really Mean?, a blog article at AndroidPIT giving at least some short explanations.
TechPP's article Use Permissions to Secure Your Private Data from Android Apps goes a little deeper into details (recommended reading!). Another nice overview is provided by BinaryDroids.
Edit: I've tried to sum up information from all kind of sources I could find, so the probably most comprehensive collection can be found at Android.IzzySoft.DE: Permissions. Don't be afraid of the ".DE": it serves its content in English as well. (Disclosure: I'm the owner, creator, and maintainer of that site.)
A last direct recommendation is How App Permissions Work & Why You Should Care -- and for more, please visit our good old aunt Google :)
Edit: I could not resist to add more valuable hints, as this is a very sensitive topic. So I will continue updating my answer:
- Android permissions explained, security tips, and avoiding malware, a very thorough article on more than just permissions (seemingly similar article here)
- What Can a Zero-Permissions Android App Do?
- Android OS: Malicious apps can steal permissions (including a chapter on How permissions work)
- The ins and outs of scary Android App Permissions (a general introduction into permissions and the "abouts")
- Not directly an answer, but an interesting ressource on our sister-site: Studies on Android users' attitude to security. Names a lot of further sources, studies, etc., including "permissions"
- How to find those permission-grabbing add-ons in Android reveals another interesting fact I was not aware of, as obvious as it might look once you know it: advertising networks get the same Android-permissions as the installed app they’re associated with. Ouch! A paradise for profilers... and, There are more permission-grabbing add-ons...
- Smartphone apps: Is your privacy protected?
- Use Permissions to Secure Your Private Data from Android Apps (while already from 7/2010, it still has good explanations on permissions existing back then -- and still there today)
Advertizement inside apps
Also keep in mind that many permissions some app requests might not be required by the app itself -- but rather by some ad module that app uses. So according to TechRepublic14, MobFox and AdMob, two of the biggest ad networks, require the following permissions: INTERNET
, ACCESS_NETWORK_STATE
, ACCESS_COARSE_LOCATION
, and READ_PHONE_STATE
(so they can know who you are [READ_PHONE_STATE
: phone number, IMEI/IMSI], where about you are [ACCESS_COARSE_LOCATION
], what networks you are connected to [ACCESS_NETWORK_STATE
], and whom you are communicating with [again READ_PHONE_STATE
, while in call, for the "remote number"]). Does this look a bit too paranoid? That doesn't mean nobody's after you, see Deep Dive Into Ad Network Behavior on Android.
Which means: if you don't feel well with some combinations, you might simply check if the app on your wishlist also has a paid version -- which might do without those permissions, as it does not carry the "ad module". Speaking of this: Addons Detector will help you figure out which of your apps carry such a module piggyback. In this context, also consider: as trustworthy as the app developer might be, (s)he might not be aware of and has no influence on what those "ad modules" do with your data. Remember: advertising networks get the same Android-permissions as the installed app they’re associated with.13
On this topic, also read:
Was this shocking news for you? Did I infect you with some "paranoia" -- and now you fell "left alone" with your bad feelings? I won't leave you without some recommendations. First, you might want to know which potential "data thieves" you already invited to your device, unaware of those risks. It's usually no bad intention of the developer (you know: "No money, no honey" -- the devs have to make a living as well). So having identified some "bad guys", you might want to confront the dev and give him the option to switch to a different, less "dangerous" ad provider (after all, the dev might have been unaware of the risks involved as well). If he's unwilling, you can still decide whether to kick the offender from your device. Or to "go pro", if there's a pay version available which comes without an ad module inside -- and honor the dev's work while safe-guarding your data, which I'd say is a typical win-win situation.
So: What options do you have? I will give a few examples below.
- Addons Detector knows a lot of those modules. High rated (4.7 stars at more than 3,000 ratings), it not only detects ad modules, but also analytics, development, and licensing modules
- Lookout Ad Network Detector -- nomen est omen -- concentrates on the ad modules. Its additional value is the ability to tell you exactly what data is being collected, and by whom. Comparable rating (4.4 at > 3,000 ratings)
- TrustGo Ad Detector offers comparable features, and also gives you details on the ad networks' behaviour and backgrounds. Currently 4.5 at ~ 2,000 ratings.
"Root users" might also have heard of several ad-blocking apps (e.g. Adaway, Adblock Plus -- the latter not even requiring root), some of them able to not only "block by host/IP", but directly de-activating the ad modules. Well, those are no longer available on the playstore, as Google has banned them. But you certainly will find them in other places on the web. Make sure to select a trustworthy source, if you plan to make use of those. I recommend F-Droid, which has its own "market app" with the same name, so you get updates as well. All apps there are open source and thus free of charge. And no, obviously no "hacked pro versions for free", all fully legal and lawful :)
No comments:
Post a Comment