General security

Android App Permissions and Security: What You Need to Know

Infosec Institute
February 5, 2014 by
Infosec Institute

As of this article, Android has the greatest OS market share on both smartphones and tablets. If you don't own an Android device, chances are that your friends, family or co-workers do.

The security implications of Android affect many millions of people worldwide who use their devices for personal reasons. But also, more and more corporations and governments are either offering their employees corporately administrated Android devices, allowing Android devices into their networks via BYOD (bring your own device), or some combination of both. So, using Android insecurely can also devastate corporations and governments- costing them millions or even billions.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

I wrote an introductory article on Android security which covers the basics regarding malware, privacy, password security, and physical security. This article expands on an Android security matter which deserves a separate piece of its own: Android app permission security. Whether you use Android devices for personal or professional reasons, it'd benefit you to heed my advice.

Technically speaking, Android is a Linux distribution, because it's built on the Linux kernel. All Linux-based OSes are designed to be able to have multiple user accounts, which can each have their own sets of permissions, with root having master admin.

In most Linux distros, which are typically run on PCs and servers, such as Ubuntu, Red Hat, SUSE, Arch and Linux Mint, the user accounts typically represent people who use the same OS install directly on a PC client, or remotely off of a LAN connected server. For instance, on the Linux installs we have running off of our PC hard disks and off of our Linux servers in our server room, my fiance and I both have root/admin accounts. So, we both have access to read, write, install, uninstall, reconfigure and delete anything. When we run Linux bash commands which require root, we can simply type "sudo" at the beginning of the command, enter our passwords when prompted, and we can do whatever we'd like on our Linux machines.

But, we also set a number of user accounts for our friends and people we work with. We set limited permissions on their accounts. They can download files from the Internet to their own folders only. They can read, write and delete files from their own folders only. They may not install any applications without our "sudo" authorization. They may not uninstall any applications without our root passwords. They may only view their own files in their own folders. And finally, they may not change any OS settings or configurations.

The odd thing about Android is, instead of actual people having user accounts with associated permissions, the applications themselves each have their own sets of "user permissions." The person using an Android device may install or uninstall applications, save or delete files, and change OS settings. But to be able to reconfigure their device beyond what the Settings app allows, and for further "admin" functions, they would need to "root" their Android device. When an Android device is rooted, the user has full root permissions, in the same manner as having root in other Linux distros. Rooting an Android device involves overcoming its bootloader, and proper rooting procedures vary according to your Android device manufacturer and model. If you're curious about how to root your Android device, Google its model name with the word "root." XDA Developers is a particularly good resource for information about how to root nearly every Android device out there.

So, as I've said, in Android, instead of people having user accounts and permissions, apps have user accounts and permissions. Each app, including Android OS components, has its own unique user account.

Regardless of which version of Android you're using, each and every time you install an Android app (an APK file), the Google Play Store will show you which permissions the app asks for. Usually, you cannot pick and choose which permissions you grant to an app. You usually can only decide whether or not to install an app, based on the permissions it asks for.

I installed a new game on my phone a couple of days ago, Kaizin Rumble: World Domination. These are some of the permissions the app asked for before I agreed to install it.

I decided that I'm okay with the permissions that app thinks it requires. So, I tapped on "Accept." "Modify or delete the contents of your USB storage" makes sense, because the game probably stores game save files and some downloadable content. "Retrieve running apps" makes sense if the game uses Facebook, Twitter or Google+ OAuth for authentication, as many Android games do. That permission might also make it easier for me to switch from the game, to another app I'm using, and back to the game again, without losing any game progress. "Full network access" is needed for games which require online connectivity, which is most of them. "Read phone status and identity" is necessary for if I receive a phone call while playing the game. "Read call log, read your contacts" concerns me a little bit, and I'll turn that permission off via procedures I'll describe later in this article. "Add or remove accounts, use accounts on the device" is probably related to using social network OAuth to link with my in-game account authentication.

For the purposes of this article, especially since I'm including all kinds of screenshots, it's worth noting that I have a Nexus 4, which is running the latest version of Android as of this writing, 4.4.2 KitKat.

Malicious apps will probably misuse the permissions you grant it by installing it. Their permissions may make malicious apps able to make expensive long distance phone calls or text messages, engage in spyware activities like uploading your private data, contacts and GPS location, stop your other apps from running properly, or stop you from being able to change your device settings.

Do keep in mind that even apps that aren't really malware, which are popular with millions of Android users, may use the permissions you grant to track your GPS location, read your text messages and contacts, or make device setting changes you won't like. Examples of those include the Facebook app, Yelp, or even some "App Launchers."

You may want to install and use those applications anyway. I do. But I don't have the Facebook app on my phone. I only use Facebook in my web browser, because I really don't trust Zuckerberg and company very much.

When apps update, if the permissions they demand change, Google Play will prompt you with a list of the new permissions, and let you decide accordingly whether or not to update that app.

So, I've chosen to install many apps on my phone which may engage in some spyware functions or do other things to my Nexus 4 that I don't like. But I've got the upper hand, because I know how to disable some permissions from my apps. I'll show you how.

All versions of Android are designed so you can't change the permissions granted to the apps you've installed without doing some degree of hacking. In Android 4.3 Jellybean, a hidden function was added called App Ops. That function allows users to manually enable or disable app permissions. The only easy way to access App Ops in Android 4.3 is to do one of the following. If you have a third party OS UI, otherwise known as a "Launcher," it'll exist on your device as any another app. Trigger your "Launcher" app to open an "activity," and if you scroll all the way down the list of available "activities," you'll find App Ops. You can open the hidden function from there. Then, you can navigate to each of your application permission settings, app by app, and pick and choose which permissions to enable or disable. Keep in mind that disabling some app permissions may make your apps unable to function properly.

The other way to open App Ops in Android 4.3 is to install a third party app which is designed to launch the hidden function, such as AppOps Launcher, at https://play.google.com/store/apps/details?id=com.pixelmonster.AppOps. AppOps Launcher also works in Android KitKat, 4.4+.

The Electronic Frontier Foundation was very happy when App Ops appeared in 4.3, even though it's hidden. But even though third party permission control apps can work in other versions of Android, App Ops was removed in KitKat 4.4.2. That disappointed the EFF, and with good reason. Android device owners shouldn't have app controls taken away from them, because that would violate their user rights.

"The fact that Android users cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people's data is being sucked through," said the EFF's Peter Eckersley.

Nevertheless, as I've mentioned previously, there are ways to get that control back. You should, because even legitimate apps can spy on you or create other security vulnerabilities.

Permission Manager is another app you can try, at https://play.google.com/store/apps/details?id=com.appaholics.applauncher. Despite what it says in Google Play, I've found that it works in 4.4.2 KitKat, in addition to 4.3 Jellybean. It won't work if you have a version of Android that's previous to 4.3.

Interestingly, Permission Manager doesn't ask for any permissions.

Here's what Permission Manager looks like.

So, if you install the free version of Permission Manager, as I did, you can see the top five apps on your device which have the greatest number of permissions. But if you buy the paid "Pro" version, you'll see a list of all of your apps and their permissions, listed from the most permissions to the least.

So, here's what I see in my free version.

All of those "apps" are native Android components that mustn't be removed, except perhaps for Google+. I've decided to let those Google apps have all their default permissions for two reasons. The first is that I'm pretty sure disabling any of their permissions will really cripple the functioning of my device, particularly since all of those apps, except for Google+, are vital OS components. The second is that, since I have a Google Android device that uses Google's complete service "ecosystem," if I can't trust Google with a wide assortment of functions, I shouldn't own a Google Android device in the first place. Google's data mining is all a part of the game if you choose to use any Google program or service, from Android to Gmail to Drive to Maps to even Google Search. That applies to any Google services you use anywhere, even outside of Android. That includes using Google Maps on your iPhone and using Google Search in any web browser from Microsoft Windows, and so on and so forth.

Here's what you can see in Permission Manager if you launch the settings of a particular app.

Yeah, disabling any Android System UI permissions would really mess up my phone, perhaps even irreversibly.

Since Permission Manager only works in Android 4.3 and 4.4, you'll need to install another app if you want to manage app permissions in an older version of Android. Or, even if you use 4.3+, you might want to have easy access to the permissions of all of your apps, without having to pay for Permission Manager's "Pro" version. A possible option is SnoopWall, which can be installed for free from https://play.google.com/store/apps/details?id=com.snoopwall.android.

One of the nice things about SnoopWall is that it works in all versions of Android from 2.3.3 Gingerbread and up. It'll also allow you to manage the permissions of all of your apps, free of charge. What I'm not crazy about, but what you might enjoy and benefit from, is that the app is designed to do a lot more than just manage app permissions. It runs an antivirus shield and firewall that's not supposed to conflict with any antivirus shield or firewall you already have. It checks for, and blocks eavesdropping and spying. It stops your camera, GPS, WiFi, microphone and NFC from being used without your authorization. It even has a special security mode designed to be used if you're doing any online banking on your phone or tablet.

Unlike Permission Manager, SnoopWall asked for a number of different permissions upon installation.

The following are screens you'll see when launching SnoopWall ("Antivirus Privacy Firewall") for the first time.

After launching SnoopWall for the first time and it tells you "You are not secure," you can choose a security mode.

"Phone Mode," "Internet Mode," and "Apps Mode" disable a lot of functionality, which can be very annoying. For instance, apps are blocked in "Phone Mode," and Internet access is blocked in "Apps Mode." (What about most apps, which require network connectivity?) "Bank Mode" is only useful if you're doing online banking, either via your Web browser or a native online banking app. So, I chose "Autopilot Mode."

When you choose a "mode," you'll see this screen.

Here's what SnoopWall's main control screen looks like.

Tap "Control Apps" (at the bottom) to manage the permissions of each and every one of your apps. I happen to have about 250 apps in total.

Handy green icons in your app list will give you a quick overview about what kind of permissions each app has. Tap on the blue circle next to the app name to customize the permissions you give that particular app.

I've decided to leave Chrome's permissions alone, based on the "if I can't trust Google, I'm screwed by having an Android device" principle.

Her are the permission settings for another one of my apps, Barcode Scanner+.

Tapping on "Block App" doesn't necessarily block the app completely; instead it gives you the option to selectively enable or disable its permissions.

As Barcode Scanner+ uses my phone's camera to scan QR codes and UPC codes, disabling the Camera permission would defeat the purpose of the app. Here's what I chose to enable and disable.

I cannot see why Barcode Scanner+ should be able to activate or use WiFi, but it obviously needs my camera, and its NFC (near field communication) and mobile data (3G or 4G) functions could be useful, so those are risks I'm willing to take.

I went through each and every one of my apps via SnoopWall, and I set their permissions to my liking, being mindful to not disable permissions that could impair app functions I'd like to have, or would prevent my device from working properly. As I have over 250 apps, it was a long and tedious process, but well worth it.

One thing I don't like about SnoopWall is that running the app forces Bluetooth to be turned on. Leaving Bluetooth on when you're not using Bluetooth peripherals with your phone or tablet can be an unnecessary drain on your battery. Bluetooth can also be used for a third party to obtain malicious access to your device, so for security reasons, Bluetooth should only be turned on while you're using it.

So, after I set my app permissions with SnoopWall, I went into my system app settings (in the OS, not in SnoopWall) and disabled SnoopWall from running. Then, I was able to turn Bluetooth off again. Based on what I know about how Android apps work, I assume the app permission changes I made via SnoopWall are still set.

There are other third party apps that you can install on your Android device to manage your app permissions. You may give them a try, but keep in mind that I haven't yet installed and tried them on my phone.

Advanced Permission Manager (https://play.google.com/store/apps/details?id=com.gmail.heagoo.pmaster) is supposed to work on Android Froyo 2.2 and every later version of Android.

F-Secure App Permissions (https://play.google.com/store/apps/details?id=com.fsecure.app.permissions.privacy) is supposed to work on Android 2.3.3 Gingerbread and up.

Fix Permissions (https://play.google.com/store/apps/details?id=com.stericson.permissionfix) is supposed to work on versions of Android as old as 1.6 Donut. But regardless of the version of Android you install it in, your device must be rooted.

You'll find many other permission control apps in the Google Play store, as well. Be conscientious about which app you choose, and how you operate it. Most importantly, look at the user ratings of the app, and the user reviews. I wouldn't install any app that has less than four stars.

I hope in the future that Google's Android development team decides to reverse the decision they made for KitKat 4.4.2. I hope future versions of Android allow app permission customization without being hidden (as in 4.3) and without requiring root. They could always design the program so that users are warned to customize permissions at their own risk.

Your Android device should be fully in your control, and you should be able to customize functionality with security in mind, so that Android app developers can't take control or security away from you.

References

How App Permissions Work & Why You Should Care

http://www.makeuseof.com/tag/app-permissions-work-care-android/

Android 101: What some of those scary application permissions mean

http://m.androidcentral.com/look-application-permissions

System Permissions | Android Developers

http://developer.android.com/guide/topics/security/permissions.html

App to manage Android app permissions

http://www.theregister.co.uk/2014/01/07/app_to_manage_android_app_permissions/

KitKat update removes app permission toggle

http://news.cnet.com/8301-1009_3-57615607-83/kitkat-update-removes-app-permissions-toggle/

App Ops: Android 4.3's Hidden App Permission Manager, Control Permissions for Individual Apps!

http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/

Permission Manager | Google Play

https://play.google.com/store/apps/details?id=com.appaholics.applauncher

AppOps Launcher | Google Play

https://play.google.com/store/apps/details?id=com.pixelmonster.AppOps

SnoopWall Antivirus Privacy Firewall | Google Play

https://play.google.com/store/apps/details?id=com.snoopwall.android

Advanced Permission Manager | Google Play

https://play.google.com/store/apps/details?id=com.gmail.heagoo.pmaster

Fix Permissions | Google Play

https://play.google.com/store/apps/details?id=com.stericson.permissionfix

Infosec Institute
Infosec Institute

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.