“Asking for too many permissions is dangerous,” ESET malware researcher Lukas Stefanko explains. He is referring to app developers requesting access to data and functionality on a user’s smartphone that they do not need to run their apps. It has been known for some time that this has become a scourge on Google’s Play Store, putting millions of users and their privacy at risk.
And so it is little surprise that Google has now acted to exert some control. The company introduced a new “nudge” for developers towards better privacy safeguards last year, warning those asking for too many permissions, suggesting they have a rethink. “We are pleased to say that in the first year after deployment,” the company has now said, “nearly 60% of the warned apps removed permissions—across all Play Store categories.”
But here is the surprise: The campaign to reduce permissions has already impacted a truly staggering 55 billion Play Store installs.
Permission-abuse is often seen as more of a nuisance than a threat. But Stefanko warns “these permissions can be misused as an exploit to access more device components, such as call logs, phone numbers, and browsing history.” And those exploits can render a device vulnerable and compromise user data.
Earlier this month, I reported on a government-linked Chinese firm “secretly” behind “24 popular apps seeking dangerous permissions.” These trivial utility and entertainment apps were all requesting unnecessary device permissions—such as access to the camera, microphone, phone and location. Some of the apps were allegedly sending user data to China. I shared the findings with Google, and those apps—with 380 million installs—were pulled from the Play Store.
“We take reports of security and privacy violations seriously,” Google told me at the time. “If we find behaviour that violates our policies, we take action.”
While that Chinese example is at the extreme end of permission-abuse, the problem of apps seeking more on-device access than they need is widespread. Last year, a Google research project acknowledged user “discomfort or concerns” when apps request “unnecessary or intrusive” permissions. But Google also said that “encouraging app developers to request fewer permissions is challenging,” given the potentially legitimate reasons behind such requests.
Google’s novel response has been to compare each app to its peers, identifying those that seem to be asking for more than they should, and alerting developers when that’s the case. In its update today, Google says “we aim to help developers boost the trust of their users—we surface a message to developers when we think their app is asking for a permission that is likely unnecessary.”
Google also explains that “determining whether or not a permission request is necessary can be challenging,” but there are stark differences between “core functionality,” and what Google describes as “personalization, testing, advertising, and other factors.”
The crux is that trivial apps do not need most of the permissions they request. And from a user perspective, granting access to device functionality and data for “testing and advertising” does not add any value. Such permissions should be limited to core functionality, unless there’s clear transparency and tacit permission from a user based on the facts: what, why, for how long.
This was highlighted last year, when one security researcher examined flashlight apps to prove the point. “The alarming truth,” Avast’s Luis Corrons said, “is that the average number of permissions requested by a flashlight app is 25.” The ten worst offenders had accumulated almost 5.5 million installs between them.
There’s a downside for developers in permission-abuse. Google warns that “when users are given a choice between similar apps, and one of them requests fewer permissions, they choose that app.” A point also made by Stefanko.
But Stefanko makes another related but much more worrying point. “Apps many times use external SDKs [software libraries]. If the app requests permissions and doesn’t use them for its functionality, it doesn’t mean that the included SDK will not request a user to activate it, exploiting it to gather user data.”
This links to claims that malware samples use legitimate apps as Trojan Horses to gain access to target devices. And Google backs this up in its update. “This warning helps to remind developers they are not obligated to include all of the permission requests within the libraries they include inside their apps.”
All that said, this remains a voluntary scheme. “We let the developer make the final call as to whether or not the permission is truly necessary,” Google says. And this means there is still too much permission-abuse on the Play Store. Around 60% of apps warned by Google modified their requests. But that means that around 40% did not. There is no data as to the number of those installs.
And so to the final word of caution. There are no user warnings in this approach. You can check the permissions being requested or that have been granted through the settings on your phone, and you should do this. Above all, though, take care the trivial apps you allow onto your device in the first place.
This represents the latest move on Google’s part to better police the Play Store. And as worrying as permission-abuse might be, there are much more dangerous risks to be found on the store. A week ago, for example, I reported on Joker and Haken samples slipping through Google’s security net.
What Google is doing needs to be welcomed, as does its other efforts such as the App Defense Alliance. Personally, I would like to see this evolve from a voluntary scheme to a mandatory one. The data now exists within Google’s systems to identify the worst offenders for permission-abuse. And it stands to reason that malicious actors misusing permissions will ignore any alerts. Let’s hope the next phase brings down the curtain on those bad actors.[/vc_column_text][/vc_column][/vc_row]