Simplified Permissions UI In The Play Store Could Allow Malicious Developers To Silently Add Permissions

The latest version of the Play Store hit the scene a little over a week ago and introduced a tweak to the way permissions are displayed at install time, and it left some people feeling a little...uncertain. Gone is the ugly wall of poorly spaced, semi-specific permissions. The replacement is a short set of simplified categories, each with crisp-looking icons and buttons that reveal a brief description when tapped. Google filtered through roughly 145 permissions and narrowed them down to a dozen groups, plus one bucket for anything that remains. The list can be found here.

^{Left: old Play Store. Middle and Right: new Play Store}

It's safe to assume Google discarded the old interface to make the install process a bit less distracting and more comfortable. After all, a granular list of specific technologies, sensors, and communication methods could be a bit daunting to the non-tech savvy people that make up the majority of Android's user base. For users that still want to see the previous version of the permissions list, it's still available at the bottom of the app page, accessible through a link titled "View details." A similar display is also present on the web store.

The Catch

Unfortunately, this relatively simple revision has introduced a few potential security and privacy issues. The first concern is one of simply hiding more serious permissions in innocently named groups. For example, the rights to reroute outgoing calls and modify the call history log are found in the "Phone" category.

The real problem becomes visible with app updates through the Play Store. When new permissions are added, there are no outwardly visible signs that anything has changed so long as no new categories are added. For example, an app that had already been authorized to read the call log can add permissions to make calls without intervention, and there will be no warning when it comes time to download the update. In the past, app updates clearly identified new permissions and prompted users to authorize each update before it could be downloaded.

Note: Installing or updating apps using an apk on the device (or another app store) will still display the standard permissions screen, which displays the full list without modifications.

^{Left: Play Store update with new categories. Center and Right: Updating locally from an apk.}

Another aspect of this situation to be worried about is the 'Other' category. All permissions that don't fit within the 12 regular groups are dropped into this bucket. This can include some perfectly common and innocuous items like running at startup and preventing the phone from sleeping. However, it also includes more powerful features like drawing on top of other apps, reading and writing web bookmarks, and accessing Bluetooth and NFC. Most -if not all- of the permissions in this group won't even trigger the Other category to appear during installation, giving the appearance that an app has virtually no access.

3rd-Party App Permissions And Root

3rd-party apps can create their own custom permissions, and those are bundled into the Other category as well. Fortunately, these specialized permissions will always activate this listing, but it's not clear if they will always flag users for manual confirmation if the group is already present. One of the most important examples of this is ACCESS_SUPERUSER, the permission used to communicate with SU managers like Chainfire's SuperSU and Koush's Superuser. At this time, the only text reflecting this permission simply reads, "full permissions to all device features and storage." (Note: These descriptions are provided by whichever superuser app is installed on a device. That text is currently identical for both apps.) Of course, Root managers generally prompt users before acting on a request for root, but the entire point of the permission was to make root apps more visible in the Play Store.

^{Left: SetCPU with the barely visible root permission. Right: Twitter app with its own permission (both are on the second line).}

Combining fairly non-threatening group names and with a lack of transparency could make it easy for less honorable app developers to take advantage of unsuspecting users. The Play Store is effectively burying some very powerful features where users aren't likely to notice them. As many people have been pointing out, something as generic as a flashlight app with access to the camera (required to turn on the LED flash) can be quietly updated with new permissions and code to record video and audio without notifying the user, then they can send anything collected over the Internet. While examples like this may sound alarmist, we can probably expect this behavior eventually.

Why Make This Change?

Allow me to play devil's advocate for a moment. These changes aren't exactly great for users that keep a watchful eye for new permissions. But how many people actually read the permissions when they install an app? When presented with a sizeable scrolling list, filled with vague phrasing and unfamiliar terms, most people tap through the dialog without giving it a thought. If users already don't know what they've agreed to, it hardly matters when similar permissions are added. I can already hear the groans, and I know you're dying to jump straight to the comments to tell me how I'm wrong — but trust me, I'm right.

It's not that people shouldn't know what they are allowing apps to do, but most of them simply aren't qualified to understand it, or they just don't care. Google is slowly adding policies and banning apps that are indisputably bad, but only so much can be achieved without directly curating the Play Store like Apple, Microsoft, and Blackberry have done.

In an ideal scenario, this will ultimately end with an overhaul of the Android permission system, which has scaled admirably with the changing demands of the market, but there are certainly areas for improvement. We're more likely to see further refinements to this interface, possibly with some hints when higher-risk permissions are added to the list.

Whatever the case, it would be wise to keep a closer eye on updates and abnormal behavior of your installed apps, at least those that aren't from highly trusted sources.

Source: Google

Special thanks to iamtubeman.