Google recently made a change to the way it handles permissions on the Play Store. Related permissions are now grouped together when you update. This makes it simpler to see what’s happening, but it has some potentially worrisome implications.
As Android Police explains, in the past, when Google would update apps via the Play Store, the user would be notified if any new permissions were added. Under the new system, a user will only be notified that there’s been a change if a new group is added. This also means that if you update apps automatically, permissions can be added without your knowledge:
The real problem becomes visible with app updates through the Play Store. When new permissions are added, there are no outwardly visible signs that anything has changed so long as no new categories are added. For example, an app that had already been authorised to read the call log can add permissions to make calls without intervention, and there will be no warning when it comes time to download the update. In the past, app updates clearly identified new permissions and prompted users to authorise each update before it could be downloaded.
This doesn’t necessarily make everything a free-for-all. As stated, a permission has to be in an already-approved group in order to be added. However, there doesn’t seem to be much in the way of risk prioritisation. You can read more about the implications of this change at Android Police’s rundown below. As always be sure to read and research permissions thoroughly before installing or updating an app you’re not sure you trust.
Simplified Permissions UI In The Play Store Could Allow Malicious Developers To Silently Add Permissions [Android Police]
Comments
One response to “Android’s Permissions May Allow Devs To Silently Add Privileges”
That defeats the purpose of having a graded permissions system. Do No Evil inc really needs to implement the ability for me to approve each permission requested, then developers will be more careful about what permissions they ask for or people will just not install the app.
They could even do it in Play, when installing an app just have a checkbox next to the permissions for me to allow/deny, if there are too many people will just not install the app. They would have to include a ‘Give it whatever it wants’ button as well for those that dont care and would otherwise not install anything (though granted those are typically the ones that need more protecting, perhaps a permissions feedback system to help those that want to protect but dont understand enough yet)
App developers should also be forced to explain why they want each permission.