Google just made a huge change to the way application permissions work on Android devices, and it leaves a potential door open to malicious app developers and hackers.
Google has narrowed Android's 145 permissions down into 13 broad categories and groups app permissions into 'groups of related permissions', likely so that Android users have an easier time dealing with app permissions.
Unfortunately, the new update has introduced a few potential security and privacy issues, as listed below:
- hiding permissions behind the group names
- auto-updating app with no warning for new permissions
Under the new update, once a user approves an app's permissions, they actually approve the whole corresponding permission group. For example, if an app wants to read your incoming SMS messages, it requires the "Read SMS messages" permission. But now, by installing the app, you are actually giving it access to all SMS-related permissions.
The app developer can then add further permissions from the 'SMS-related permissions' group in a future update, and that update will not trigger any warning before installation.
Google explains, “If you have automatic updates enabled, you won’t need to review or accept these permissions as long as they are included in a permissions group you already accepted for that app.”
If your Android apps update automatically, malicious developers can abuse this mechanism to gain new, dangerous permissions without your knowledge. A careful user could manually expand the full list of permissions in the dropdown before installation, but hardly one user in thousands does that.
For example, as you can see in the above screenshots, I am installing FIFA's Android app from the Google Play Store; before installation the app asks for group permissions in the left image, and the actual permissions in each group are expanded in the right-side image.
Similarly, if you install any app with the group permission to read contacts, that app can later secretly gain permission to add or even change calendar entries too.
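To make the mechanism above concrete, here is an added audit script (not part of the article, and not Google's code) that compares the permissions declared in two versions of an app's AndroidManifest.xml and reports which additions an auto-update would grant without a prompt because their group was already approved. The group mapping and both manifests are constructed for illustration; the real Play Store grouping is Google's and is not reproduced here.

```python
import xml.etree.ElementTree as ET
# Constructed, illustrative subset of the Play Store permission groups the
# article describes; Google's real grouping is not reproduced here.
PERMISSION_GROUPS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "Contacts/Calendar",
    "android.permission.WRITE_CALENDAR": "Contacts/Calendar",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def audit_update(installed, update):
    """Classify the permissions an update adds over the installed version:
    'silent' = its group was already approved, so auto-update grants it unprompted;
    'prompt' = new group, so the Play Store warns first; 'unknown' = not in our map."""
    approved = {PERMISSION_GROUPS[p] for p in installed if p in PERMISSION_GROUPS}
    result = {"silent": [], "prompt": [], "unknown": []}
    for perm in sorted(update - installed):
        group = PERMISSION_GROUPS.get(perm)
        if group is None:
            result["unknown"].append(perm)
        elif group in approved:
            result["silent"].append(perm)
        else:
            result["prompt"].append(perm)
    return result

# Constructed manifests: v1 is what the user installed, v2 is the pushed update.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    report = audit_update(manifest_permissions(MANIFEST_V1), manifest_permissions(MANIFEST_V2))
    print(report)
```

Anything in the 'silent' list is exactly what the article warns about: a permission the user never saw, granted by an automatic update because a sibling permission in the same group was approved at install time.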
Below I have listed some of the most abused Android app permissions that cyber criminals exploit for their own gain:
- GPS Location and Network-based Location
- Read Phone State and Identity
- Automatically Start at Boot
- Modify/Delete SD Card Contents
- Read/Send SMS Messages
- Read/Modify Contacts
I strongly recommend that users disable automatic updates and verify app permissions manually every time an app wants to update.