Google Play Store UI change means apps can silently gain access to deadly permissions


Google recently updated the Android app version of the Google Play Store, which supposedly simplified the permissions interface for everyday users. But as reports and developer accounts around the Web are suggesting, Google may have made a huge error in allowing these changes to become real.

 

The crux of the problem is that with the latest Play Store app, new permissions sought by an app during the course of an update, are hidden away from the update dialogue, under certain fairly common situations. Novice or non-power users cannot see which new permissions have been asked for unless they cancel the update and go back to the app details page and find the exact new permissions.

 

The security issue arises when an app already has access to a permission group such as Contacts and Calendar, or Phone, or Photos/Media/Files. When being updated, it can now gain access to any sub-permission within these groups, without notifying the user right then and there.

 

This obviously was done so as to not confuse novice or non-power users with a screen showing a whole lot of new permissions. Sure it makes a lot sense, but it also puts these very users at risk. A power user can dig around within granted permissions to see if something is amiss. But that’s not the case with someone who may not know what a particular permission means.

 

For example, the “Phone” permissions group allows access to directly call phone numbers, which is useful in a variety of different contexts, such as in a restaurant review app where you can call and reserve a table through the app itself. However, sub-permissions within this group allow an app to read and write your call logs, which means it can make calls and delete them from your log. It could reroute outgoing calls to different destinations, such as premium rate numbers. So If ‘X’ app already is allowed one permission within the ‘Phone’ group, it can gain access to any number of permissions under it, without making it clear to the user that it has gained these.

 

This was not the case earlier and in fact, instead of making users more secure and less likely to succumb to malicious apps, Google has made this change which is thoroughly baffling.

 

Previously, when an application update requested additional permissions even within the same group, users would be notified and have to accept the change before updating. This could have made a lot of new users extremely wary, especially if the permissions screen had too many new permissions. Some users might not even fully understand these permissions. Previously, apps which needed new permissions would have to be updated manually, after the user physically confirming that they were allowing the app these permissions.

 

What the new system does is allows security threats to come from literally any corner. If you have been using an app habitually, it becomes essential to your smartphone experience. Now, when it updates, it can silently add new permissions within groups it already has existing permissions in.

 

Another huge security threat comes from the fact that access to the Internet is a permission hidden under ‘Other’. That’s usually used to describe an impertinent group, and we can see the reasoning considering most apps need access to data. But the change allows any app to gain access to the internet silently, with the user clueless.

 

In a Reddit post, iamtubeman revealed the extent to which the new system could damage a user’s life. To illustrate the gaping hole, he created an app, which asked for these permissions:

android.permission.GET_TOP_ACTIVITY_INFO

android.permission.GET_ACCOUNTS

android.permission.ACCESS_COARSE_LOCATION

android.permission.WRITE_CALL_LOG

android.permission.READ_EXTERNAL_STORAGE

android.permission.SUBSCRIBED_FEEDS_WRITE

 

He then updated the app and published the new version on the Play Store, which asked for further permissions within groups the app had already been allowed permissions to.  These wouldn’t be immediately visible to an average user who doesn’t know what permissions are meant to be. The updated app demanded and easily got the following permissions:

android.permission.READ_HISTORY_BOOKMARKS

android.permission.READ_PHONE_STATE

android.permission.ACCESS_FINE_LOCATION

android.permission.ACCESS_LOCATION_EXTRA_COMMANDS

android.permission.READ_SMS

android.permission.RECEIVE_MMS

android.permission.RECEIVE_SMS

android.permission.SEND_SMS

android.permission.WRITE_SMS

android.permission.WRITE_EXTERNAL_STORAGE

android.permission.MOUNT_FORMAT_FILESYSTEMS

android.permission.MOUNT_UNMOUNT_FILESYSTEMS

android.permission.SUBSCRIBED_FEEDS_READ

 

With this seemingly innocuous update, the app could monitor and store your internet bookmarks, access phone state, which is a gateway to your IMEI number, SIM contacts, SIM messages and also track you using GPS in real time since it has access to fine location. The extra commands permissions allows it to upload location data to a server, which is what many fitness tracking apps use. Your SMSes could be monitored, read and stored on the cloud, and your documents and files on the SD card are an open book. Needless to say all that data being leaked to some unknown hacker or attacker can lead to seriously bad consequences for everyone.

 

Google has to take steps to reverse this change and it better be working on it already, considering they have already got the attention of the biggest Android community voices on the Internet.

 

XDA Developers had harsh words for Google. “What on Earth was Google thinking this was implemented? Perhaps now is time to say “Sayonara” to Google Apps, and take a look at alternatives that better preserve your privacy and give you control over your own data.”

 

There’s a general agreement that Google has done a disservice to its users with this change and needs to overhaul the permissions screen and usage, and perhaps even the terminology used. “In an ideal scenario, this will ultimately end with an overhaul of the Android permissions system, which has scaled admirably with the changing demands of the market, but there are certainly areas for improvement,” Android Police said, in its report on the loophole.

 

There’s a lot Google can learn from Apple, but nobody wants Android to go the iOS way, where permissions are tackled on a per-session basis. That makes for distracting UX, in comparison to the fluidity that Android’s system espouses. However, it’s not asking for too much if Google can make the language used in permissions easier to understand and be up front about what new permissions, even if they are trivial and minor, an app needs access to.

 

As XDA points out, “I would place a lot of money on app developers hating this. And if they did, I’d feel as if I did my job right. This would mean that users were taking back control of their devices and their data.”

 

Time for Google to act.

Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.