Hello Everybody,
I would like to ask a question about Android Apps permissions:
If I deny one permission for a particular App, does that mean the App has zero access to the denied permission?
Or is there a possibility for the App to bypass the permission restriction and access the user Data anyway?
Is our Data really safe and respected by Apps whe we deny certain App permissions?
I would like to have a good understanding about the accuracy of Android Apps permission restrictions.
Please let me know.
Thank you
What permissions an app has is determined by app's developer. These are by default granted, but can get revoked by user - what may lead to fact that app no longer works.
Each app runs in a sandboxed VM therefore basically it only has access to the data tied to it, means app A can never access app's B data. User data like photos, musics, videos etc.pp typically can get accessed by all apps because they aren't specific to an app.
jwoegerbauer said:
What permissions an app has is determined by app's developer. These are by default granted, but can get revoked by user - what may lead to fact that app no longer works.
Each app runs in a sandboxed VM therefore basically it only has access to the data tied to it, means app A can never access app's B data. User data like photos, musics, videos etc.pp typically can get accessed by all apps because they aren't specific to an app.
Click to expand...
Click to collapse
Thank you for taking some of your time to explain this to me. I appreciate it.
Related
The latest Camera360 update demands a strange and dangerous permission - "Change WiFi State". This is defined as follows:
"Allows the app to connect to and disconnect from Wi-Fi access points, and to make changes to configured Wi-Fi networks."
The apps already has internet access. But change WiFi state means it can not only turn your WiFi on and off, but it can add or delete to your access points, and read/change other information like encrypted passwords.
I emailed the developer (in China) and they just keep emailing me back asking what version I am using. He obviously doesn't want to answer the question!
I've noticed this "permission creep" in many other apps. The latest Firefox Android app wants access to global system setting, address book, and accounts. The latest YouTube app can take pictures and videos without your knowledge.
There are a few apps that I no longer update. I also use DroidWall to block cameras and other apps from internet access.
Stay Away from Camera360!
I use droidwall as well, actually extensively. I block everything but the necessities.
Sent from my LG-P999 using xda app-developers app
Thanks for the heads up.
Sent from my LG-P999 using xda premium
Now that look at it, some of the permissions that Camera360's Chinese developers want are pretty scary:
https://play.google.com/store/apps/details?id=vStudio.Android.Camera360
Here are the most dangerous as of today:
NETWORK COMMUNICATION
FULL INTERNET ACCESS
Allows the app to create network sockets.
YOUR PERSONAL INFORMATION
READ SENSITIVE LOG DATA
Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the tablet, potentially including personal or private information. Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the phone, potentially including personal or private information.
PHONE CALLS
READ PHONE STATE AND IDENTITY
Allows the app to access the phone features of the device. An app with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
SYSTEM TOOLS
RETRIEVE RUNNING APPS
Allows the app to retrieve information about currently and recently running tasks. Malicious apps may discover private information about other apps.
CHANGE WI-FI STATE
Allows the app to connect to and disconnect from Wi-Fi access points, and to make changes to configured Wi-Fi networks.
Camera 360 Browser Popups!
The Chinese developers that made Camera 360 removed the draconian permissions. But now, it has a more evil behavior. When you start your phone, Camera 360 starts a background process that displays popup ads on some websites with the default Android browser!
Thread on it here:
http://forum.xda-developers.com/showthread.php?p=33130018
Uninstall Camera 360 and watch your phone and your browser run faster!
Uninstalled :good:
Shouldn't this thread be a sticky, and, posted somewhere owners of all different models of phones will see?
Also, surely there must be some kind of app which lets you install apps without actually granting them those permissions? Some kind of permission stripper?
I'm not sure of any apps that control permissions directly but the is one called DroidWall which can block apps from communication over WiFi and/or your mobile network. Needs superuser/root access.
Sent from my LG-P999 using xda app-developers app
Pdroid, need to make a patch for ROM of choice, but it works like a charm!
Sent from my Nexus 7 using xda premium
Bob Tums said:
I'm not sure of any apps that control permissions directly but the is one called DroidWall which can block apps from communication over WiFi and/or your mobile network. Needs superuser/root access.
Click to expand...
Click to collapse
I have DroidWall, and Camera360 is blocked internet access. But it is still able to hook into the Android browser and show popups.
Not sure how that happens. You can try downloading AdAway from the market and see if that gets red of it.
Sent from my LG-P999 using xda app-developers app
So i am just wondering, there are so much different apps for android on the market, and most of them has a lot of access to phone's functions. Now for example i am always logged in to Gmail, and theoretically can a random app scan and copy my gmail's data and send it trough internet? Really curious..
Kblavkalash said:
Now for example i am always logged in to Gmail, and theoretically can a random app scan and copy my gmail's data and send it trough internet? Really curious..
Click to expand...
Click to collapse
This question is not really an issue of Android security this is a question about general security. Can an app look at your gmail app directly and copy data and send it out...not exactly no, an app can't forcibly connect itself to another app to scan data.
However...
That question is actually not relevant because such a task is unnecessary for malicious apps. Lets say you install a malicious app that wants to copy your gmail data. What it will do is not watch the app itself but it will watch the network packets being sent to and from the app, logging and tracking those.
This is not the only way to get the data though because any data saved on your sdcard is accessible from an app if you give it permission to do so.
The MOST important thing to look at when installing an app is the permissions the app is requesting when it installs. This can be confusing as well because some apps will request full internet access because they need it but this can also be used by a malicious app to steal your data.
The important thing to do is research. The more you learn about the app the better off you are.
-------
Just to clarify, this applies to all apps of any kind on any platform including but not limited to Android, iPhones, Blackberry, Windows Phone, WebOS, Windows PC, Mac OSX, Linux or etc. - ALWAYS learn as much as you can and are comfortable with before installing anything...if you are not comfortable with a particular app or learning more about it then don't install it. That is not to say it may be malicous, it is just to say it could be a bad idea for other reasons. (for example, if it is a developer tool or a configuration tool that you don't understand or haven't researched enough to understand...then you could potentially damage your device with something that is a legitimate tool)
Kblavkalash said:
So i am just wondering, there are so much different apps for android on the market, and most of them has a lot of access to phone's functions. Now for example i am always logged in to Gmail, and theoretically can a random app scan and copy my gmail's data and send it trough internet? Really curious..
Click to expand...
Click to collapse
edit
MichaelTunnell said:
This question is not really an issue of Android security this is a question about general security. Can an app look at your gmail app directly and copy data and send it out...not exactly no, an app can't forcibly connect itself to another app to scan data.
However...
That question is actually not relevant because such a task is unnecessary for malicious apps. Lets say you install a malicious app that wants to copy your gmail data. What it will do is not watch the app itself but it will watch the network packets being sent to and from the app, logging and tracking those.
This is not the only way to get the data though because any data saved on your sdcard is accessible from an app if you give it permission to do so.
The MOST important thing to look at when installing an app is the permissions the app is requesting when it installs. This can be confusing as well because some apps will request full internet access because they need it but this can also be used by a malicious app to steal your data.
The important thing to do is research. The more you learn about the app the better off you are.
-------
Just to clarify, this applies to all apps of any kind on any platform including but not limited to Android, iPhones, Blackberry, Windows Phone, WebOS, Windows PC, Mac OSX, Linux or etc. - ALWAYS learn as much as you can and are comfortable with before installing anything...if you are not comfortable with a particular app or learning more about it then don't install it. That is not to say it may be malicous, it is just to say it could be a bad idea for other reasons. (for example, if it is a developer tool or a configuration tool that you don't understand or haven't researched enough to understand...then you could potentially damage your device with something that is a legitimate tool)
Click to expand...
Click to collapse
Good answer, you are right!, but you say do a research before installing, but it's not really possible unless you are a programmer and checking whole code The best rated apps still have many different permission requirement and i have no idea what they are doing.
For example app can request a new password change for example on paypal and steal packets which come to my gmail about new password.^^
Security Apps
Hi,
in my eyes the best way is to use programs like PDroid. You cann adjist the rights of every App regarding send SMS for example.
LBE Privacy Guard may be also an Option. (runs not on my Device - SGS+)
(i use Pdroid 2.0)
you should also read the comments in the store, and the needed rights from the app before install. The best Apps to trust are open source apps.
Kblavkalash said:
Good answer, you are right!, but you say do a research before installing, but it's not really possible unless you are a programmer and checking whole code The best rated apps still have many different permission requirement and i have no idea what they are doing.
For example app can request a new password change for example on paypal and steal packets which come to my gmail about new password.^^
Click to expand...
Click to collapse
Research generally involves a Google search...
Editor's Choice in the market are safe bets, you know, the blue icon.
But then there are the millions of other apps, and frankly, I tend to toe the app name plus xda for instance, Google will show you xda threads about the app, if the posts are normal, you can be sure it's not malicious.
Stuff like that...
Also, fake market comments are really easy to spot and are a dead giveaway
Sent from my GT-I9000 using xda premium
I'd like to pone a privacy problem.
In Android ,installed apps require permissions to operate. Permissions to access the Phone Id (also the IMEI) or the position of the device or the access to your calls seem very common in most apps on the market.
Permission for the position seems ok for a Gps navigation program but also for an alarm clock? Where do they sent my data and what use they do?
I use LBE privacy guard but it is enough?
what do you think?
Toriko said:
I'd like to pone a privacy problem.
In Android ,installed apps require permissions to operate. Permissions to access the Phone Id (also the IMEI) or the position of the device or the access to your calls seem very common in most apps on the market.
Permission for the position seems ok for a Gps navigation program but also for an alarm clock? Where do they sent my data and what use they do?
I use LBE privacy guard but it is enough?
what do you think?
Click to expand...
Click to collapse
are you a thief?? :laugh:
Most of the permissions are for ads bases on location
Batcom2
xxXismakillXxx said:
are you a thief?? :laugh:
Click to expand...
Click to collapse
No, but I'm thinking about it. Seriously, have you ever wonder why you get web searches, translations and other services for free and yet the companies that handle the sites are billionaires? Because they sell your personal data and your commercial preferences to other companies without your permission. Think about it when you post your personal data on the web.
zelendel said:
Most of the permissions are for ads bases on location
Batcom2
Click to expand...
Click to collapse
I'm not so sure about that. However if I buy an ad free app , there shouldn't be any ads. And why an alarm clock need my phone id and can access my call log? It's fishy.
Toriko said:
I'd like to pone a privacy problem.
In Android ,installed apps require permissions to operate. Permissions to access the Phone Id (also the IMEI) or the position of the device or the access to your calls seem very common in most apps on the market.
Permission for the position seems ok for a Gps navigation program but also for an alarm clock? Where do they sent my data and what use they do?
I use LBE privacy guard but it is enough?
what do you think?
Click to expand...
Click to collapse
Rule of thumb: Every app that asks for unique device numbers, location and a backchannel does so because it contains advertisement. Advertisers simply love to track customers and find out as much as possible about them in order to deliver ads that actually result in a sale (contrary to popular belief, they don't do that just to annoy the crap out of everyone).
Personally, I don't use LBE privacy guard. I haven't seen the source and that pretty much means it is as much a blackbox as the apps, it is suppose to protect me from. For me, rooting and installing a firewall to simply block the backchannel does the trick.
If u filter out apps for their permissions, u will have nothing but the system apps left on the phone! even I used to check permissions b4 downloading at the beginning. Then as I downloaded a lot of apps i was lazy enough to give a dang to wat permissions the app wants! just see through the comments (reviews) to know if there are any issues with the app! That's it.! And nowadays the app developer tries to explain the reason for each permission the app asks for. So sooner all apps are gonna be explaining their permissions! (hopefully)
zelendel said:
Most of the permissions are for ads bases on location
Batcom2
Click to expand...
Click to collapse
This is true although some use it to collect app usage information for the purpose of improving the app. Unfortunately, it can be difficult to determine exactly why a particular permission is requested.
onyxbits said:
Personally, I don't use LBE privacy guard. I haven't seen the source and that pretty much means it is as much a blackbox as the apps, it is suppose to protect me from. For me, rooting and installing a firewall to simply block the backchannel does the trick.
Click to expand...
Click to collapse
Installing a firewall won't solve the problem, because you can't stop apps that need connection : together with the access to the net they send your data. LBE allows the access for the app but block the transmission of your id together with other data.
Anyway LBE also works as a firewall. There's another app that works the same way (Pdroid) but supports only Gingerbread.
Hi there,
I am a newbie with Android and smart phones.
As an old-school tech, from Windows 3.0 to Gnu/Linux, I want for long time avoid all GAFAM stuff and keep a bit of privacy and security.
I came across the Exodus site and try to find app with zero tracker and minimum permission.
Do you care about that?
Do you use FOSS apps?
Do you have a list of usual apps that fulfill your need AND privacy?
Any help, advise, list of apps (browser, messaging, files management, maintenance, ...) are welcome.
Thank you
IMHO it doesn't matter where you fetch apps from: F-Droid, Google Play Store, etc.pp.
Apps typically request normal premissions and dangerous permissoins.
Dangerous persmissions are
READ_CALENDAR
WRITE_CALENDAR
CAMERA
READ_CONTACTS
WRITE_CONTACTS
GET_ACCOUNTS
ACCESS_FINE_LOCATION
ACCESS_COARSE_LOCATION
RECORD_AUDIO
READ_PHONE_STATE
READ_PHONE_NUMBERS
CALL_PHONE
ANSWER_PHONE_CALLS
READ_CALL_LOG
WRITE_CALL_LOG
ADD_VOICEMAIL
USE_SIP
PROCESS_OUTGOING_CALLS
BODY_SENSORS
SEND_SMS
RECEIVE_SMS
READ_SMS
RECEIVE_WAP_PUSH
RECEIVE_MMS
READ_EXTERNAL_STORAGE
WRITE_EXTERNAL_STORAGE
and only become activated if user clicks ALLOW to them: so it's on user what permissions can be used by an app.
So-called normal permissions get allowed by default without any user interaction.
jwoegerbauer said:
and only become activated if user clicks ALLOW to them: so it's on user what permissions can be used by an app.
So-called normal permissions get allowed by default without any user interaction.
Click to expand...
Click to collapse
I you sure only normal permissions get allowed by default without any user interaction? and where can I separately allow or deny them? Is there a place where all these permissions are explained and what I'll block in the app when denied?
What about tracker? Is it possible to deactivate them?
I think trackers are more intrusive than permissions. Am I right?
MrNice said:
I you sure only normal permissions get allowed by default without any user interaction? and where can I separately allow or deny them? Is there a place where all these permissions are explained and what I'll block in the app when denied?
What about tracker? Is it possible to deactivate them?
I think trackers are more intrusive than permissions. Am I right?
Click to expand...
Click to collapse
Yes, only normal permissions get allowed by default, the apps will ask for the rest of them and you can deny them if you want. Also the only way to disable trackers is with aurora appwarden or trackercontrol, but sometimes the apps with disabled trackers could crash.
@MrNice
an app only can track you if it has the related Android permission granted to do so.
The Penguin said:
Also the only way to disable trackers is with aurora appwarden or trackercontrol,
Click to expand...
Click to collapse
jwoegerbauer said:
an app only can track you if it has the related Android permission granted to do so.
Click to expand...
Click to collapse
Hummm, for me, these 2 sentences look like an oxymoron.
Could you explain?
My last 2 cents here:
An app doesn't have trackers, it only has granted permissions, but an app may behave as tracker - where it doesn't matter whatever it will track - if it got granted the related permissions.
Have a nice day.
I use Karma Firewall to log/see what's accessing the internet and block it if needed.
Many don't need internet access to be functional.
Some of the worst offenders I uninstalled.
Gookill is the worst offender, I keep Google play Services and Playstore disabled 99% of the time.
Some freeware apps are perfect. They do nothing except what they're suppose to do and never attempt internet access; keepers.
When we deny/ block certain permissions to apps, how does Android (or iOS) enforce this?
There are two ways of enforcing this setting:
1. System tells the app not to ask for the permission because the user has denied it.
2. App keeps trying to access the particular permission, and the system continuously blocks it.
For example, if we deny location permission to an app, does the app no longer request location access, or does it keep trying to access location and system keeps blocking it?
If method 1 is how it works (and I doubt it), it would be great for performance and battery life.
If method 2 is how it works (and I think this is how it works), then the app would likely continue to drain battery even more than what it would if the permission was granted.
Can someone explain how this works?
Thanks.
TheMystic said:
When we deny/ block certain permissions to apps, how does Android (or iOS) enforce this?
There are two ways of enforcing this setting:
1. System tells the app not to ask for the permission because the user has denied it.
2. App keeps trying to access the particular permission, and the system continuously blocks it.
For example, if we deny location permission to an app, does the app no longer request location access, or does it keep trying to access location and system keeps blocking it?
If method 1 is how it works (and I doubt it), it would be great for performance and battery life.
If method 2 is how it works (and I think this is how it works), then the app would likely continue to drain battery even more than what it would if the permission was granted.
Can someone explain how this works?
Thanks.
Click to expand...
Click to collapse
The first one if it's update to support the current SDK. App comunicate a request system-level (permission) and ask you to choose.
Granting / revoking permissions is done at app's level and controlled / noted by Android OS:
Permissions on Android | Android Developers
developer.android.com
Keep in mind that once an app has permission to use something, it can do so whenever it wants. While an app might have a legitimate reason for accessing your location, it could also check your location in the background every so often and send that data to advertisers - what will drain battery, of course.