General perception is that more permissions = less privacy (which is true), hence smart and privacy conscious users deny and may feel safe. But are you really safe? If you use an Android smartphone and feel good about being picky about which permissions to allow then read on.
There are primarily three types of permissions in Android — Normal, Dangerous & Signature. Dangerous permissions are considered high-risk, hence, the user has to explicitly allow these permissions (upfront in Android Lollipop & at run time from Marshmallow onwards). Signature permissions are given to the app at OS level by phone manufacturers.
I will talk about Normal Permissions (classified as PROTECTION_NORMAL), which do not require any user permission and there is no way a user can deny or revoke these permissions in any Android version from any settings whatsoever. Google classifies them as normal because they feel there is no risk involved. Here are some of the Normal Permissions and the possible risk they may carry:
- DOWNLOAD_WITHOUT_NOTIFICATION: App can download any content include Adware without alerting the user.
- GOOGLE_AUTH: Apps can get the email address used for Google accounts. Good way to collect email database.
- GOOGLE_AUTH.wise: Allows Apps to secretly sign into Google Spreadsheets without informing the user.
- GOOGLE_AUTH.writely: Allows Apps to secretly sign into Google Docs without informing the user.
- KILL_BACKGROUND_PROCESSES: App can kill any running process, including any anti-virus or anti-malware and then launch an attack.
- launcher.WRITE_SETTINGS: App with this permission can modify the settings of Android’s Launcher & icons. Apps could use this to place (misleading) icons on your home screen to trick you to click on it. Icon can look like a mail icon.
- READ_EXTERNAL_STORAGE: App can read any document or sensitive data on your SD card. (Deprecated after API 19)
- READ_SYNC_STATS: Apps can read the sync stats for any background sync to Facebook or Gmail, including the history of sync events and how much data is synced.
- RECEIVE_BOOT_COMPLETED: App gets to know when you restart your phone and force itself to launch on boot. Can strain your boot process & memory too.
- REORDER_TASKS: Allow Apps to bring itself to Foreground if running in the background. Suddenly an app running an ad can force itself to be seen.
- SUBSCRIBED_FEEDS_READ: Apps can read your RSS feeds and create your persona based on interests.
- WRITE_USER_DICTIONARY: This permission allows App to add custom words to your dictionary which can be used during auto-correct. The misuse possibilities with this are endless.
There are several other permissions like ACCESS_NETWORK_STATE, ACTIVITY_RECOGNITION, FLASHLIGHT, GET_ACCOUNTS, SET_WALLPAPER which do not require any permission and a smart rogue developer can misuse by combining a few of them.
Even though I have turned off all permissions for Facebook App, it still has access to all the permissions I listed above.
Bottom line: Be selective about which apps you download on your Android phone. While you can control the access to dangerous permissions, you may be at risk just by downloading some apps.
[This post by Deepak Abbot first appeared on Medium and has been reproduced with permission.]