Avoiding Android App Permission Fraud & Identifying Potential Permission Problems

What do you know about your smartphone? Do you know what it does when you are not using it? No matter how fun it is to have a smartphone and play games while chatting, no matter how convenient and productive it is to have access to documents on the bus without dragging out a laptop, it's no fun to turn your smartphone on and discover that you've become a malware or identity theft statistic. We have all read about Android users resorting to begging Google to reset their phones and remove a malicious Android app, yes? Do you want to be next?

Protection by Understanding Your Android OS

It helps to understand a little about the Android OS and about why permissions are problematic. Android-based devices have so many privacy and virus problems because Google did the right thing - it made Android Open Source, meaning the source code is open to the public. This means that anyone, including malicious hackers, can develop ways to penetrate its security and other systems

Android maintains an open marketplace as well, meaning anyone who has developed an application, an application believed might "make it," could post it to the Marketplace, as there is no real review process, opening the door for problems. While this is the very definition of "Free Market," many hackers take advantage of it, posting malicious Android apps simply because it is fun, or it makes them a penny or two richer.

Understanding App Permissions

To function, most of the apps need to access information on your smartphone, called permissions. When downloading an app, a screen opens in which the user must allow access to personal information, and if the user does not allow this, he or she cannot download and use the app. The problem is that just as most people do not ever read the Terms of Service on a website, people do not read the permissions.

This alone causes the bulk of many problems and is why the simplest thing you can do is read the permissions before you download an Android application of any kind. You might just find that the app does not need the information it wants for it work and if this is the case, you can deny permission, or allow it and watch the app closely for problems such as extra data usage, outgoing calls you did not make and many other problems.

Finding the Permissions Page

Access the permissions page on your computer by using your web browser to visit the Google Android Marketplace online, and then finding the app you want to download, and clicking the "Permissions" tab at the top, far right. If you want to investigate using your phone, go to the Marketplace page, find the app and then press the "menu" button, selecting "downloads." Once that opens, find the application you are investigating, then select the application, and then press menu a second time. Then, finally, press "security."

Here, everything that the app required to run is listed, whether it is necessary to make it work or not. Review this information well, as many innocent looking games ask for permission to access an address book or phone log - some even ask for permission to make phone calls and even change your account passwords! One app in particular, called Jackeey, was caught stealing user information and sending it to china - along with over 300,000 other apps misusing user information.

Alternatively, when you are downloading the app, a page pops up asking you whether you want to allow it access, and here you have the option of checking yes or no. Some of the most common permissions that apps ask for include making phone calls and sending text, SMS, or MMS messages; modifying and deleting SD card data, access address and phone books, set preferences and other options; keep the phone on, and many more, many of which are not needed to make the game or app work.

The screenshot shows the permissions of an app on the Marketplace, and it includes the need for full access to the Internet, in addition to needing permission to write and delete USB data, permission o access the network, and even prevent the phone from sleeping. This is a simple game, and the user must allow it to be able to access these functions at any time.

This same information about permissions should be available on other app stores that offer Android apps, and if they do not, contact the app store and ask for it. If the app store refuses to supply the permissions information, do not download the app and look elsewhere.

Ongoing Vigilance

These permissions may be legitimate functions for a networking package that computer administrators might need, but does a game need to make a phone call while you are sleeping? The rule of thumb is, when in doubt, do not download. Are gaming apps that important that they are worth the privacy risk? If an application requires information and access that you are not comfortable giving, do not allow it, and do not download the app.

One last word about permissions and maliciousness on your Android phone is that you should always watch everything. Check the outgoing call logs, check for unauthorized data access and downloads, changes to your setup preferences or passwords. Check your monthly bill for unusual charges, and make sure that you have a data backup just in case there is a problem. Many of the newer security packages have backup options built-in, in addition to real-time monitors that can be set to detect unusual behavior of Android apps. Download one and use it.

No smartphone is exempt from problems - sorry iPhone owners, but it is true. Look at how to identify the permissions page, and ways to protect your Android-based smartphone - and yourself in the process - from possible privacy problems, and other potential Internet nasties. Knowing what permissions are, and which to avoid protects your phone from potential malicious applications, and helps protect your identity as well as your family's privacy.

References:

"Android App Permissions Explained,"

CZroe "Android Wallpaper App Stole Scores of Users' Data and Sent it to China," Daily Tech

"300,000 Mobile Apps Stealing Data," IT Pro Portal

"Use Permissions to Secure Private Data From Apps," Technically Personal