
4/4/2017 AndroidAppPermissionsandSecurity:WhatYouNeedtoKnow


Android App Permissions and Security: What You Need to Know
POSTED IN WIRELESS SECURITY ON FEBRUARY 5, 2014


http://resources.infosecinstitute.com/androidapppermissionssecurityneedknow/ 1/30

As of this article, Android has the greatest OS market share on both smartphones
and tablets. If you don't own an Android device, chances are that your friends, family
or co-workers do.

The security implications of Android affect many millions of people worldwide who
use their devices for personal reasons. But also, more and more corporations and
governments are either offering their employees corporately administrated Android
devices, allowing Android devices into their networks via BYOD (bring your own
device), or some combination of both. So, using Android insecurely can also
devastate corporations and governments, costing them millions or even billions.


I wrote an introductory article on Android security which covers the basics regarding
malware, privacy, password security, and physical security. This article expands on an
Android security matter which deserves a separate piece of its own: Android app
permission security. Whether you use Android devices for personal or professional
reasons, it'd benefit you to heed my advice.

Technically speaking, Android is a Linux distribution, because it's built on the Linux
kernel. All Linux-based OSes are designed to be able to have multiple user accounts,
which can each have their own sets of permissions, with root having master admin
rights.

In most Linux distros, which are typically run on PCs and servers, such as Ubuntu,
Red Hat, SUSE, Arch and Linux Mint, the user accounts typically represent people
who use the same OS install directly on a PC client, or remotely off of a LAN
connected server. For instance, on the Linux installs we have running off of our PC
hard disks and off of our Linux servers in our server room, my fiance and I both have
root/admin accounts. So, we both have access to read, write, install, uninstall,
reconfigure and delete anything. When we run Linux bash commands which require
root, we can simply type "sudo" at the beginning of the command, enter our
passwords when prompted, and we can do whatever we'd like on our Linux
machines.

But, we also set a number of user accounts for our friends and people we work with.
We set limited permissions on their accounts. They can download files from the
Internet to their own folders only. They can read, write and delete files from their
own folders only. They may not install any applications without our sudo
authorization. They may not uninstall any applications without our root passwords.
They may only view their own files in their own folders. And finally, they may not
change any OS settings or configurations.

The odd thing about Android is, instead of actual people having user accounts with
associated permissions, the applications themselves each have their own sets of
user permissions. The person using an Android device may install or uninstall
applications, save or delete files, and change OS settings. But to be able to
reconfigure their device beyond what the Settings app allows, and for further
admin functions, they would need to root their Android device. When an Android
device is rooted, the user has full root permissions, in the same manner as having
root in other Linux distros. Rooting an Android device involves overcoming its
bootloader, and proper rooting procedures vary according to your Android device
manufacturer and model. If you're curious about how to root your Android device,
Google its model name with the word "root." XDA Developers is a particularly good
resource for information about how to root nearly every Android device out there.

So, as I've said, in Android, instead of people having user accounts and permissions,
apps have user accounts and permissions. Each app, including Android OS
components, has its own unique user account.

Regardless of which version of Android you're using, each and every time you install
an Android app (an APK file), the Google Play Store will show you which permissions
the app asks for. Usually, you cannot pick and choose which permissions you grant
to an app. You usually can only decide whether or not to install an app, based on the
permissions it asks for.

I installed a new game on my phone a couple of days ago, Kaizin Rumble: World
Domination. These are some of the permissions the app asked for before I agreed to
install it.


I decided that I'm okay with the permissions that app thinks it requires. So, I tapped
on "Accept." "Modify or delete the contents of your USB storage" makes sense,
because the game probably stores game save files and some downloadable content.
"Retrieve running apps" makes sense if the game uses Facebook, Twitter or Google+
OAuth for authentication, as many Android games do. That permission might also
make it easier for me to switch from the game, to another app I'm using, and back
to the game again, without losing any game progress. "Full network access" is
needed for games which require online connectivity, which is most of them. "Read
phone status and identity" is necessary for if I receive a phone call while playing the
game. "Read call log, read your contacts" concerns me a little bit, and I'll turn that
permission off via procedures I'll describe later in this article. "Add or remove
accounts, use accounts on the device" is probably related to using social network
OAuth to link with my in-game account authentication.
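An added example (not from the original article): the same permission review, done from an app's manifest rather than the install prompt, flagging requests for personal data that sit alongside network access. It assumes the APK's AndroidManifest.xml has already been decoded to text XML (for instance with apktool); the package name `com.example.game`, the sample manifest and the privacy/cost grouping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Play Store wording (Android 4.x era) for the permissions named in the article.
LABELS = {
    P + "WRITE_EXTERNAL_STORAGE": "modify or delete the contents of your USB storage",
    P + "GET_TASKS": "retrieve running apps",
    P + "INTERNET": "full network access",
    P + "READ_PHONE_STATE": "read phone status and identity",
    P + "READ_CALL_LOG": "read call log",
    P + "READ_CONTACTS": "read your contacts",
    P + "MANAGE_ACCOUNTS": "add or remove accounts",
    P + "USE_CREDENTIALS": "use accounts on the device",
}

# Grouping chosen for this example (an assumption, not an Android API):
# permissions that expose personal data, and permissions that can cost money.
PRIVACY = {P + n for n in ("READ_PHONE_STATE", "READ_CALL_LOG", "READ_CONTACTS",
                           "READ_SMS", "ACCESS_FINE_LOCATION",
                           "ACCESS_COARSE_LOCATION")}
COST = {P + n for n in ("CALL_PHONE", "SEND_SMS")}
NETWORK = P + "INTERNET"

# Constructed sample: a decoded manifest requesting the eight permissions above.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <application android:label="Example Game"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return (package, [permission names]) from a decoded AndroidManifest.xml."""
    # A manifest never needs a DTD; refusing one avoids entity-expansion
    # tricks in manifests taken from untrusted APKs.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("DTD/entity declarations are not expected in a manifest")
    root = ET.fromstring(manifest_xml.strip())
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name and name not in names:  # drop duplicates, keep manifest order
            names.append(name)
    return root.get("package"), names


def audit(manifest_xml):
    """Classify each requested permission and list the ones worth a closer look."""
    package, perms = requested_permissions(manifest_xml)
    findings = []
    for perm in perms:
        if perm in COST:
            category = "cost"
        elif perm in PRIVACY:
            category = "privacy"
        else:
            category = "other"
        findings.append({
            "permission": perm,
            "label": LABELS.get(perm, "(not in LABELS)"),
            "category": category,
        })
    private = [f["permission"] for f in findings if f["category"] == "privacy"]
    return {
        "package": package,
        "findings": findings,
        # Personal data plus network access in one app is the combination
        # to review before installing.
        "can_leave_device": private if NETWORK in perms else [],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(report["package"])
    for f in report["findings"]:
        print(f"  [{f['category']:7}] {f['permission']}: {f['label']}")
    print("review (personal data + network):", report["can_leave_device"])
```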


For the purposes of this article, especially since I'm including all kinds of screenshots,
it's worth noting that I have a Nexus 4, which is running the latest version of Android
as of this writing, 4.4.2 KitKat.


Malicious apps will probably misuse the permissions you grant them by installing
them. Their permissions may make malicious apps able to make expensive long
distance phone calls or text messages, engage in spyware activities like uploading
your private data, contacts and GPS location, stop your other apps from running
properly, or stop you from being able to change your device settings.

Do keep in mind that even apps that aren't really malware, which are popular with
millions of Android users, may use the permissions you grant to track your GPS
location, read your text messages and contacts, or make device setting changes you
won't like. Examples of those include the Facebook app, Yelp, or even some App
Launchers.

You may want to install and use those applications anyway. I do. But I don't have the
Facebook app on my phone. I only use Facebook in my web browser, because I really
don't trust Zuckerberg and company very much.

When apps update, if the permissions they demand change, Google Play will
prompt you with a list of the new permissions, and let you decide accordingly
whether or not to update that app.

So, I've chosen to install many apps on my phone which may engage in some
spyware functions or do other things to my Nexus 4 that I don't like. But I've got the
upper hand, because I know how to disable some permissions from my apps. I'll
show you how.

All versions of Android are designed so you can't change the permissions granted to
the apps you've installed without doing some degree of hacking. In Android 4.3
Jelly Bean, a hidden function was added called "App Ops." That function allows users
to manually enable or disable app permissions. The only easy way to access App Ops
in Android 4.3 is to do one of the following. If you have a third party OS UI, otherwise
known as a Launcher, it'll exist on your device as any other app. Trigger your
Launcher app to open an activity, and if you scroll all the way down the list of
available activities, you'll find App Ops. You can open the hidden function from
there. Then, you can navigate to each of your application permission settings, app by
app, and pick and choose which permissions to enable or disable. Keep in mind that
disabling some app permissions may make your apps unable to function properly.

The other way to open App Ops in Android 4.3 is to install a third party app which is
designed to launch the hidden function, such as AppOps Launcher, at
https://play.google.com/store/apps/details?id=com.pixelmonster.AppOps. AppOps
Launcher also works in Android KitKat, 4.4+.

The Electronic Frontier Foundation was very happy when App Ops appeared in 4.3,
even though it's hidden. But even though third party permission control apps can
work in other versions of Android, App Ops was removed in KitKat 4.4.2. That
disappointed the EFF, and with good reason. Android device owners shouldn't have
app controls taken away from them, because that would violate their user rights.

"The fact that Android users cannot turn off app permissions is a Stygian hole in the
Android security model, and a billion people's data is being sucked through," said
the EFF's Peter Eckersley.

Nevertheless, as I've mentioned previously, there are ways to get that control back.
You should, because even legitimate apps can spy on you or create other security
vulnerabilities.

Permission Manager is another app you can try, at
https://play.google.com/store/apps/details?id=com.appaholics.applauncher. Despite
what it says in Google Play, I've found that it works in 4.4.2 KitKat, in addition to 4.3
Jelly Bean. It won't work if you have a version of Android that's previous to 4.3.

Interestingly, Permission Manager doesn't ask for any permissions.

Here's what Permission Manager looks like.


So, if you install the free version of Permission Manager, as I did, you can see the top
five apps on your device which have the greatest number of permissions. But if you
buy the paid Pro version, you'll see a list of all of your apps and their permissions,
listed from the most permissions to the least.

So, here's what I see in my free version.


All of those apps are native Android components that mustn't be removed, except
perhaps for Google+. I've decided to let those Google apps have all their default
permissions for two reasons. The first is that I'm pretty sure disabling any of their
permissions will really cripple the functioning of my device, particularly since all of
those apps, except for Google+, are vital OS components. The second is that, since I
have a Google Android device that uses Google's complete service ecosystem, if I
can't trust Google with a wide assortment of functions, I shouldn't own a Google
Android device in the first place. Google's data mining is all a part of the game if you
choose to use any Google program or service, from Android to Gmail to Drive to
Maps to even Google Search. That applies to any Google services you use anywhere,
even outside of Android. That includes using Google Maps on your iPhone and using
Google Search in any web browser from Microsoft Windows, and so on and so forth.

Here's what you can see in Permission Manager if you launch the settings of a
particular app.


Yeah, disabling any Android System UI permissions would really mess up my phone,
perhaps even irreversibly.

Since Permission Manager only works in Android 4.3 and 4.4, you'll need to install
another app if you want to manage app permissions in an older version of Android.
Or, even if you use 4.3+, you might want to have easy access to the permissions of all
of your apps, without having to pay for Permission Manager's Pro version. A possible
option is SnoopWall, which can be installed for free from
https://play.google.com/store/apps/details?id=com.snoopwall.android.

One of the nice things about SnoopWall is that it works in all versions of Android
from 2.3.3 Gingerbread and up. It'll also allow you to manage the permissions of all of
your apps, free of charge. What I'm not crazy about, but what you might enjoy and
benefit from, is that the app is designed to do a lot more than just manage app
permissions. It runs an antivirus shield and firewall that's not supposed to conflict
with any antivirus shield or firewall you already have. It checks for, and blocks
eavesdropping and spying. It stops your camera, GPS, WiFi, microphone and NFC
from being used without your authorization. It even has a special security mode
designed to be used if you're doing any online banking on your phone or tablet.

Unlike Permission Manager, SnoopWall asked for a number of different permissions
upon installation.

The following are screens you'll see when launching SnoopWall (Antivirus Privacy
Firewall) for the first time.


After you launch SnoopWall for the first time and it tells you "You are not secure," you
can choose a security mode.


Phone Mode, Internet Mode, and Apps Mode disable a lot of functionality, which
can be very annoying. For instance, apps are blocked in Phone Mode, and Internet
access is blocked in Apps Mode. (What about most apps, which require network
connectivity?) Bank Mode is only useful if you're doing online banking, either via
your Web browser or a native online banking app. So, I chose Autopilot Mode.

When you choose a mode, you'll see this screen.

Here's what SnoopWall's main control screen looks like.

Tap "Control Apps" (at the bottom) to manage the permissions of each and every
one of your apps. I happen to have about 250 apps in total.

Handy green icons in your app list will give you a quick overview about what kind of
permissions each app has. Tap on the blue circle next to the app name to customize
the permissions you give that particular app.


I've decided to leave Chrome's permissions alone, based on the "if I can't trust
Google, I'm screwed by having an Android device" principle.

Here are the permission settings for another one of my apps, Barcode Scanner+.

Tapping on "Block App" doesn't necessarily block the app completely; instead it
gives you the option to selectively enable or disable its permissions.

As Barcode Scanner+ uses my phone's camera to scan QR codes and UPC codes,
disabling the Camera permission would defeat the purpose of the app. Here's what I
chose to enable and disable.


I cannot see why Barcode Scanner+ should be able to activate or use WiFi, but it
obviously needs my camera, and its NFC (near field communication) and mobile
data (3G or 4G) functions could be useful, so those are risks I'm willing to take.

I went through each and every one of my apps via SnoopWall, and I set their
permissions to my liking, being mindful to not disable permissions that could impair
app functions I'd like to have, or would prevent my device from working properly. As
I have over 250 apps, it was a long and tedious process, but well worth it.

One thing I don't like about SnoopWall is that running the app forces Bluetooth to
be turned on. Leaving Bluetooth on when you're not using Bluetooth peripherals
with your phone or tablet can be an unnecessary drain on your battery. Bluetooth
can also be used for a third party to obtain malicious access to your device, so for
security reasons, Bluetooth should only be turned on while you're using it.

So, after I set my app permissions with SnoopWall, I went into my system app
settings (in the OS, not in SnoopWall) and disabled SnoopWall from running. Then, I
was able to turn Bluetooth off again. Based on what I know about how Android apps
work, I assume the app permission changes I made via SnoopWall are still set.

There are other third party apps that you can install on your Android device to
manage your app permissions. You may give them a try, but keep in mind that I
haven't yet installed and tried them on my phone.

Advanced Permission Manager
(https://play.google.com/store/apps/details?id=com.gmail.heagoo.pmaster) is
supposed to work on Android Froyo 2.2 and every later version of Android.

F-Secure App Permissions
(https://play.google.com/store/apps/details?id=com.fsecure.app.permissions.privacy)
is supposed to work on Android 2.3.3 Gingerbread and up.

Fix Permissions
(https://play.google.com/store/apps/details?id=com.stericson.permissionx) is
supposed to work on versions of Android as old as 1.6 Donut. But regardless of the
version of Android you install it in, your device must be rooted.

You'll find many other permission control apps in the Google Play store, as well. Be
conscientious about which app you choose, and how you operate it. Most
importantly, look at the user ratings of the app, and the user reviews. I wouldn't
install any app that has less than four stars.

I hope in the future that Google's Android development team decides to reverse the
decision they made for KitKat 4.4.2. I hope future versions of Android allow app
permission customization without being hidden (as in 4.3) and without requiring
root. They could always design the program so that users are warned to customize
permissions at their own risk.

Your Android device should be fully in your control, and you should be able to
customize functionality with security in mind, so that Android app developers can't
take control or security away from you.

Comments for this thread are now closed.

4 Comments

Dna, 2 years ago
hi,
Interesting old article but just wanted to add a little detail here that might help for future
reference.
It may be google android but it really doesn't need to have google apps to run perfectly fine.
I have rooted and customised my devices and removed everything relating to google.
The only downside to this is you are no longer able to utilise the google play store but I find
that most apps are available via the clear web without having to resort to using app repositories.

Bottom line for privacy is simple, if you can do a task via a web page then don't bother with
apps.
Case scenarios: facebook, banking, email, twitter etc... All of these things can be done via
web pages and no apps are required which avoids the needs for privacy permissions.

Also, a good firewall is a must as this can be used to block apps from communicating full stop.
They can collect as much data as they like because it will never be transmitted =)

cheers.
Charlie, 3 years ago
Hi Kim,

This is a great article. One note on your dissection of permissions requested by your first
example app: "Read phone status and identity is necessary for if I receive a phone call while
playing the game." That is not the case. The phone app in the background (e.g. Android Dialer)
will handle any incoming calls while you play the game; the game app will only want this so it
can see your phone identity (phone number, carrier code, etc.) so that it can uniquely identify
you. This is usually utilized on the free games in order to better track users for Advertising
profiles.

You might be interested to check out the XPrivacy system. It is not a simple app you can
install from the Play Store but a Module for the XPosed framework, which is available for most
of the stock Android devices (all Nexus models and a few others). It is hugely flexible in the
permissions you can grant or deny to apps, actually way too flexible and overwhelming for
most users in my opinion, myself included, but it is the current state of the art as far as
Android permissions goes.

Thanks for the article.

Deborah Tutnauer, 3 years ago
I cut the Apple cord today and bought a Moto X. I was shocked when I went to download my
common social media apps, at the inability to choose permissions. With the iphone it was easy
to turn off most of them individually for each app.. my biggest concerns are location and
access to my contacts, calls and texts.. I ended up with the app opp protection app, and fixed
the permissions in FB and G+ and the location in my camera.. But then without knowing
enough, I upgraded the software from 4.4, to 4.4.2 and the app ceased to function.

I will try the snoopwall app as you suggested. I have 14 days to decide whether to keep this
phone or go back to the iphone.. I like it so far, but I'm very cautious about privacy and I'm
really appalled that there is so little control in the android world.

danti, 3 years ago
Thank you Kim....
very nice article
