Skip to main content

Study: Be Mindful of Your Android App Permissions

A new report claims that as much as a fifth of all Android applications allow a third-party application access to sensitive or private information. CNet reports that a recent report from security firm SMobile Systems says five percent of 48,000 downloadable apps in the Android marketplace can place calls to any number without the user doing anything and 3 percent can allow an app to send unknown SMS messages to premium numbers that incur expensive charges.

SMobile Systems' report says 5,783 applications in the Market request three or more notable permissions with notable permissions being ones that grant access to personal identifying information, location or service that could be used maliciously. Twenty-nine applications were found to request the exact same permissions as known spyware (and have been categorized and detected as such by SM), eight applications explicitly request a specific permission that would allow the device to brick itself, or render it absolutely unusable. 

"Just because it's coming from a known location like the Android market or the Apple App store doesn't mean you can assume that the app isn't malicious or that there is a proper vetting process," Dan Hoffman, Chief Technology Officer at SMobile Systems, is quoted as saying.

Spyware is becoming more of a problem as the smartphone market continues to grow at a rapid rate. With these kinds of devices becoming more affordable and all kinds of people developing applications, it's hardly surprising that some people are developing apps to harvest information on the sly.

Check out the report for yourself here (pdf warning).

[Updated at 09:15 PT to better reflect the SMobile report and to include comments from Google] Google's Jay Nancarrow has refuted the claims made by SMobile Systems, highlighting the fact that Android users must give an app permission to access any and all information. Nancarrow also states that all devs must go through billing background checks to confirm their identities and any apps deemed to be malicious are removed.

"This report does not signal any security issues in Android. It falsely suggests that Android users don’t have control over which apps access their data. Not only must each Android app gets users’ permission to access sensitive information, but developers must also go through billing background checks to confirm their real identities, and we will disable any apps that are found to be malicious."

SMobile Systems concedes the vast majority of apps developed for Android are safe, but goes on to warn that users have no way of knowing if an app is only doing what it's supposed to.

It seems the biggest problem SMobile Systems has is that a lot of people just click 'accept' when Android notifies them of the access certain applications require.

"The fact remains that there is no means available for a user to know for sure that the app the user just downloaded is doing only what the user sees it doing. One must look at the permissions requested to determine what the applications true capabilities might be."