Google just made a huge change to the way app permissions work on Android. Apps already on your device can now gain dangerous permissions with automatic updates. Future apps can gain dangerous permissions without asking you, too.

This is all thanks to the latest Play Store update and its simplified app permission interface. The core idea here -- making Android app permissions comprehensible to normal users -- is good. The implementation is the big problem.

Apps Can Now Add Permissions Without Asking You

Google Play now sorts app permissions into groups of related permissions. For example, an app that wants to read your incoming SMS messages will require the "Read SMS messages" permission. When you install it via the Play Store, you'll see it asking for the "SMS" permission group.

Install the app and you're giving it access to all SMS-related permissions. The app can now automatically update and gain the ability to send SMS messages without asking you.

Do you have apps on your device that you trust to read SMS messages, but not send them? Those apps can now gain the ability to send SMS messages without prompting you -- all the developer has to do is update the app.

The only way to prevent this from happening is to disable automatic updates and verify app permissions manually every time an app wants to update -- as if that's a reasonable solution! If you do this, you'll also end up using outdated versions of apps, which is another security problem.

Permission Groups Contain Both Safe and Dangerous Permissions

The big problem is that groups can contain both normal, basic permissions as well as more dangerous permissions. For example:

  • Location: An app that asks for your approximate, network-based location can now gain permission to track your exact location with your device's GPS.
  • SMS: An app that only needs to receive text messages can now gain the permission to send SMS messages in the background, potentially costing you money.
  • Phone: An app that asks to read your call log can now gain permission to reroute outgoing calls and make phone calls without asking you.
  • Photos/Media/Files: An app that needs to read the contents of your USB storage or SD card can now format your entire external storage device.
  • Camera/Microphone: An app that has permission to take pictures and videos (for example, a camera app) can now gain the permission to record audio. The app could listen to you when you use other apps or when your device's screen is off.

You'll be asked to confirm when an app requires a new group of permissions. If you've already granted access to a single permission from a group, all bets are off and the app can get all permissions in that group.

A huge number of Android apps already ask for more permissions than they need, and now those apps have been granted even more permissions they don't need!

Every App Gets Internet Access

Google has also given each app Internet access, effectively removing the Internet access permission. Oh, sure, Android developers still have to declare they want Internet access when putting together the app. But users can no longer see the Internet access permission when installing an app and current apps that don't have Internet access can now gain Internet access with an automatic update without prompting you.
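The manual check described above can be scripted. This is an added example, not code from Google or from the original article: it compares the permissions requested by two versions of an app and separates the additions that would arrive silently (same group already granted, or Internet access) from those that would still trigger a prompt. The group table is an assumption built only from the groups listed in this article, and the two dumps are constructed samples in the style of `aapt dump permissions` output.

```python
import re

# Assumed mapping, limited to the groups this article lists; it is not the
# Play Store's complete table.
GROUPS = {
    "Location": {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"},
    "SMS": {"RECEIVE_SMS", "READ_SMS", "SEND_SMS"},
    "Phone": {"READ_CALL_LOG", "CALL_PHONE", "PROCESS_OUTGOING_CALLS"},
    "Photos/Media/Files": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
                           "MOUNT_FORMAT_FILESYSTEMS"},
    "Camera/Microphone": {"CAMERA", "RECORD_AUDIO"},
}
ALWAYS_SILENT = {"INTERNET"}  # no longer shown to the user at install time

# Accepts both "uses-permission: android.permission.X" and the newer
# "uses-permission: name='android.permission.X'" line formats.
PERM_RE = re.compile(r"uses-permission:\s*(?:name=')?android\.permission\.(\w+)")

def parse_permissions(dump):
    return set(PERM_RE.findall(dump))

def group_of(perm):
    return next((g for g, members in GROUPS.items() if perm in members), None)

def audit_update(old_dump, new_dump):
    """Classify permissions added between two versions of the same app."""
    old, new = parse_permissions(old_dump), parse_permissions(new_dump)
    granted_groups = {group_of(p) for p in old} - {None}
    report = {"silent": [], "prompted": [], "unmapped": []}
    for perm in sorted(new - old):
        group = group_of(perm)
        if perm in ALWAYS_SILENT:
            report["silent"].append((perm, "Internet"))
        elif group is None:
            report["unmapped"].append(perm)  # not in the table: review by hand
        elif group in granted_groups:
            report["silent"].append((perm, group))  # group already accepted
        else:
            report["prompted"].append((perm, group))  # new group, user is asked
    return report

# Constructed sample dumps for a hypothetical app, com.example.notes.
OLD_DUMP = """package: com.example.notes
uses-permission: android.permission.RECEIVE_SMS
uses-permission: android.permission.ACCESS_COARSE_LOCATION
uses-permission: android.permission.CAMERA"""
NEW_DUMP = OLD_DUMP + """
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CALL_LOG'"""

if __name__ == "__main__":
    for bucket, items in audit_update(OLD_DUMP, NEW_DUMP).items():
        print(bucket, items)
```

Anything in the `silent` bucket is what an automatic update could add without the user seeing a new prompt under the behaviour this article describes.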

Sure, most apps need Internet access these days, but not all of them. You may want to use a live wallpaper, flashlight, or keyboard app without giving it Internet access. In fact, one of the security features for third-party keyboards in Apple's iOS 8 is that those keyboards can't access the Internet unless you specifically allow them to. All keyboards on Android can now access the Internet.

Android App Permissions Were Broken, Anyway

Android's app permission system was already broken. It's less of a permission system and more of a demand system. An app declares the features it requires, and you can take it or leave it. You can't choose to give an app some permissions but not others. Android actually had a built-in permission manager that was being worked on, but Google removed it. Now only people who root their devices and use the Xposed Framework to regain the App Ops feature, or who install custom ROMs like CyanogenMod, can manage app permissions. Typical Android users are left powerless.

Much of Android's app permission system has just been made meaningless. Why even bother having a fine-grained permission system where developers have to request access to the Internet and to individual permissions like "read SMS messages"? Google might as well redo Android app permissions entirely and make apps request access to groups of permissions instead. At least they wouldn't be giving us a false sense of security!

Related: How to Restore Access to App Ops in Android 4.4.2+

And all the while, Apple's iOS has a functional permission system that gives users control.

No, this isn't an assault on Android from an Apple fanboy. I love Android and use a Nexus 4 as a smartphone, but I believe in giving users power. Android users should be able to choose which apps can send SMS messages or whether camera apps can record audio. Now, not only can we not control permissions without rooting or installing a custom ROM, the new permission system gives us even less power.


Thanks to iamtubeman on Reddit for exploring this important issue and testing it. Google's explanation of Android's new simplified app permissions can be found here.