Permissions Bug Allowing Unauthorized Access to SD Card Storage and Phone State?

In the wake of talk of trojan Android applications and apps with permissions that could only mean malicious intent, a rather precarious situation has arisen. In what developer Brenton Klik is calling a permissions bug, apps that are designed to install on both the phone’s internal storage and onto the SD card may be authorizing additional permissions beyond what the user agrees to upon installation. The problem came to Klik’s attention when he received the following comment on his flashlight application:

“This download page only indicates that the app uses System Tools, but the Applications menu says it requires access to make phone calls. Uninstalled.”

Now, what the user is referring to is the application’s request for permission to prevent the phone from sleeping. This is the only permission shown when the app is installed from the Android Market; however, when the user navigated over to the application’s info page after installation, two additional permissions were spotted, permissions that were not expressly granted.

The first was permission to modify/delete contents of the SD card. Klik is correct in assuming this permission exists to allow users to move the app between phone storage and the SD card, but the fact that the wording of the permission is so broad leaves room for concern. The second unauthorized permission allows the app to “read phone state and identify,” which is slightly less disconcerting.

The fact remains that even if these permissions are granted without malicious intent and/or have no ability to really muck things up on your phone, they are permissions that the user is not asked to grant when installing the app. In a world of security concerns, and with the amount of personal data we carry on our phones, the ease with which unknown permissions are granted doesn’t leave you feeling easy.

Then comes the ominous question posited by Mr. Klik: “If I’m gaining storage permission in this way, could I write an application that secretly or maliciously augments SD card data without the users [sic] knowledge?”

[via Flash the Brain]
