Android Application Safety

Android is a Linux-based mobile "smartphone" operating system. Android(tm) was designed with security in mind, and almost all of the important functions of the system are protected by layers of defense. Applications installed on the system declare which features and functions they need or wish to access via a Manifest: a declaration written by the developer of the app that cannot be changed during the lifetime of the application package installed on the Android(tm) device. Newer versions of the app can modify the Manifest, but when the app is updated, the system asks the user to allow the change. The Manifest contains important information about the app, but Permissions are by far the most important part.

Permissions are a declaration of which sensitive data and parts of the system the app being installed is going to access. Some examples of Android permissions:

ACCESS_FINE_LOCATION - access GPS location.

CALL_PHONE - place calls.

CAMERA - access the camera.

SEND_SMS - send SMS messages.

INTERNET - access the web.

The full list is available at: http://developer.android.com/reference/android/Manifest.permission.html

When installing an app, the market or other installer asks the user to confirm the permissions the app requests.

Reading these carefully and understanding the implications of the permissions can help the user avoid many of the dangers of using a smartphone. For instance:

The SEND_SMS permission can allow the app to send SMS messages from the phone to premium numbers, costing the user money.

CALL_PHONE can allow the app to make phone calls and cost the user money in the same way.

ACCESS_FINE_LOCATION + INTERNET can allow the app to track the user's location and, in the best-case scenario, sell the information to advertising companies for targeted ads or, in the worst case, actively snoop on the user.

Oren barAd

Oren barAd, working at Droidsecurity for 1 year as a Developer and Researcher focusing on mobile security. Part-time hacker and hardware/gadget enthusiast.

READ_SMS, READ_CALL_LOG, READ_LOGS - these permissions can be used to access the user's calls, SMS messages and more. Combined with INTERNET, they can be used to snoop on the user or steal his data. The gsf.READ_GSERVICES permission is especially dangerous, as it is the basic permission that the "Angry Birds bonus level" proof-of-concept malware used to install more apps silently in the background. Google has already fixed the problem, but the issue can still affect older phones. Never install an app that requests this permission. A notable exception to this rule is the AppBrain app.

However, apps by reputable developers that need these permissions to do their work can be installed with no problem:
ChompSMS needs access to SEND_SMS to work, Facebook apps need access to the Internet, and an alternative dialer program can be allowed to dial the phone. When an app that looks like a game or a video player asks for SEND_SMS, you should not install it, and you should notify someone about it: us at DroidSecurity.com, Google, or the market comments.
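
The permission checks described above can also be run automatically over an app's Manifest. The following is an added example, not code from the original article or from DroidSecurity: it assumes the Manifest is available as plain-text XML (inside an installed package it is stored in a binary form and must be decoded first), and the function names, rule wording and sample Manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Rules taken from the article: every permission in the set must be requested.
RULES = [
    ({"SEND_SMS"}, "can send SMS to premium numbers"),
    ({"CALL_PHONE"}, "can place calls that cost money"),
    ({"ACCESS_FINE_LOCATION", "INTERNET"}, "can track location and upload it"),
    ({"READ_SMS", "INTERNET"}, "can read SMS and upload them"),
    ({"READ_CALL_LOG", "INTERNET"}, "can read the call log and upload it"),
    ({"READ_LOGS", "INTERNET"}, "can read system logs and upload them"),
    ({"READ_GSERVICES"}, "permission the article says to refuse"),
]

def requested_permissions(manifest_xml):
    """Return the short names (text after the last dot) of all <uses-permission> entries."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name:
            names.add(name.rsplit(".", 1)[-1])
    return names

def review(manifest_xml):
    """Return (permissions, reason) for every rule the Manifest matches."""
    perms = requested_permissions(manifest_xml)
    return [(sorted(needed), why) for needed, why in RULES if needed <= perms]

# Constructed sample: a "video player" that asks for far more than it needs.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission
      android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"/>
</manifest>"""

if __name__ == "__main__":
    for perms, why in review(SAMPLE):
        print(" + ".join(perms), "->", why)
```

A match is a prompt to ask whether the app's purpose justifies the permission, as with the SMS and dialer apps mentioned above, not a verdict that the app is malicious.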

Remember that the mobile phone is the closest thing to you after your family: it goes with you everywhere and it contains most of your personal, private and revealing information! Always check the permissions before installing a new app or game.

Have fun with your Android phones!