tags:

views:

113

answers:

2
+5  Q: 

Implications of package permissions (All andorid developers invited to contribute)

Hi,

I was working on understanding what the implications of granting a package a particular permission are. To my utter disbelief I could not find any material which would answer the questions satisfactorily.

1.) What permissions are reserved to be used by whom?

2.) What level of effect does granting a permission to an application have, in security aspects.

3.) What kind of permission does a user need to beware of and understand completely what the repercussion might be (at install time.)

4.) How to identify when an application is misusing a permission granted to it?

I hope with a series of example programs and bits and pieces of documentation we can organize a clear working model for permission on android. I hope people would paste code for relevant examples in an attempt to understand this and help us develop better applications as well as develop user understanding on how secure they are.

thanks Shouvik

EDITED:What I eventually intend to achieve out of this discussion is that when I cluster a group of permissions, I should be able to get a concise picture of what my application will be capable of doing to my data. I then should be able to weigh those risks with the application installed and determine if its worth the risk. Please note, I am not here to suggest that all apps request perms for malicious use! I am here for that 0.1% of apps which might do it with that intent! =)

Don't take my word for it. Here is a link I came across in the discussion group which puts my idea into a clear perspective. http://groups.google.com/group/android-developers/browse_thread/thread/88b69b590c4d1482/d4bfb0e544d8a3a9?lnk=gst&q=permissions#d4bfb0e544d8a3a9

+3  A: 

1) There is a list of permissions (List) a developer can request for his application. Also look at: Security and Permissions

2) If a user installs the application and allows the permissions the application asks for, the application is allowed to do access certain parts of the android system. (for instance, if a application asks the READ_CONTACTS-permission and you grant it, the application can read the contacts from your phonebook, ...)

3) It depends on you feeling concerning security and the trustworthiness of the application you install. If you don't trust the developer of an application, you shouldn't install it. If an application asks for rights you don't think it really needs, don't install it. (If a simple "ToDo List" app asks permission to make outgoing calls ...)

Which one you should be aware of is a BIG topic - the link under 1) describes the permissions and what an application can do with it - should be a start ...

4) If you grant a permission the application can use it and you can't control in which way it's used. (if you grant GPS, you can't know whether it's updating the status only if you want to or if it's updating every second ...

I don't have enough time at the moment, but maybe I write a little article about this topic on the weekend.

qedejavu  2010-08-05 11:43:33
My very first question is actually not answer by the documentation. I have read it quite throughly now, and a couple of time. I have looked at the security aspects, but that is not whats of concern to me. What i intend to find out is what combinations of permissions is enough to lead a user to unwittingly let an application steal data. Its not completely un-necessary for an application to request those list of permissions but then if it does, it should have a good reason to!Mostly I am bothered with the lack of indepth explanation of each one of the permissions.
Shouvik  2010-08-05 12:25:19
Shouvik... Android treats everyone as adults... both developers and users. It is the responsibility of the user to install applications from trusted sources only... it is the responsibility of the developer (who agreed to this in the terms of service) to not produce malware.
androidworkz  2010-08-05 12:48:02
@androidworkz I agree completely. Please don't take it personally, but how about having it all well documented. Its the whole point of an open source program right? And I again would like to insist this is solely for the purpose of increasing awareness. Its not targeted at anyone, and a handy tool that could be used by everyone!
Shouvik  2010-08-05 12:53:29
+2  A: 

Here is a link I found something that offers a little more than the documentation. Its not much but its a start. Please feel free to pour in your inputs too!

Edit1: So I carried out this little experiment to find out which permissions are not accessible to me as a third party developer. (Pretty dumb of me not to try this earlier, but here is the list FWIW.)

Shouvik  2010-08-06 09:30:47

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security