Whoah! How many Google Play apps want to read your texts?

Google's app permissions far too lax – security firm survey

A security firm has criticised Android's all-or-nothing permission approach, arguing it unnecessarily creates extra privacy risks for businesses and consumers.

Users are obliged to accept an entire laundry list of requested permissions before they can download an Android app. Disagreement on any point means that the software package can't be downloaded.

Android permissions cannot be denied or granted after installation. An Android application declares the required permissions in its AndroidManifest.xml configuration file.

Cloud security firm Zscaler argues that users who get used to this model are likely to give permissions less scrutiny in favour of instant app gratification.

Zscaler analysed more than 75,000 apps from the Google Play store in order to find out the permissions that are commonly requested by the apps at the time of installation.

It found that more than two in three (68 per cent) of apps that request SMS permissions ask for the ability to send SMS messages. This factor could be playing into the hands of malware writers, according to Zscaler. "With most Android malware currently targeting premium SMS fraud, this is concerning, especially as users tend to indiscriminately accept requested permissions without scrutinising whether or not they’re truly needed," it warns.

In addition, around one in four (28 per cent) of apps with SMS permissions also request read SMS access. "This is somewhat unsettling as an increasing number of apps/services send codes via SMS for mobile banking or two factor authentication," Zscaler notes.

SMS-related permissions are far from the only sensitive control. Zscaler says that GPS, phone call, personal information, address book, and device information permissions are all potentially high risk. Zscaler's enterprise-focused tech provides granular control of user activity in web, email and mobile environments. So the security firm, which also markets anti-virus software, is talking up a risk its technology is designed to mitigate.

That said, Zscaler is far from alone in criticising the poor permission control natively offered with Android apps. Google has yet to respond to our request for comment on Zscaler's research. ®
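The kind of manifest survey described above can be sketched as follows. This is an added example, not Zscaler's tooling or part of the original article: it assumes each AndroidManifest.xml has already been decoded from the APK's binary form to text XML, the mapping of permission names to the article's risk categories is an assumption, and the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from the article's risk categories to Android permission names.
HIGH_RISK = {
    P + "SEND_SMS": "sms",
    P + "READ_SMS": "sms",
    P + "RECEIVE_SMS": "sms",
    P + "ACCESS_FINE_LOCATION": "gps",
    P + "CALL_PHONE": "phone call",
    P + "READ_CONTACTS": "address book",
    P + "READ_PHONE_STATE": "device information",
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries with no android:name

def high_risk_categories(manifest_xml):
    """Sorted list of high-risk categories one app requests."""
    perms = requested_permissions(manifest_xml)
    return sorted({HIGH_RISK[p] for p in perms if p in HIGH_RISK})

def sms_survey(manifests):
    """Among apps requesting any SMS permission, count send and read requests."""
    counts = Counter(sms_apps=0, send=0, read=0)
    for text in manifests:
        perms = requested_permissions(text)
        if any(HIGH_RISK.get(p) == "sms" for p in perms):
            counts["sms_apps"] += 1
            counts["send"] += (P + "SEND_SMS") in perms
            counts["read"] += (P + "READ_SMS") in perms
    return counts

def _manifest(*perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    body = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{body}</manifest>')

SAMPLES = [
    _manifest("SEND_SMS", "READ_SMS", "INTERNET"),
    _manifest("SEND_SMS", "ACCESS_FINE_LOCATION"),
    _manifest("RECEIVE_SMS", "READ_CONTACTS"),
    _manifest("INTERNET"),
]

if __name__ == "__main__":
    c = sms_survey(SAMPLES)
    print(f"{c['send']}/{c['sms_apps']} SMS apps can send, {c['read']} can read")
```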
