2

I have been using a Windows PC for many years now. Since Android has come to market, I have been very wary of installing apps that require unrelated permissions. Obvoiusly, these extra permissions could be used for malignant purposes, or they could just be used for troubleshooting... always hard to tell. However, I have never worried about this on Windows, which does not have an app store that lists permissions. Obviously, I am careful to scan all file types with a quality anti-virus before running, but I'm not sure the threats to the PC (in terms of trusting the software developer) are any different than the privacy threats of mobile developers. Most of the time I regard commercial software that I purchase or run for free as being developed by a company (although there are many lone developers out there as well). The creation of the app store has provided a means for me to see many strange names in the developer section, and I'm not sure who to trust. Yes, an app may have many thousands of good reviews, but who has reverse engineered these apps, reviewed their source code, or monitored them while they sit and run to see what they do when you go to sleep? Again, with the PC, I never worried about it "going through my contacts" (there were none), "accessing my camera" (there wasn't one), "accessing phone call records" (there were none), etc. So this part is a little different from PC to mobile in many cases. (Yes, I know many PCs have webcams, contacts, etc.) However, a malicious developer could have free reign of my PC if his code passed the AV.

I'm not sure if it is the permissions list provided by the App Store that is so disconcerting, and that I am just not use to it...

{END WALL OF TEXT}

...But my question is in light of all that was stated previously (disconcerting and free-ranging mobile app permissions), has anything really changed in terms of the reality of privacy and permissions as people move from PC to Mobile? Should we just click "install the app" because that is what we were doing anyways on the PC?

{BEGIN WALL OF TEXT}

Bonus Points: I know that there are researchers out there who look for malicious apps, but there selections seem to be random and the information is scattered across multiple research labs. Is there a database or source for security reviews on specific apps (other than the permisions listed in the App Store)?

*Please no comments such as "Quit whining" or "How can you expect to have so many apps available to you without also having so many developers with strange names?" or "You want your cake and to eat it too?"... I am trying to figure out how to live in this new world.

user58446
  • 553
  • 6
  • 14
  • 1
    A wall of text. Please put emphasis on your actual question. – Deer Hunter Dec 07 '14 at 08:52
  • Are you asking how you should decide whether or not to trust an app vendor? And if that has changed significantly since the desktop era? I'm afraid there's hardly a good objective generic answer to either question. It might help a bit if you could tell what threat model you're considering and what level of expertise and effort is available to make those decisions. – Steve Dodier-Lazaro Aug 06 '15 at 10:38
  • Possible duplicate of [Are smartphones at least as safe as "regular" computers for personal data?](http://security.stackexchange.com/questions/32507/are-smartphones-at-least-as-safe-as-regular-computers-for-personal-data) – WhiteWinterWolf Nov 04 '15 at 12:37

4 Answers4

1

I doubt there is an objective, provable answer. However, to your emphasized question

...has anything really changed in terms of the reality of privacy and permissions as people move from PC to Mobile?

the answer I propose is:

Yes! tl;dr - App store approval process should verify that an app does what it says and nothing more. Market forces mean data is sought after at alarming and intrusive rates, while the opportunity cost of not accepting permissions requests/EULA is the complete loss of access to that app's functionality (given that most competing apps ask for the same wide-ranging access).

You are not asking about malicious software per se nor are you asking about a general context of security concerns. You are asking about the general level of trust and privacy concerns from widely available "apps" and are relating those to previous incarnations of installed software on desktop PCs.

The paradigm of computing and business has changed since the days of PCs which were often disconnected from the internet. Additionally, the advent of "big data", machine learning, data mining etc. has changed the developers' and business owners' interest in data collection.

There is a significant value to collecting wide-ranging data from any and all devices either for personal consumption (e.g. internal business process improvement) and also for external sale. The justification for "free" apps is still similar to the age-old free install that changes your search engine and installs add-ons to your browser. The value from that modification was small and likely posed little privacy concerns for the user though. It certainly was a world away from dual camera, microphone, and contacts list access.

There are essentially two options for mobile - Google and Apple, and each has an app store that is (mostly or totally, respectively) the exclusive option for software. They expose numerous advertising APIs and the general climate, as you noticed, is toward requesting free-ranging permissions. Similar to the unavoidable and non-negotiable EULA there is no choice left but to accept or completely forgo the service. There are no viable alternative paradigms and if they are, they are marginalized in part because social media platforms and integration with these platforms is a major driver of revenue and relevance. Just look at the Playboy empire which succumbed to the content rules of social media and essentially abandoned their most significant market differentiation.

I suppose, perhaps, since the permissions are clearly stated and should be enforced via App store approval processes that it could be argued we are "safer" than the relatively unknown operations of applications, which, as stated in comments, essentially had free-reign once installed.

Dave
  • 442
  • 1
  • 3
  • 13
1

No.

You should not click install the app. The process I go by is quite simple:

  1. What is the app doing?
  2. What are the permissions?
  3. Is that permission really needed?

Now let's look at a simple example:

  • What is the app doing? Eg: Simple text editor.(Read/Write stuff from/to files)
  • What are the permissions?

Case 1:
Permissions: Read/Write files. Access microphone. I am tempted to accept this one. Although this one asks for microphone it might use it for text/to speech. If it does this it should mention it in the description. Even if it does that, it could still be spying on you. But none the less, the app might be innocent.

Case 2: Permissions: Read/Write files. Access microphone. Access contacts. Access network connection. This one would make me have second thoughts. As said before, the app should be a simple text editor. There's no need for a simple text editor to use contact and connect to the internet.

Bonus:
If you want to go really hardcore, what you should do is reverse engineer the application. Look at how those permissions are being used within the app. Where is my app connection to the internet. What is happening with that connection. where is the microphone invoked and where is the recorded sound going.

KyleMit
  • 119
  • 7
sir_k
  • 719
  • 6
  • 14
  • Yes, I understand all of this. If I didn't, I would be clicking "install app" and not asking this question. My problem is that I have not once come across a mobile app that did what I wanted and did not have permissions that reached outside (usually far outside) of its intended functionality. **NOT ONE APP** with sensibly limited permissions. As a result of my searches, I have come to the conclusion that this is a necessary evil of the game. Most cases are probably, I like to believe, a result of devs not removing debug code. Perhaps I need to design all my apps for myself... – user58446 Dec 08 '14 at 12:47
  • ...I was also careful about sources of PC software and scanning executables, however, PC software generally gets free reign once passing UAC. – user58446 Dec 08 '14 at 12:47
  • Just make a decision based on which of the other permissions have any sense behind them(some never do). As a solution you could try to restrict app permissions: http://www.howtogeek.com/115888/how-to-restrict-android-app-permissions/ – sir_k Dec 08 '14 at 13:16
  • Yes, permission denial was something I considered, but thought that it would be a seperate question. Example: In choosing an upgraded calculator app, I had to decide between access to internal/external storage and full network access. These were the best two apps (in terms of limited permissions) I could find. To your link: I was hoping to not have to root the phone, and for others this may not be an option. – user58446 Dec 08 '14 at 13:21
  • Have a look at this one:https://play.google.com/store/apps/details?id=com.ovmobile.appopslauncher It seems to be a shortcut to this: http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/ – sir_k Dec 08 '14 at 13:27
  • Also, my friend goes to school and as they (the schools) continue to try and push e-everything, they have to download and run both software and mobile apps provided by developers who the school chooses, not them. Sure, it's assumed the school investigates these manufacturers, but perhaps not as well as you would and what process do they use to investigate? Word of mouth? Is their final decision based on the cheapest provider? Probably. Futhermore, there are no alternatives for the students, and they cannot do all of the work in the class without downloading this software. – user58446 Dec 08 '14 at 13:29
0

No you should never click "install the app" if you don't know/trust the developer neither on mobile nor PC.

If you used to install everything on PC that's your problem, but you shouldn't do that because anything you install has full access to your data (worse, many installers require administrative privileges which means they get full access to your system, and may install whatever nasty rootkit they wish).

While reputed developers won't do too much damage (otherwise they risk legal trouble) they can still do bad stuff legally by stating what they do in a privacy policy nobody reads, and actually most adware/toolbars are legal because they have such privacy policies in place which you accept when you install it.

The full data access directive also applies for mobile, the only difference is that the app should clearly state what it will access in its manifest and that's what you see when prompted if you want to install it. The administrator access is a bit tricky to pull off since it isn't available by default on mobile platforms unless you root your Android phone or jailbreak your iOS device, in which case apps can also request superuser (root) access; on iOS it's already available by default for all software installed from Cydia (the app store equivalent for jailbreak apps/tweaks).

Moreover, on mobile you have a magic app called "browser" that can access many online services without putting your data at risk, I suggest you use it as much as possible rather than installing apps (having their app on your phone must be a hard-earned privilege for developers, not a right).

  • If I had time to reverse engineer all of the software I run, I would never get to use it. I am as careful as can be on a PC in terms of reading reviews, downloading from trusted sources and scanning for malware. However, these are functional reviews, not reverse engineering security reviews. Even professional reviewers only go over functionality. The point is, that mobile development has introduced quite a few new variables into mix, and I am wondering if anything has really changed from using a PC. I guess not. – user58446 Dec 08 '14 at 12:53
0

You should not install anything that you (YOURSELF) did not try to install. No exceptions, unless if you look it up and find it is needed or useful and comes from a reliable source.

For example you need to install winPCap to install Wireshark. When you are asked to install winPCap you go and type winPCap in a search engine to determine if Wireshark is dependent on winPCap for functionality.

In some applications the recommended additional software is not a dependency and you can skip the install.

For the record, these steps should be followed on all devices in which software or apps can be installed.

chrstphrmllr
  • 1
  • 2