Solving The Android Permissions And Malware Puzzle

There has been a spate of security reports recently about Android apps being malware or suspicious. Most of these were found baseless but at least one was indeed correct (e.g. The Russian Trojan app). We also know that Android has a very good security model but even then, the rest of the reports also makes one think and focus on why an apps requires the permissions that it states it needs?

We all MUST check the permissions that an app requires before installing it and then contemplate what particular feature of the app would require any mentioned permission. The problem here is two part. First is that the permissions can be cryptic. Now, I can understand most of these as I also develop Android apps but I’d fathom that a huge majority wouldn’t. A simple solution to this would be for Google to provide more details (and probably examples) for each permission. One can say that it is difficult and a UI nightmare to include too much of text into the limited space that the mobile screen gets. My suggestion here would be to keep the existing layout as it is, but when someone clicks on a requested permission, he be taken to a new page which describes the permission in detailed but simple words and also provides examples.

But this is just the first part of the current problem. The more important issue most apps are facing these days is “permission creep in”, i.e., they request for permissions they don’t really require. This could be because either they are just adding it to their manifest file mistakenly without using them or are taking a long route for solving a problem that should ideally have been solved in a much easier way without requiring excessive permissions. This permission creep in makes even legit apps look bad. e.g. There was this recent case of a wallpaper app which was crucified by mainstream media all over the world because of the permissions it was using and then it turned out to be just that the developer’s method to solve a particular problem (providing “favorites” and “recommended” features to users) was long-winded.This is quite common today in Android marketplace. e.g. I tried to install the hugely famous “Chomp SMS” app today and noticed that it requires my “location” as well. Pretty weird that an SMS app needs my location and when combined with the “Internet” permission that it requires as well, it made me go “hmmm” even though it is tried and tested by a huge number of people without issues. Then I realized that it might need the internet permission for ads (since I was downloading the free version) but still a bit doubtful about location, probably that is needed for ads targeting (especially because it wanted my coarse location only, i.e., cell-triangulation location by which it can easily identify my general region or country, which is all what is needed) but I’m still not sure. Even the Android Guru Mark Murphy has similar reservations about another popular app Evernote.

The solution? I think Google should make it mandatory for app publishers to explain in the market that why their app needs each of the permissions it requests. This should be¬†concisely explained to the user before installation and then the user-review feature of Android marketplace can take over to determine whether the explanation given is indeed satisfactory enough or not. This would, e.g., make it immediately clear to any potential Chomp SMS users why it needs the location. I’m sure this would lead to even more sales for the good and trusted apps as people like me who were skeptical of something can put their doubts to rest. At the same time, it would quickly push the russian trojan like apps down into the oblivion.

A side effect/benefit of this approach will also be that the app authors would look at the permissions that they use more cautiously and would probably try to weed out the unnecessary ones.

Another idea that I have in mind is more community based. I’m not sure if Google will implement the above idea or even if they do, would they make it mandatory since market already has almost a 100,000 apps without this info. BUT, if someone can take up the mantle of making a community site that documents, with the help of android users, the potential uses of all apps’ permissions and also raise flags on any app having a permission without any apparent need, this would become a boon to the Android users. AppBrain, are you listening? I think this would be a good addition to your already excellent service.

What are your ideas about solving the apps and permissions problems and removing the malware scare that looms upon us? Let me know in the comments..

See also