Asking way too much - Over-reaching permissions requirements in mobile apps

My Android phone, running Ice Cream Sandwich 4.0.3, warns me every time an application I've already installed wants different (likely more) permissions on my device.  Usually, this is followed by an inquisitive look, a deep sigh, and a grumble about yet another application developer who's either ignorantly or purposefully over-stepping their bounds on my device.  What happens next is both deplorable and predictable.

 

After a brief moment of outrage that my social media app now requests the ability to read the contents of my address book... I resign myself and click "I accept".  Before you condemn me for it, ask yourself how many times you've done that exact thing.  You've gotten outraged that an app requires access to some part of your device you're not comfortable giving ... then without really seeing another way forward you resign yourself, and accept and grumble.  Happens all day, every day ... hey at least we're paying attention enough to see the new permissions being asked for.  Most mobile device users would just click "I accept" without bothering to read the permissions change because they have no idea what it means ... now that is the really scary part.

 

Actually ...come to think of it, at least Android tells you what permissions that super-critical business app (Angry Birds?) is going to be empowered with, my Apple iOS 4.x device doesn't even bother offering those details.

 

Just as a side note, have you ever read Android's permissions model manifest entry? Wow... just wow.

 

Earlier, before I wrote up this post, my pal Tomasz Miklas, who's a security consultant out of the UK, posted this on Twitter:

 

[Image: Miklas Twitter post re Apple loose permissions]

 

From his Mac computer, an application called Xcode was asking to access his contacts.  By the way, from the Apple description page, this is what Xcode is described as:

 

"The Xcode developer tools package provides everything you need to create great applications for Mac, iPhone, and iPad."

 

Yup, seems perfectly legitimate for that application to be asking to access your contacts list ... wait, what?!

 

Cue the moral outrage!

 

Before everyone gets too crazed over this behavior by developers, let's remind ourselves why this happens, or rather, why it continues.  I am 101% confident that I'm not alone when I say there are 3 reasons that developers are pulling these types of stunts - one of them is us.  Allow me to explain.

 

  • Developers simply don't know better - This has got to be the primary reason this sort of madness happens.  This is also consequently the most benign reason, so I'll put this in the number 1 spot.  Presented with the endless array of options to make their application just work right and not having the ability, or time, or debugging skills to understand how to do it right, the developer simply overshoots the required permissions.  I dare you to tell me you've never seen this before anywhere else... think back to firewall troubleshooting when something critical was on the line.  When an application didn't work "through the firewall" we went port by port for a while but then eventually gave up and opened every port, right?  This behavior and outcome hasn't changed...and it likely won't in the near future.
  • Users don't care - Actually, maybe more accurately, users don't know they should care, so they don't.  If users simply made a stand against applications which demand more permissions than logic dictates, and did not install those applications, sloppy developers (or malicious ones?) wouldn't make the sales and may get the message.  If an app that had good security and proper permissions sold better than one that was lax and loose with its security/permissions needs, the developer may get the obvious hit... you think?
  • Malicious intent - let's assume this isn't one we can do anything about ...at least not by refusing to install it :)

 

So again, why do developers keep overstepping their boundaries and asking for way, way too many permissions on your mobile devices?  Because they can...and you're not going to do a **bleep** thing about it except complain on Twitter like Tomasz and me.
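
For developers in the "don't know better" camp, the same check the phone performs at update time can be run before release. The sketch below is an added example, not code from this post or from Android: it diffs the `uses-permission` entries of two decoded (text) `AndroidManifest.xml` files and lists newly added sensitive permissions nobody has signed off on. The manifests, the package name, the `SENSITIVE` subset and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative subset of Android permissions that guard personal data.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed sample manifests for a hypothetical app, before and after an update.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.social">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.social">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of permission names a text manifest declares."""
    # Assumes the manifest comes from your own source tree (trusted XML).
    root = ET.fromstring(manifest_xml)
    names = (el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission"))
    return {n.strip() for n in names if n}

def permission_creep(old_xml, new_xml):
    """Diff two manifest versions and flag sensitive additions."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "sensitive_added": sorted(added & SENSITIVE),
    }

def unapproved(report, approved):
    """Sensitive additions that no reviewer has signed off on."""
    return [p for p in report["sensitive_added"] if p not in approved]

if __name__ == "__main__":
    report = permission_creep(OLD_MANIFEST, NEW_MANIFEST)
    print(report)
    print("needs justification:", unapproved(report, approved=set()))
```

Run as a release gate, a non-empty `unapproved` list is the point at which someone has to explain why a social app needs the address book.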

Comments
Mark D Adams(anon) | ‎08-24-2012 09:38 AM

The Google app update mechanism is neat in that it puts apps that add new permissions into the manual update section. I have the same moment of outrage, but then because I "need" the app and its new features, there doesn't seem to be an alternative.

 

What would be nice is if we could still install or update the app without actually giving it all of the permissions that it requests, and just suffer some limited functionality.

 

Like you said, it's pointless to make a stand and refuse to install, because no one will notice the lone person in the crowd of sheeple. Especially since your refusal to install will just be seen by the developer as one of those difficult to support users that simply never updates.
