Android’s permissions model provides no protection against covert spyware
“Our application permissions model protects against this type of threat. When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a user’s phone number or sending an SMS. Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time.” (Source: First SMS-sending Android Trojan reported)
The above statement is only partially accurate and entirely misleading. Here’s why:
Let’s say someone offers an SMS application to receive, send and organize messages. It’s expected that the user will grant all necessary SMS permissions to the application. If the application has a hidden spyware component that transmits copies of all SMS messages to an unknown third party, how is the user ever going to know that this is happening? The permissions model offers no protection, because the spyware component is leveraging the permissions granted to the application.
How about if someone develops an application to access social media sites based on a phone’s contact list? The application is going to ask for permission to access the contact list and the Internet. The user is obviously going to grant the request. If a hidden spyware component transmits the contact list to a Website specified by the developer, how is the user going to know that this is happening? As with the SMS example, the permissions model offers no protection for this type of activity.
The only time the permissions model works is when the user understands what permissions the application is requesting AND the requested permissions fall outside the purpose of the application, such as when a calculator or stopwatch application requests permission to access the contact list, SMS or the Internet. Keep in mind, however, that a clever programmer can obfuscate his hidden intent by convincing a user that a feature requires certain permissions, which in a weird way make sense but are not necessary for the application to function. Is it possible for a programmer to social engineer acceptance of permissions? You bet!
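The limit described above, as an added example that is not part of the original post: a reviewer's check that compares the permissions declared in a manifest against what the app's stated purpose explains. The purpose baselines, package names and manifests are constructed for illustration; the check flags the calculator but returns the same result for an honest SMS client and for one that forwards copies.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed baseline (hypothetical): permissions each stated purpose explains.
EXPECTED = {
    "calculator": set(),
    "sms_client": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
    "social_contacts": {P + "READ_CONTACTS", P + "INTERNET"},
}

def manifest(package, perms):
    """Build a constructed, text-form AndroidManifest.xml for the demo."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def out_of_purpose(manifest_xml, category):
    """Permissions requested beyond what the stated purpose explains."""
    return sorted(requested_permissions(manifest_xml) - EXPECTED[category])

SMS_PERMS = ["READ_SMS", "RECEIVE_SMS", "SEND_SMS"]
# Constructed samples: (manifest, stated purpose). The two SMS clients differ
# only in code that is invisible here; their manifests are identical.
SAMPLES = {
    "calculator": (manifest("com.example.calc", ["READ_CONTACTS", "INTERNET"]), "calculator"),
    "sms_honest": (manifest("com.example.sms", SMS_PERMS), "sms_client"),
    "sms_forwards_copies": (manifest("com.example.sms2", SMS_PERMS), "sms_client"),
    "contacts_uploader": (manifest("com.example.social", ["READ_CONTACTS", "INTERNET"]), "social_contacts"),
}

def review(samples=SAMPLES):
    """Map each sample name to its out-of-purpose permissions."""
    return {name: out_of_purpose(xml, cat) for name, (xml, cat) in samples.items()}

if __name__ == "__main__":
    for name, extra in review().items():
        print(f"{name:20} {'FLAG: ' + ', '.join(extra) if extra else 'nothing to flag'}")
```

Telling the two SMS clients apart takes evidence the manifest does not carry, such as what the installed app actually sends and to whom.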
What people also need to consider is that the most devious of programmers could potentially implement their spyware component as a sleeper, so that it doesn’t activate for several days or weeks after installation. A sleeper could potentially avoid detection during the Android Market review process and by security researchers looking for signs of spyware activity in SMS and Internet traffic.
While Android gets an “A” for the operating system, process isolation and application-specific data storage, it doesn’t get a passing grade from me when it comes to claims that Android’s permissions model provides spyware protection.