[GRLUG] Android scare tactics article

Mike Williams knightperson at zuzax.com
Mon Nov 28 00:24:06 EST 2011


Yeah, the "request permissions on install" model is a good idea, just 
poorly implemented.

Surprisingly, another environment with a similar problem is Windows. One 
of the reasons Windows is so hard to secure is that so many programs 
will not run in a non-administrator account, tempting people to run as 
administrators. Vista tried to fix that with the first version of UAC, 
but the prompts popped up so often people disabled it. It's not that UAC 
was too sensitive; all the things programs were doing should have 
required user confirmation. I think Microsoft was hoping to pressure 
developers into better coding practices, but they relented and softened 
UAC for Windows 7. Quite a bit of malware can now install itself without 
triggering the "quieter" UAC settings.

On 11/28/2011 12:15 AM, Michael Mol wrote:
> The problem is that the permissions model is too coarse. "Read/write
> to the SD card" is necessary if you want the app to use more storage
> than your phone has built-in. "Unlimited network access" appears to
> mean "be able to open IP sockets". "Read phone state and identity" is
> necessary for more than it ought to be, too.
>
> The only app on my Android devices which doesn't require any special
> privileges? Frozen Bobble.
>
> On Sun, Nov 27, 2011 at 11:58 PM, Mike Williams <knightperson at zuzax.com> wrote:
>> The thing they don't mention, which I think is significant, is that most
>> legitimate apps "require" a lot more permissions than they really need. It
>> wouldn't surprise me if the only app I have on my phone that didn't insist
>> on both "unlimited Internet access" and "read/write SD card" is the one that
>> lets me use the camera flash LED as a flashlight! Users are used to allowing
>> a long list of permissions whenever they install much of anything, so that's
>> not much protection. Google Market's track record of avoiding malware might
>> be pretty good, but I don't like relying on it as the only line of defense
>> available.
>>

