Michael Schneider
Development of smart phones continues at an incredible speed, be it the operating system on the device or the myriad of apps available for it. Security was a central element of application development right from the get-go. A year ago, I analysed the permissions of the Top-500 Android apps in the Google Play Store. A year later, it’s time to repeat this analysis.
Compared to 2013, quite a number of things have changed over at the _Google Play Store_. Among these changes is the way permissions are presented to users. Last year, users saw a shortened list, and only if they actually spotted the link behind it could they view the remaining permissions the application needed. While there were 11 different permission groups last year, there are 27 of them this year. The permission group Mailbox was only used in free applications.
Said 27 permission groups are as follows.
Another thing that’s changed is the number of standard permission groups listed in the API Reference (API Level 19). As of March 2014, there are 31 groups; in 2013, there were only 30. Google has added a permission group for accessibility access.
The number of permissions that can be used by applications has also risen. In addition to the 130 documented permissions in 2013, there are 15 new ones as of March 2014. On top of that, developers can still define permissions of their own. This means that there are many more than 145 permissions in total.
The Google Play Store has more than one set of charts. In this analysis, I’ve had a look at the Top-500 paid applications as well as the Top-500 free applications. These lists and the corresponding data were extracted from the Store on Monday, March 3rd 2014, and analysed in the following days.
The graph titled All permissions used in free apps shows every permission group found in the Top-500 free applications. Compared to 2013, 15 new permission groups were added. The five most-used permissions are:
The following graph, titled Number of permissions per permission group, free apps, shows the various permissions per group. Leading there is System Tools with 24, followed by Your Accounts with 15 and Your Messages with 10 different permissions.
Eleven of these permissions were found in over 100 applications. The widest spread was found in two permissions from the group Network Communications: Full Network Access and View Network Connections. The third spot is held by the permission for accessing USB memory, titled Modify or Delete the Contents of your USB Storage. Of the other permissions, those concerning Network Communications as well as Find Accounts on the Device are remarkable in terms of security. Especially the latter: it allows the application to look at all the personal accounts you have set up under Settings/General/Accounts in Android KitKat.
Next, I had a look at the number of permissions requested, mapped to the number of applications. On average, 11 permissions are requested per application. Compared to 2013, I noticed a big difference regarding applications that request a lot of permissions. This year’s record-holder is an application that uses 50 permissions: an AntiVirus solution called AntiVirus Security – FREE, published by AVG Mobile. It also becomes apparent that only a few applications use a great number of permissions. This is evident in the graph below.
Just like the free applications, the Top-500 paid applications use 26 different permission groups. The five most-used ones are:
These charts mirror the top three from the top permissions in free apps. Leading is Network Communications, followed by System Tools and Affects Battery.
Analysing the permissions that are used in more than 100 applications, it becomes obvious that the paid apps once more mirror the free ones. There are 11 permissions that are used in more than 100 applications. Leading the field is again Full Network Access. Modify or Delete the Contents of Your USB Storage holds the #2 spot on this list, whereas it is #3 for the free applications. Finishing off the top three is Test Access to Protected Storage.
Mapping the number of permissions to the applications that use them, a similar pattern to last year’s emerges. Topping the list is AVG Mobile with the paid version of their AntiVirus solution, Mobile AntiVirus Security PRO.
Of general interest are applications that manage to function without requesting any permissions. When looking at the paid applications, it becomes apparent that these applications are often licensing keys that unlock the full potential of a free app. In the past year, I was able to identify quite a number of licensing keys or applications that handle donations, where the buyer submits a certain amount of money to the developers on purchase. However, this year a new category was added: Add-Ons.
There were 34 applications that don’t request any permissions. About a dozen of those had independent functionality. The majority, however, can be sorted into the following categories:
Most applications that don’t request any permission are licensing keys that activate the full version of a previously installed application.
The following table contains further permissions that are of note. However, they’re not notable because of their frequency but because of what they can do.
Permission | Description | Scenario | Frequency in paid apps | Frequency in free apps |
---|---|---|---|---|
Read Phone Status and Identity | Access phone number and device-ID (IMEI), the phone number of the call recipient and the calling state of the phone | Information gathering: Distinctive Identity and usage statistics as well as identity of call recipients | 175 | 270 |
Call Numbers Directly | Dial phone numbers without using the Android-Dialler and potentially without the knowledge of the user | Create additional costs, surveillance of phone calls | 23 | 29 |
Download Files without Notification | Downloading files using the download manager | Content, this includes malware, gets downloaded after the app’s installation | 1 | 4 |
Change System Settings | An app can adjust the system’s main settings according to its wishes | Weaken the system, disable services | 56 | 57 |
Change Network Settings and Traffic | An app can adjust the network settings as it sees fit. | Network traffic can be monitored or redirected. | 4 | 2 |
Look for Accounts on Device | The application can gather information about accounts that are not connected to the app. | Data mining | 113 | 199 |
Change Security Settings of the System | App is allowed to adjust security settings as it sees fit. | Weaken system security, prepare device for an attack | 2 | – |
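As an added example (not the article's code), the following Python script performs the kind of counting the article describes, but over constructed AndroidManifest snippets of fictitious apps rather than Play Store data: permissions per app, frequency per permission, the permission-free apps, and which apps request one of the permissions listed in the table. The mapping from the table's Play Store labels to the AndroidManifest permission constants is an assumption of this example.

```python
from collections import Counter
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping from the table's Play Store labels to manifest constants.
NOTABLE = {
    "android.permission.READ_PHONE_STATE": "Read Phone Status and Identity",
    "android.permission.CALL_PHONE": "Call Numbers Directly",
    "android.permission.WRITE_SETTINGS": "Change System Settings",
    "android.permission.GET_ACCOUNTS": "Look for Accounts on Device",
    "android.permission.WRITE_SECURE_SETTINGS": "Change Security Settings of the System",
}

def manifest(*perms):  # constructed minimal manifest declaring the given permissions
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            f"{uses}</manifest>")

# Constructed sample set of fictitious apps, standing in for the Top-500 data.
SAMPLE_APPS = {
    "flashlight": manifest("android.permission.INTERNET",
                           "android.permission.ACCESS_NETWORK_STATE",
                           "android.permission.CAMERA"),
    "dialer_helper": manifest("android.permission.INTERNET",
                              "android.permission.READ_PHONE_STATE",
                              "android.permission.CALL_PHONE"),
    "pro_key": manifest(),  # licensing key that only unlocks another app
    "sync_tool": manifest("android.permission.INTERNET",
                          "android.permission.GET_ACCOUNTS",
                          "android.permission.WRITE_SETTINGS"),
}

def parse_permissions(xml_text):
    """Permission names declared via <uses-permission> in a manifest."""
    root = ET.fromstring(xml_text)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def analyse(apps):
    """Frequency per permission, count per app, permission-free and flagged apps."""
    perms = {name: parse_permissions(xml) for name, xml in apps.items()}
    frequency = Counter(p for ps in perms.values() for p in ps)
    per_app = {name: len(ps) for name, ps in perms.items()}
    average = sum(per_app.values()) / len(per_app)
    no_permissions = sorted(name for name, n in per_app.items() if n == 0)
    # Apps requesting any permission from the table, reported with the table's labels.
    flagged = {name: sorted(NOTABLE[p] for p in ps if p in NOTABLE)
               for name, ps in perms.items() if ps.intersection(NOTABLE)}
    return {"frequency": frequency, "per_app": per_app, "average": average,
            "no_permissions": no_permissions, "flagged": flagged}
```

On real data the manifests would come from the APKs themselves (the Play Store only shows the grouped labels), so the flagged list is a review aid, not a verdict on an app.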
This past year, I confronted two developers and asked what their applications need the permissions for. Of course, and I knew this while writing the mail to the developers, they could give me a stock answer or even lie to me. One developer responded within a few days, the other one needed a bit more time, but after a month he replied, too. This year, I repeated this process. And as the deadline for this article passes, there’s no reply as of yet. I will update this article as soon as I hear back.
Browsing the Play Store, I noticed applications that list the permissions they use and request in the app’s description, together with information on what each permission is used for and why it’s requested. This is commendable and encouraged. Every app developer should consider doing this, seeing as it not only raises awareness and transparency, but also the amount of trust users can put into the app as well as the developer.
Over the course of a year, not only the Top-500 lists changed, but also the environment the applications operate in. New permissions have been created. When installing an application on a smart phone, only a subset of the permissions the application actually uses is displayed to the user. Compared to installation via the desktop browser, the smart phone at least permits the display of the description texts. This is something that Google should fix as soon as possible.
Users who install an application should do this by using the phone and not the desktop browser. This way, they have a way of checking the permissions that the application requests. Users should always perform this check. Should one or more permissions not line up with the application’s functionality, users are advised to be careful and seriously reconsider installing said application. And although some developers do not respond to user-submitted questions or take a very long time to do so, it is a smart idea to send them a few lines, asking for more information about the permissions.