Android Permissions – A Top-500 Analysis 2014

Android Permissions

A Top-500 Analysis 2014

Oliver Kunz
by Oliver Kunz
time to read: 14 minutes

Development of smart phones continues at an incredible speed. Be it the operating system on the device or the myriad of apps that are available for the devices. A central element right from the get-go when developing applications was security. A year ago, I analysed the permissions of the Top-500 Android Apps in the Google Play Store. A year later, it’s time to repeat this analysis.

An Overview

Compared to 2013, quite a number of things have changed over at the _Google Play Store_. Among these changes is the presentation of the permissions to users. Last year, a shortened list was visible to users and after that, should the user actually spot that link, the other permissions needed for the application could be looked at. While there were 11 different permission-groups last year, this year, there’s 27 of them. The permission group Mailbox was only used in free applications.

Said 27 permission groups are as follows.

  1. Network Communication
  2. System Tools
  3. Affects Battery
  4. Storage
  5. Phone Calls
  6. Your Applications Information
  7. Your Accounts
  8. Location
  9. Your Social Information
  10. Bluetooth
  11. Camera
  12. Your Messages
  13. Sync Settings
  14. Audio Settings
  15. Your Personal Information
  16. Microphone
  17. Development Tools
  18. Wallpaper
  19. Lock Screen
  20. Other Application UI
  21. Bookmarks and History
  22. Status Bar
  23. Read User Dictionary
  24. Write User Dictionary
  25. Alarm
  26. Clock
  27. Mailbox

Another thing that’s changed was the number of the standard permission groups listed in the API Reference (API Level 19). As of March 2014, there are 31 groups. In 2013, there were only 30. Google has added a permission group for accessibility access.

The number of permissions that can be used by applications has also risen. In addition to the 130 documented permissions in 2013, there are 15 new ones as of March 2014. In addition to that, developers can still add permissions at their own discretion. This means that there are much more than 145 permissions in total.

The Top-500

Google Play Store has more than one set of charts. In this analysis, I’ve had a look at the Top-500 paid applications as well was the Top-500 free applications. These lists and the corresponding data were extracted from the Store on Monday, March 3rd 2014, and analysed in the following days.

Free Apps

All permissions used in free apps - Click to enlarge

The graph titled All permissions used in free apps shows every permission group found in the Top-500 free applications. Compared to 2013, 15 new permission groups were added. The five most-used permissions are:

  1. Network Communications
  2. System Tools
  3. Affects Battery
  4. Your Accounts
  5. Storage

The following graph, titled Number of permissions per permission group, free apps, shows the various permissions per group. Leading there is System Tools with 24, followed by Your Accounts with 15 and Your Messages with 10 different permissions.

Number of permissions per permission group, free apps - Click to enlarge

Eleven of these permissions were found in over 100 applications. The biggest spread was found in two permissions from the group Network Communications. These are Full Network Access and View Network Connections. The third spot is held by the permission of accessing USB Memory, titled Modify or Delete the Contents of your USB Storage. Of the other applications, there ones concerning Network Communications as well as Find Accounts on the Device are remarkable in terms of security. Especially the latter: It allows the application to look at all your stored personal accounts that you’ve set up under Settings/General/Accounts in Android Version KitKat.

Popular permissions in free apps - Click to enlarge

Next, I had a look at the number of permissions requested, mapped to the number of applications. On average, there are 11 permissions requested per application. Compared to 2013, I noticed a big difference regarding applications that request a lot of permissions. Record-holder this year is an application that uses 50 permissions. This is an AntiVirus solution called AntiVirus Security – FREE) published by AVG Mobile. It also becomes apparent that there are only few applications that use a great number of permissions. This becomes evident in the graph below.

Number of permissions requested per application, free - Click to enlarge

Paid Apps

All permissions used in paid apps - Click to enlarge

Just like we can see in the free applications, the Top-500 paid applications have 26 different permission sets. The five most-used ones are:

  1. Network Communications
  2. System Tools
  3. Affects Battery
  4. Storage
  5. Phone Calls

These charts mirror the top three from the top permissions in free apps. Leading is Network Communications, followed by System Tools and Affects Battery.

Permissions per group, paid apps - Click to enlarge

Analysing the permissions that are used in more than 100 applications, it becomes obvious that the paid apps once more mirror the free ones. There are 11 permissions that are used in more than 100 applications. Leading the field is also Full Network Access. Modify or Delete the Contents of Your USB-Storage holds the #2 spot on this list, where it is on #3 when looking at the free applications. Finishing off the top three is Test Access to Protected Storage.

Popular permissions in paid apps - Click to enlarge

Mapping the number of permissions to the applications that use them, a similar pattern to the one from last year emerges. Topping off the list is AVG Mobile with the paid version of their AntiVirus solution – Mobile AntiVirus Security PRO.

Number of permissions requested per application, paid. - Click to enlarge

Of general interest are applications that manage to function without requesting any permissions. When looking at the paid applications, it becomes apparent that these applications are often licensing keys that unlock the full potential of a free app. In the past year, I was able to identify quite a number of licensing keys or applications that handle donations, where the buyer submits a certain amount of money to the developers on purchase. However, this year a new category was added: Add-Ons.

There were 34 applications that don’t request any permissions. About a dozen of those had independent functionality. The majority, however, can be sorted into the following categories:

Most applications that don’t request any permission are licensing keys and activate the full version or previously installed applications.

No permission requested, paid applications - Click to enlarge

Further Permissions in the Top-500

The following table contains further permissions that are of note. However, they’re not notable because of their frequency but because of what they can do.

Permission Description Scenario Frequency in paid apps Frequency in free apps
Read Phone Status and Identity Access phone number and device-ID (IMEI), the phone number of the call recipient and the calling state of the phone Information gathering: Distinctive Identity and usage statistics as well as identity of call recipients 175 270
Call Numbers Directly Dial phone numbers without using the Android-Dialler and potentially without the knowledge of the user Create additional costs, surveillance of phone calls 23 29
Download Files without Notification Downloading files using the download manager Content, this includes malware, gets downloaded after the app’s installation 1 4
Change System Settings An app can adjust the system’s main settings according to its wishes Weaken the system, disable services 56 57
Change Network Settings and Traffic An app can adjust the network settings as it sees fit. Network traffic can be monitored or redirected. 4 2
Look for Accounts on Device The application can gather information about accounts that are not connected to the app. Data mining 113 199
Change Security Settings of the System App is allowed to adjust security settings as it sees fit. Weaken system security, prepare device for an attack 2

Confronting Two developers

This past year, I confronted two developers and asked what their applications need the permissions for. Of course, and I knew this while writing the mail to the developers, they could give me a stock answer or even lie to me. One developer responded within a few days, the other one needed a bit more time, but after a month he replied, too. This year, I repeated this process. And as the deadline for this article passes, there’s no reply as of yet. I will update this article as soon as I hear back.

Browsing the Play Store I noticed applications that list the permissions they use and request in the app’s description. And in that list, there’s information what the permission is used for and why it’s requested. This is commendable and encouraged. Every app-developer should consider doing this, seeing as it not only raises awareness and transparency, but also the amount of trust users can put into the app as well as the developer.

Summary

Over the course of a year, not only the Top-500 lists changed, but also the environment the applications operate in. New permissions have been created. When installing the applications on smart phones, only part of the permissions that are actually used by the application is displayed to the user. Compared to the installation via desktop browser, the smart phone at least permits the display of the description texts. This is something that Google should fix as soon as possible.

Users who install an application should do this by using the phone and not the desktop browser. This way, they have a way of checking the permissions that the application requests. Users should always perform this check. Should one or more permissions not line up with the application’s functionality, users are advised to be careful and seriously reconsider installing said application. And although some developers do not respond to user-submitted questions or take a very long time to do so, it is a smart idea to send them a few lines, asking for more information about the permissions.

About the Author

Oliver Kunz

Oliver Kunz has been in information security since 2010. Mainly, he deals with incident response, forensics and the security of mobile devices.

Links

You want to test the strength of your enterprise regarding malware attacks?

Our experts will get in contact with you!

×
Passwordless Authentication

Passwordless Authentication

Tomaso Vasella

Data Markets

Data Markets

Marc Ruef

Transport Layer Security

Transport Layer Security

Andrea Hauser

Diversify AI

Diversify AI

Marisa Tschopp

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here