The latest update of the Android Play Store brought with it some sweeping changes on the permissions side of things that managed to slide under the radar for the most part. App permissions will now be grouped into permissions groups, which makes it relatively easier for users to see what kind of information and capabilities an app can access on their device. So far so good? An unfortunate caveat of this change is that with an application update, new permissions from a group can be requested without requiring approval from users.
It’s a good idea to review permissions groups before downloading an app. Once you’ve allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted.
(Source – Google)
The issue was first spotted by Android developer Senior Ninja Publishing, and the explanation is quite simple. If a user approves a permission group that allows the application to read text messages, it is now a trivial task for developers to update the application and add the ability to send text messages as well, without requiring additional approval from the user.
- Permissions are now grouped. Users can approve one to approve all of them.
- Common permissions can be used to hide potentially dangerous ones.
- The right to deny access to internet connectivity to an application has been removed.
It doesn’t take much to put two and two together and realize how this can be used for nefarious activities. Things get murkier still because the requirement for applications to ask permission for accessing the internet has been removed, as it is now deemed an essential feature.
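One way to audit for this, as an added example that is not from the original article or from Google: the sketch below diffs the permissions declared by two versions of an app and flags additions that land inside a group the user has already accepted. The group table is a constructed, partial mapping, `group_of` and `audit_update` are hypothetical helper names, and it assumes that a permission from a not-yet-accepted group still triggers a prompt.

```python
# Constructed, partial mapping of permissions to groups (illustrative only).
GROUPS = {
    "SMS": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "Location": {"android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_FINE_LOCATION"},
    "Contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
}
# Per the article, internet access no longer requires approval at all.
NEVER_PROMPTED = {"android.permission.INTERNET"}


def group_of(permission):
    """Return the group name for a permission, or None if unmapped."""
    for name, members in GROUPS.items():
        if permission in members:
            return name
    return None


def audit_update(old_perms, new_perms):
    """Classify the permissions an update adds (hypothetical helper)."""
    old_perms, new_perms = set(old_perms), set(new_perms)
    approved = {group_of(p) for p in old_perms} - {None}
    result = {"silent": [], "prompted": [], "unmapped": []}
    for perm in sorted(new_perms - old_perms):
        group = group_of(perm)
        if perm in NEVER_PROMPTED or group in approved:
            result["silent"].append((perm, group))
        elif group is None:
            result["unmapped"].append((perm, None))
        else:
            # Assumption: a not-yet-accepted group still triggers a prompt.
            result["prompted"].append((perm, group))
    return result


# Constructed sample: v1 only reads SMS; v2 adds sending, internet, location.
V1 = ["android.permission.READ_SMS"]
V2 = V1 + ["android.permission.SEND_SMS", "android.permission.INTERNET",
           "android.permission.ACCESS_FINE_LOCATION"]

if __name__ == "__main__":
    for kind, items in audit_update(V1, V2).items():
        print(kind, items)
```

Anything reported under `silent` is a capability the update gains without the user seeing a new approval prompt, which is the case worth reviewing by hand.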
There’s not much that an average end user can do to get around these changes. CyanogenMod’s Privacy Guard and the XPrivacy module are available for rooted users, but unrooted users are more or less left without an option. While the update makes installing applications and reviewing permissions more accessible for the average user, it is a step backwards in the overall scheme of things. What do you think about Google’s move to bundle permissions into groups?
[Relevant Links: Google, Stefan Gofferje, Reddit]