Security warning: Android Play store does not ask if apps want new permissions on update

Submitted by Stefan Gofferje on Sat, 05/31/2014 - 09:06

The German IT news service heise online reports on a dangerous change that comes with the update of Google's Android app store "Play". According to heise, after the update, app permissions will be organized in groups, and an app can request new permissions from a permission group for which it already has permission, without additional user approval. Until now, users have had to explicitly approve every newly requested permission on update.

Heise describes a number of examples. An app which has asked for group permissions to read contacts could later silently gain permission to, e.g., add or even change calendar entries. Or an app which originally only had permission to read the call log could suddenly gain permission to initiate phone calls without the user's knowledge or approval.

Additionally, Google has completely removed the need for apps to ask permission to connect to the internet because "nowadays apps pretty much always do that".
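To audit an app update under this model, the following added example (not from heise or Google) diffs the permissions of two app versions and sorts the newly requested ones by whether the user would still see a prompt. The group table and its labels are assumptions built only from the two examples above, not Google's actual grouping, and the sample permission lists are constructed.

```python
# Added example: classify permissions newly requested by an app update
# under the grouped-approval model described in the article.

# ASSUMPTION: membership is derived only from the article's two examples
# (contacts -> calendar, call log -> phone calls). The group labels are
# hypothetical and this is not Google's real group table.
PERMISSION_GROUPS = {
    "android.permission.READ_CONTACTS": "contacts_calendar",
    "android.permission.READ_CALENDAR": "contacts_calendar",
    "android.permission.WRITE_CALENDAR": "contacts_calendar",
    "android.permission.READ_CALL_LOG": "phone",
    "android.permission.CALL_PHONE": "phone",
}

# Per the article, internet access no longer needs any approval.
NEVER_PROMPTED = {"android.permission.INTERNET"}


def classify_update(old_perms, new_perms):
    """Bucket the permissions added between two versions of an app.

    silent   - granted on update without the user being asked
    prompted - belongs to a group the user has not approved yet
    unmapped - not in the group table; needs manual review
    """
    old, new = set(old_perms), set(new_perms)
    approved_groups = {PERMISSION_GROUPS[p] for p in old if p in PERMISSION_GROUPS}
    report = {"silent": [], "prompted": [], "unmapped": []}
    for perm in sorted(new - old):
        group = PERMISSION_GROUPS.get(perm)
        if perm in NEVER_PROMPTED or group in approved_groups:
            report["silent"].append(perm)
        elif group is None:
            report["unmapped"].append(perm)
        else:
            report["prompted"].append(perm)
    return report


# Constructed sample: version 1 only reads contacts, version 2 asks for more.
OLD = ["android.permission.READ_CONTACTS"]
NEW = OLD + [
    "android.permission.WRITE_CALENDAR",  # same group as READ_CONTACTS
    "android.permission.CALL_PHONE",      # group not approved in version 1
    "android.permission.INTERNET",        # never prompted
    "android.permission.CAMERA",          # not covered by the table above
]

if __name__ == "__main__":
    for bucket, perms in classify_update(OLD, NEW).items():
        print(f"{bucket}: {perms}")
```

The permission lists for a real comparison can be taken from each version's `AndroidManifest.xml`.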

These changes have massive and serious device security and privacy implications! I strongly recommend that users not approve this update of the Play store app! Additionally, using 3rd-party ROMs, like CyanogenMod with its integrated privacy protection functions, is strongly recommended.