Google needs to rethink permissions, a proposed solution

There has been a number of reports of trojans and malware embedded in what seem to be legitimate android applications. Applications such as the one described in this link, will appear to do the task that it was installed for, while performing another more sinister task.

While such malware is common on unofficial android app stores, they can also be found on the official Google Play app store. So what can you do to stop such malware from infecting your phone.

Virus Protection Apps

Well the most common choice is a virus protection program. While they may be good at detecting and removing viruses, they are not fool proof, see this report (link). The more preventive choice would to not install applications in the first place. While this may be an obvious statement, it is not practical, especially since one of the benefits of a smartphone is the ability to enhance it with new applications.

Application Review

Another approach, would be for Google to go the iTunes route of verifying each application, before becoming available to the public. However, this delays application release, which is not good if your release is an update for an important bug fix. Instead Google, being Google, implemented an automated verification service called Bouncer. This service runs on Google servers, so users are oblivious to it. Bouncer, however is new and probably not fool proof either yet.

Current Permissions System

Another system that Google have in place is the permissions system. In this, each application that needs to access resources, needs to indicate this intent in a file that is part of the application. When a user installs the application from the app store, the file is read, and each permission that the application requires is displayed prior downloading the application.


Proposal for New Permissions System

In an ideal world the user would read the permissions and decide, for example, if the wallpaper app really needs access to contacts list. However, most users skip the permissions are being displayed out of ignorance or a rush to download the app.

The problem with the permissions page is that permissions that do not seem that important are displayed in the same format as ones that do. For example, a video streamer may require permissions to access the Internet, access to local storage, and a number of other permissions, all required for the application, legitimately. However, it may also ask for access to your contacts, hoping that users will miss this request amongst the other permission requests.

What needs to be done is to emphasize the permission in some way, such as making the text bold and colored differently. That would be one way of alerting the user, but another step, such as aa dialog, would be much better. It would only highlight the permissions for that can be used for viruses, such as personal information access rights.

However, in some cases it may not be obvious to the user why the developer has innocently asked for a particular permission, and the application may be rejected by the user. For example, a calculator app may require internet access permissions to display advertising. So another good enhancement would be to tell the user why a particular permission is required. So developers will also need to supply a reason why each permission is needed, and be displayed to the user.


Since, Android users vary from complete beginners to smartphones, to experienced highly technical ones, this feature should be configurable. That is, it can be turned off completely, have different levels (high, medium, low), or more granular control where alerts could be set individually for each permission.



So by changing the installation process in such a way, users are alerted on what vulnerable permissions the application is trying to access, have information on why the application needs to use the resource, and therefore they can make a more informed decision before going ahead and installing the application.