Matthew Garrett ([personal profile] mjg59) wrote2017-01-22 11:41 pm
Entry tags:

Android permissions and hypocrisy

I wrote a piece a few days ago about how the Meitu app asked for a bunch of permissions in ways that might concern people, but which were not actually any worse than many other apps. The fact that Android makes it so easy for apps to obtain data that's personally identifiable is of concern, but in the absence of another stable device identifier this is the sort of thing that capitalism is inherently going to end up making use of. Fundamentally, this is Google's problem to fix.

Around the same time, Kaspersky, the Russian anti-virus company, wrote a blog post that warned people about this specific app. It was framed somewhat misleadingly - "reading, deleting and modifying the data in your phone's memory" would probably be interpreted by most people as something other than "the ability to modify data on your phone's external storage", although it ends with some reasonable advice that users should ask why an app requires some permissions.

So, to that end, here are the permissions that Kaspersky request on Android:
  • android.permission.READ_CONTACTS
  • android.permission.WRITE_CONTACTS
  • android.permission.READ_SMS
  • android.permission.WRITE_SMS
  • android.permission.READ_PHONE_STATE
  • android.permission.CALL_PHONE
  • android.permission.SEND_SMS
  • android.permission.RECEIVE_SMS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.WAKE_LOCK
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.SUBSCRIBED_FEEDS_READ
  • android.permission.READ_SYNC_SETTINGS
  • android.permission.WRITE_SYNC_SETTINGS
  • android.permission.WRITE_SETTINGS
  • android.permission.INTERNET
  • android.permission.ACCESS_COARSE_LOCATION
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.READ_CALL_LOG
  • android.permission.WRITE_CALL_LOG
  • android.permission.RECORD_AUDIO
  • android.permission.SET_PREFERRED_APPLICATIONS
  • android.permission.WRITE_APN_SETTINGS
  • android.permission.READ_CALENDAR
  • android.permission.WRITE_CALENDAR
  • android.permission.KILL_BACKGROUND_PROCESSES
  • android.permission.RESTART_PACKAGES
  • android.permission.MANAGE_ACCOUNTS
  • android.permission.GET_ACCOUNTS
  • android.permission.MODIFY_PHONE_STATE
  • android.permission.CHANGE_NETWORK_STATE
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.ACCESS_WIFI_STATE
  • android.permission.CHANGE_WIFI_STATE
  • android.permission.VIBRATE
  • android.permission.READ_LOGS
  • android.permission.GET_TASKS
  • android.permission.EXPAND_STATUS_BAR
  • android.permission.CAMERA
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.BATTERY_STATS
  • android.permission.MODIFY_AUDIO_SETTINGS

Every single permission that Kaspersky mention Meitu having? They require it as well. And a lot more. Why does Kaspersky want the ability to record audio? Why does it want to be able to send SMSes? Why does it want to read my contacts? Why does it need my fine-grained location? Why is it able to modify my settings?

There's no reason to assume that they're being malicious here. The reasons that these permissions exist at all is that there are legitimate reasons to use them, and Kaspersky may well have good reason to request them. But they don't explain that, and they do literally everything that their blog post criticises (including explicitly requesting the phone's IMEI). Why should we trust a Russian company more than a Chinese one?

The moral here isn't that Kaspersky are evil or that Meitu are virtuous. It's that talking about application permissions is difficult and we don't have the language to explain to users what our apps are doing and why they're doing it, and Google are still falling far short of where they should be in terms of making this transparent to users. But the other moral is that you shouldn't complain about the permissions an app requires when you're asking for even more of them because it just makes you look stupid and bad at your job.

It's a lost fight

(Anonymous) 2017-01-23 08:45 am (UTC)(link)
I don't think there is a way to fight that, if you use standard android phones with google play you are bound to have your privacy invaded, I do and I made peace with it, it's the sad state of the mobile world currently

Re: It's a lost fight

(Anonymous) 2017-01-23 09:55 am (UTC)(link)
Just curious, but how do you expect a vulnerability scanner to scan files that is does not have permission to?

Re: It's a lost fight

(Anonymous) 2017-01-23 10:07 am (UTC)(link)
The article does not criticise access to external storage but unrelated permissions.

Re: It's a lost fight

(Anonymous) 2017-01-23 12:21 pm (UTC)(link)
Access audio? Send SMS?

Did you even read the article?

Re: It's a lost fight

(Anonymous) 2017-01-23 08:19 pm (UTC)(link)
How do you expect it to scan conversations around you for unsafe words if it can't silently enable your microphone?

It can't keep you safe from yourself if it lets you disable critical permissions! /s

Re: It's a lost fight

(Anonymous) 2017-01-27 01:26 am (UTC)(link)
He's right, On a computer, antivirus applications have root (administrator) access. Rootkit scanners and firewalls may also have administrator or root level access. KSN or the Kaspersky Security Network which is suggested during install when you install any Kaspersky product in Microsoft Windows basically turns over everything about you, your computer, and hash of your files to Kaspersky.

Who do you trust the least? Microsoft, Kaspersky, Romainian antivirus, or the Government. Well, they all state inside the license agree they work with governments. In that respect, you are better off not using any of these products.

That's beside the point, many computers made in the past 10 years have a tracking chip which cannot be removed or is very difficult to remove. Smartphones themselves are tracking devices.

Open source code is no help, because everybody runs binaries and automated installers. I hate to say this but Redhat Enterprise is the likely the most secure environment - secure as you can get anyway and since it's commercial, someone can be held responsible in the court of law. That doesn't mean the government has not inserted a trojan horse which will activate when you run gpg.

Re: It's a lost fight

(Anonymous) 2017-05-25 10:39 am (UTC)(link)
I won this fight with XPrivacy (requires XPosed framework). 3C toolbox can also protect you (also requires XPosed fw).

Good points

(Anonymous) 2017-01-23 10:11 am (UTC)(link)
Your articles raises absolutely legitimate points of concern.

I wrote a similar article a few days ago at (apologies if it might seem spammy)

user agent

(Anonymous) 2017-01-23 11:34 am (UTC)(link)
The problem is not permissions, it's the trust you can put in software components, to behave on your behalf.

Assuming a trusted hardware platform (this is already a whole can of worm in itself), the user can only trust the software he wrote himself, or the software of which he has the sources, sources that are understandable, and that the user can compile with a trusted compiler.

Granted, every steps in this process are difficult, but there's no way out. Otherwise, you have to trust strangers such as Meitu or Kaspersky, and give them the key of your house!

Re: user agent

(Anonymous) 2017-01-23 06:17 pm (UTC)(link)
Or maybe you don't trust any of them which sounds like a sane choice.

// Artem S. Tashkinov


(Anonymous) 2017-01-23 02:44 pm (UTC)(link)
Why do we have to accept or reject all the permissions at once, and before installing the application?

Can't we instead let the application install and then, when it tries to access sensible information, Android should ask us if we want to allow that action? or to always allow/deny it?

If it's ok, everything is fine, else the developer have to handle it.

So when an application tries to access your contacts, you can reply: no you don't, never, thank you.

Even better in my opinion would be three choices, allow, deny, and give forged/fake information. I wouldn't mind making a fake contact list with some of my emails and see if i get spam after some application had access to it. Or giving gps information for another place, because that one application doesn't let you choose your location.

As for disk access, i'd like to jail an application to only one selected folder, and not letting everybody have a look at what's on my sdcard. For example, i'd like to lock VLC and MX Player to a Media folder and subfolders, and nothing else.

And disabling network access to some applications (without having to install no-root firewalls and such), that would be great too.

Re: Permissions

(Anonymous) 2017-01-23 03:43 pm (UTC)(link)
>Why do we have to accept or reject all the permissions at once, and before installing the application?

>Can't we instead let the application install and then, when it tries to access sensible information, Android should ask us if we want to allow that action? or to always allow/deny it?

Um.. that's exactly how it works since API 23 (Android 6 aka Marshmallow).

Re: Permissions

(Anonymous) 2017-01-23 06:15 pm (UTC)(link)
+ 1.

Re: Permissions

(Anonymous) 2017-01-26 07:54 pm (UTC)(link)
Ouch, i'm still using 4.0.1 :D

Re: Permissions

(Anonymous) 2017-01-27 07:30 pm (UTC)(link)
4.0.1 - API 14, October 19. Year 2011.

Just 5 years outdated...

(Anonymous) 2017-01-23 03:51 pm (UTC)(link)
>Why should we trust a Russian company more than a Chinese one?

Perhaps because one is requesting those permissions for an app applying watermarks, and the other for a mobile antivirus? You might realize there exists a certain slight difference between the two programs' functionality and, consequently, access required.

But don't mind me, "THE EVUL RUSKIES DID IT" is a perfect argument in and by itself, don't let anyone tell you it requires a logical justification.


(Anonymous) 2017-01-23 06:14 pm (UTC)(link)
The definition of "evil" is indeed moot in this context, but Kaspersky's connections to FSB, the K Department and Putin are well known in Russia.

I'm Russian and I don't trust Kaspersky at all. Never did and never will. Specially after they started MITM'ing all your SSL traffic and injecting dubious JS code roughly three years ago.

Good luck with Kaspersky though.

// Artem S. Tashkinov

to raise the issue

(Anonymous) 2017-01-23 05:37 pm (UTC)(link)
Hi, I was searching to post this, since I don't have the necessary expertise to fully check myself but if you have some time and curiosity check out the Mi Fit app ( ), I consider it even a greater threat to privacy than these 2, since it gather ALSO your health data from the xiaomi mi band 2. If you'd be interested to check, i would be even willing to buy you one, it's only 15dol

Let's be honest here

(Anonymous) 2017-01-23 06:10 pm (UTC)(link)
Kaspersky on your phone is a sort of malware and an app to siphon your personal data. They just pretend to be an AV product.

Android doesn't need one unless you install apps from sources other than Google Play. But then you're f*cked anyways because Kaspersky heuristics has never worked and never will work.

Hypocrisy is indeed brimming over here.

// Artem S. Tashkinov

(Anonymous) 2017-01-23 07:11 pm (UTC)(link)
> Every single permission that Kaspersky mention Meitu having?
> mention

I believe you meant "mentions".

Ah, differences in English

(Anonymous) 2017-02-01 10:15 am (UTC)(link)
Ah yes, I do believe that's a difference between the Queen's English and American--that is, the treatment of an organization as singular or plural.

(jzbiciak -- too lazy to create an account.)

Related articles & tools

(Anonymous) 2017-09-14 03:23 am (UTC)(link)
Kaspersky Secure Connection VPN service is free, but Android users aren't happy with the permissions it requires

Practice what you preach, Google

Permissions — “May I? May I? Pleaaaaase!”

Privacy tools:

App Ops
3C toolbox
Startup Manager
Appbrain Ad Detector
Xposed (Xprivacy)

Control your app permissions on Android 6.0 and up

How to manage Android app permissions

Control app permissions without root