Thursday 28 April 2011

Permissions Denied: tame apps that ask for too much


The Android Market is full of useful apps, but many of them ask for more permissions than you want to give them. Apps that work OK offline want internet access to download ads from banner farms that want to know your location. Some apps ask for permission to make phone calls or send out SMSs for no apparent reason. And do you really want apps that can read your contacts list to go online to nobody knows where?

Yajin Zhou and colleagues at North Carolina State University are making a permissions manager that will let you grant or deny permission to read your contacts, get your location, or track your phone by its unique device identifier, but...

...they've been beaten to it by Stericsson, the maker of Busybox. His app, Permissions Denied, lets you block each and every permission of each non-system app installed on your phone. Block their internet access, stop them from snooping in your contacts list, hide your location, prevent them from autostarting at boot, and much more.

Permissions Denied is free, but there's a donation version available if you want to buy the developer a beer.

Some apps may break when you take away their permissions, but that's no problem. Permissions Denied lets you restore permissions with a few taps.

Some minor things that I'd like to see fixed in the next version:

Permissions Denied lets you switch internet access on or off for an app, but only in an all-or-nothing way. It would be better if we could fine-tune this, for example by allowing internet access over WiFi but not over a mobile data connection. But it's not a big deal, because Permissions Denied can play together with apps like DroidWall and AdAway.

The program doesn't always work. Whether it works for you depends on your phone and firmware version. The only way to find out if it does the job for you is by trial and error.

Permissions can only be denied, not spoofed. Some apps break when they don't get the permissions they expect, so an option to spoof permissions (like giving an app a bogus location or contacts list) would be welcome.

And Permissions Denied won't let you edit permissions of system apps. This may stop you from making your system unbootable, but it also stops you from removing permissions for bloatware like MySpace, Facebook, and other non-essential stuff that may be preinstalled on your phone. Too bad, because I'd like to revoke the startup permissions of the totally useless weather widget service that Motorola slammed onto my phone.

Permissions Denied, DroidWall, and AdFree all require root access, but if you want to be in control of your phone you'll have rooted it anyway, right?

Permissions Denied in the Android Market
Permissions Denied on code.google.com

Wednesday 13 April 2011

Privacy Settings Manager: maybe we'll be able to control Android app permissions?


There's an Android Market full of apps that ask for way more permissions than they should. Apps that work OK offline want internet access to download ads from banner farms that want to know your location. Some apps ask for permission to make phone calls or send out SMSs for no apparent reason. And do you really want apps that can read your contacts list to go online to nobody knows where?

Unfortunately there's little you can do to control apps with too much of an appetite for permissions. You can keep 'em offline with DroidWall, you can block excessively nosy advertisers with AdFree, or you can simply choose not to install the app at all.

But it looks like we'll get more control. Yajin Zhou at North Carolina State University is making a permissions manager that will let you grant or deny permission to read your contacts, get your location, or track your phone by its unique device identifier. They named their baby "Taming Information-Stealing Smartphone Applications."

It doesn't look like their Privacy Settings Manager will get a built-in firewall, but we already have DroidWall for that.

The app is not available yet, and the authors didn't say when they would release the app and whether it will be free or commercial.

The Privacy Settings Manager is outlined in this paper: http://www.csc.ncsu.edu/faculty/jiang/pubs/TRUST11.pdf (pdf file, so you'll need Adobe Reader or another program that can read pdfs).

If you rooted your phone you can protect your privacy (and possibly your internet bill) with DroidWall and AdAway:

DroidWall
AdAway

UPDATE: Yajin Zhou has been beaten by Permissions Denied from Stericsson. However, Permissions Denied only denies. It doesn't spoof. So please keep going, Yajin!

Permissions Denied