On Sat, Mar 3, 2012 at 9:47 PM, Jeffrey Walton <[email protected]> wrote:
> From 
> http://www.itworld.com/security/255210/google-response-flaw-lets-apps-steal-photos-ditch-insecure-apps-thats-all-them:
>
>    ... all the apps on the Android Market get access permissions from
>    Android's built-in security, which is so flawed it can't stop applications
>    from improperly accessing data even when they don't intend to. So, if
>    Google gets rid of all the apps Android would allow to access data
>    improperly, it will be getting rid of all the apps.
>
> "We need a more fine grained permission system on android,"
> http://lwn.net/Articles/409230/
>
> "Dr. Android and Mr. Hide: Fine-grained security policies on unmodified
> Android," http://www.cs.umd.edu/~jfoster/papers/acplib.pdf
>
> "The Effectiveness of Application Permissions,"
> http://www.cs.berkeley.edu/~afelt/felt-permissions-webapps11.pdf
>
> And last but not least (it's alarming how permissions map to actions in
> practice):
>
> "Android Permissions Demystified,"
> http://www.cs.berkeley.edu/~afelt/android_permissions.pdf

A new twist just arrived (or it looks new to me). An app with no
permissions gets pseudo-READ_PHONE_STATE for free.

""No permissions" Android app allows secret data harvesting,"
http://www.zdnet.com/blog/hardware/no-permissions-android-app-allows-secret-data-harvesting/19709

Paul Brodeur, security researcher with Leviathan Security Group, has
created a proof-of-concept app that shows how an Android application
which doesn’t ask for any security permissions is still able to get
access to data stored on SD cards, data stored on the handset by other
apps, and information about the handset and handset’s Android ID.
...

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/android-security-discuss?hl=en.
