On Sat, Mar 3, 2012 at 9:47 PM, Jeffrey Walton <[email protected]> wrote:
> From
> http://www.itworld.com/security/255210/google-response-flaw-lets-apps-steal-photos-ditch-insecure-apps-thats-all-them:
>
> ... all the apps on the Android Market get access permissions from
> Android's built-in security, which is so flawed it can't stop applications
> from improperly accessing data even when they don't intend to. So, if
> Google gets rid of all the apps Android would allow to access data
> improperly, it will be getting rid of all the apps.
>
> "We need a more fine grained permission system on android,"
> http://lwn.net/Articles/409230/
>
> "Dr. Android and Mr. Hide: Fine-grained security policies on unmodified
> Android," http://www.cs.umd.edu/~jfoster/papers/acplib.pdf
>
> "The Effectiveness of Application Permissions,"
> http://www.cs.berkeley.edu/~afelt/felt-permissions-webapps11.pdf
>
> And last but not least (it's alarming how permissions map to actions in
> practice):
>
> "Android Permissions Demystified,"
> http://www.cs.berkeley.edu/~afelt/android_permissions.pdf

"Fake Android Anti-Virus Records Calls, Steals Info,"
http://www.securitynewsdaily.com/1987-fake-android-anti-virus.html

Looking at Symantec's analysis
(http://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99&tabid=2),
it looks like READ_PHONE_STATE is complicit again. To be fair, this app asked
for the world and some users agreed. Taking READ_PHONE_STATE away (or
decomposing its permissions) would have only lessened the impact.

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
