Weekly Edition
Return to the Security page
| |||||||||||||
Phones and permissionsThe Android permission system for applications ("apps" these days) is an all-or-nothing affair; one can either grant all the permissions that the app asks for, or deny them and not install it. While it is useful to know what permissions are being granted, it would be even more useful for security and privacy conscious users to be able to selectively deny certain permissions—especially those that have no clear connection to the proper functioning of the app. The CyanogenMod (CM) alternate Android firmware has had this ability in its tree since mid-May, but a newer patch that builds on that functionality has been met with resistance from a somewhat surprising direction. The original patch from Plamen K. Kosseff to add permission revoking was accepted after working out some difficulties with apps that crashed when they didn't have the permissions they expected. In addition, enabling permission revocation involves a setting in the "Performance Settings" menu of CM configuration, which means that the project is free to ignore any bug reports generated from the feature. Kosseff then went on to post a patch for review building on that earlier work, and allowing users to allow certain permissions in a "spoofed" mode. The specific example he used was to spoof the phone's International Mobile Equipment Identity (IMEI) number, rather than allow an app access to the real IMEI—that didn't sit well with some CM developers, including CM founder Steve Kondik. The choice to start by spoofing the IMEI was perhaps unfortunate, as Kosseff has ideas for other, probably less-controversial privacy features. For example, in the comments on the patch he describes other possible uses, including restricting what information in the contacts list gets handed to apps, or only showing a portion of the SD card contents to apps. Either of those are obvious improvements to privacy, and ones that shouldn't cause any problems for app developers. The main objection to returning a bogus IMEI value (or the related idea of returning a bogus SIM ID and phone number) is that app developers use that information for data-gathering purposes. While that data gathering might be used for malicious purposes, the clear sense from the comments on the patch is that most app developers are using it for demographic and usage information that is, at least relatively, benign. Kondik and others are concerned that creating a "hostile environment" for app developers will lead to problems for CM, either from the app developers themselves or from larger organizations like Google, handset makers, and cellular service providers. But, as Kosseff asks, shouldn't the user be able to make the decision about what information they share with apps? For IMEI and related information, the answer from the CM developers seems to be "no". It seems somewhat counter-intuitive that a phone distribution with the goal of unlocking the full potential of the hardware would draw that particular line. Others, perhaps the Guardian project for example, are likely to take a different stance. Part of the issue is that it is unclear what is "owed" to the app developers for use of their code. For paid apps, the line is a little less blurry, as one can expect that those developers aren't owed any more than was paid. For gratis apps, things get a little more hazy. If one grants permission to see the contact list to latest bouncing cow game, is it reasonable to revoke that permission, or to provide an empty list? In addition, many gratis apps use the network permission to grab advertisements to show within the app. That is part of the revenue model the developer is using to fund app development, so is it fair to turn that off? On the flip side, should the app refuse to run if it can't call home for ads? There aren't necessarily any easy answers to some of those questions. Avoiding apps that request more permissions than they really need is certainly one way around the problem, but the permissions aren't really fine-grained enough to prevent abuse. If one grants an ebook reading app permission to use the SD card (presumably to store any books that are being read), does that mean it should be able to go poke around and see what other ebook apps are being used? It will also presumably need network permissions to grab content from various places, can it also use them to phone home with a copy of one's reading habits? This is yet another area where free (as in freedom) software can help. There are certainly plenty of users who will be happy to play an ad-supported bouncing cows game, without disabling the network out from under it, if they are sure that the game isn't using its permissions for ill. Likewise, there are plenty of legitimate reasons that an app might need to access the contact list, so long as one can be sure that it isn't sending the contents to spammers (of the voice, SMS, IM, or email kind). For most consumers, any of these safeguards are essentially pointless. As we have seen in the consumer PC world, users will install almost anything, from anywhere, even overriding security warnings from the OS, if it will get them the latest game, mouse cursor, or video content. There's not much hope of changing that, but for the rest of us, who might just care about the data we store on our phones, having more control over the permissions we grant to apps will go a long way toward solving these kinds of problems. A rich ecosystem of free software apps would go even further. (Log in to post comments)
Phones and permissions Posted Jun 3, 2011 11:56 UTC (Fri) by juanjux (guest, #11652) [Link]
Also, IMEI spoofing is illegal on most countries. I think illegality applies to the connection of the phone with the towers and not related to the IMEI that the phone provides to the apps, but it is a dangerous zone anyway, and could make CyanogenMod illegal.
A solution for those that really wanted to spook the IMEI would be to install an image over CyanogenMod enabling this feature.
Phones and permissions Posted Jun 3, 2011 12:09 UTC (Fri) by rvfh (subscriber, #31018) [Link]
There's not that much point in spoofing the IMEI anyway: it only identifies the phone hardware. Spoofing the IMSI (the SIM identifier) which is linked to the subscripter seems a lot more interesting. The phone number (MSISDN) is not always available on the phone (only from the HLR using the IMSI), but it could be a good idea not to return it at all even if it is.
Phones and permissions Posted Jun 5, 2011 4:13 UTC (Sun) by cas (subscriber, #52554) [Link]
spoofing the IMEI to the phone network is illegal in many places.
spoofing the IMEI to an application that has nothing to do with the phone network is not. The app is merely using the IMEI as a convenient unique identifier for infringing the users' privacy and has no legitimate right to it.
Phones and permissions Posted Jun 3, 2011 14:14 UTC (Fri) by PhracturedBlue (subscriber, #4193) [Link]
I won't comment on the IMEI specifically, but the general question of what the App owners are 'owed' seems to be the same question as what a web-page owner is 'owed'. Are they owed the right to display ads on my computer in exchange for the content? There are tools like ABP to stop displaying ads on web-pages, and while they are somewhat controversial, they are heavily owned. If I decide it is ok by my beliefs to use ABP, then I'm likely to feel that I should be able to do the same thing on my phone (and that would go for all personal info). I'm not sure how it fits into CyanogenMod specifically though. Firefox doesn't provide ad-blocking, I need a 3rd party plugin for that. I don't begrudge CyanogenMod the same decision, but it would be nice if we could get the same functionality from a 3rd-party source.
Phones and permissions Posted Jun 4, 2011 2:57 UTC (Sat) by felixfix (subscriber, #242) [Link]
I suppose I am pretty simple minded here. I think it is quite proper for the user to deny internet access to apps which don't seem (to the user) to need it, and if the app really does need it (map program!), it crashes or maybe recognizes the missing permission and exits with a message saying why. If the app only wants it for ads, and the app dev wants to not run without it, that is perfectly fine with me.
None of this seems like a very big problem to me. Users should be able to deny any permissions. App devs should be able to choose any reaction from crashing to detecting and explaining why the permission is needed.
As an aside, I wondered right from the start why Google didn't allow users to tailor permissions for apps.
Phones and permissions Posted Jun 4, 2011 11:36 UTC (Sat) by ScottMinster (subscriber, #67541) [Link]
Applications that run on my computer are essentially extensions of me. If Firefox does something, it is doing it on my behalf. If an application does something I do not authorize or against my interests, it is buggy.
It is quite strange to me that we are starting to think of mobile phone applications not as extensions of the user running that app, but as an extension of the person who wrote the app. Perhaps it's because we've become used to website apps, or because mobile phones (at least in the US) are often controlled by 3rd parties (the phone network operators) so we don't expect users to be in control. But I think this is a dangerous way of thinking, one that runs contrary to FOSS ideals. The user should absolutely be empowered to disable or fake whatever information the application can see, especially if the app is user-hostile.
Phones and permissions Posted Jun 4, 2011 3:08 UTC (Sat) by nlucas (subscriber, #33793) [Link]
And why not just return an hash of the IMEI + one application ID?
It will still allow each application to track it's users, has it has access to an unique user ID, but that hash can't be cross-referenced with other applications hashes, which I believe will safeguard most users privacy concerns.
The same can be done with other private phone IDs, like the IMSI.
Phones and permissions Posted Jun 5, 2011 13:46 UTC (Sun) by lab (subscriber, #51153) [Link]
> And why not just return an hash of the IMEI + one application ID?
> It will still allow each application to track it's users, has it has access to an unique user ID, but that hash can't be cross-referenced with other applications hashes, which I believe will safeguard most users privacy concerns
A scheme of this nature is indeed what Google recommends in its guidelines, since mostly you actually don't _need_ the IMEI, but rather just a unique identifier, and so you can avoid asking for that permission needlessly. Specifically, the recommended scheme is to simply generate a GUID, and for that you don't need the IMEI at all.
Phones and permissions Posted Jun 5, 2011 15:49 UTC (Sun) by nlucas (subscriber, #33793) [Link]
The problem with the GUID is that it will be different if the application is re-installed, which will limit it's usefulness. This makes the lazy in us just return the next available unique thing, which is probably the IMEI, or the IMSI.
By hashing the IMEI (and other IDs) with an application ID (maybe some ID of the application on the "market"), the application can be sure it is on the same user phone, but each application will get a different ID.
Is there an unique application ID on the "application market"? One that doesn't change if a new version of the same program is released?
Phones and permissions Posted Jun 6, 2011 11:29 UTC (Mon) by asymptote (guest, #75083) [Link] Part of the issue is that it is unclear what is "owed" to the app developers for use of their code. In my opinion this is incorrect; developers who presume to use the private information of users are the parties who are in debt, not the users themselves. Even the most basic reading of relevant legal statutes, for example the British Data Protection Act, makes this clear. Users do not owe the IMEI, IMSI, serial number, or any persistent and uniquely identifying token to developers. Ever. I'm surprised people have already forgotten about the uproar surrounding the uniquely identifying serial number in Intel Pentium III chips. For most consumers, any of these safeguards are essentially pointless. This is an issue that non-technically inclined users care about, regardless of the comments by the author to the contrary, or else how else would you explain the outrage to proposals like the US REAL ID Act and the British Identity Cards Act 2006?
Phones and permissions Posted Jun 7, 2011 15:32 UTC (Tue) by ortalo (subscriber, #4654) [Link]
Agreed. My initial reaction to this article was that it was the recording and centralization of the IMEI number as an indirect mean of tracking phone users was that not legal (at least under the usual European personal data protection laws I am used to).
I find pointless to put the ability of spoofing the IMEI under scrutiny: I'd like that to be a basic right first, even for those who do not want to exercise it. However, the first thing to examine would be the way such apps record user data...
Phones and permissions Posted Jun 7, 2011 20:47 UTC (Tue) by docwhat (subscriber, #40373) [Link]
I would be willing to hold off on spoofing that info until a generic API in Android could be added to collect information about the hand-held in a private way.
I'd imagine something like a blob of pre-generated data including the device info, hardware type, a unique user identifier, os version, etc. that could be given to developers for tracking trends, etc.
But asking for the IMEI, IMSI, etc. seems like a ridiculous breach of privacy.
Phones and permissions Posted Jun 9, 2011 3:27 UTC (Thu) by Hausvib6 (guest, #70606) [Link]
I smell a fork here or at least out-of-tree patch/mod of a mod.
Phones and permissions Posted Jun 9, 2011 21:47 UTC (Thu) by Felix_the_Mac (guest, #32242) [Link]
These features make CyanogenMod REQUIRED rather than just cool and nice to have.
|
|||||||||||||