LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Android trojan steals keystrokes using phone movements (ars technica)

Android trojan steals keystrokes using phone movements (ars technica)

Posted Apr 27, 2012 17:32 UTC (Fri) by nybble41 (subscriber, #55106)
In reply to: Android trojan steals keystrokes using phone movements (ars technica) by cmccabe
Parent article: Android trojan steals keystrokes using phone movements (ars technica)

> Maybe there needs to be some kind of differential pricing so that apps that ask for a lot of capabilities have to be sold at a more expensive price.

I would recommend charging developers extra for each requested permission, rather than setting a price floor; otherwise, developers could use the pricing rules to justify a higher (and more profitable) price for their apps, while deflecting the blame onto the store. Charging for permissions would have a similar effect on prices, without giving developers a perverse incentive to request excessive permissions.

The revenue from granting permissions could be used to fund additional review to ensure those apps are using the permissions responsibly. Instead of merely saying "this apps wants these permissions", the store could say "this app has been reviewed and certified for these permissions".

(Log in to post comments)

Android trojan steals keystrokes using phone movements (ars technica)

Posted Apr 27, 2012 17:40 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

I think a lot of grief could be spared by splitting some permissions. One such is separating out a "connect to advertisement networks" from "connect to the Internet", or even to have a whitelist of IP addresses or domain names attached to the Internet permission. Another possibility would be to just have applications actually describe what the permission is used for in the manifest file so that the market can display it. I currently have two upgrades waiting on my Galaxy Nexus because they add the "read sensitive logs" permission with no explanation of why it is needed. They also don't really make sense to have the permission in the first place (Google Voice and My Verizon) and there's no explanation.

Android trojan steals keystrokes using phone movements (ars technica)

Posted May 3, 2012 10:57 UTC (Thu) by robbe (guest, #16131) [Link]

CyanogenMOD allows one to turn off each permission independently. Of course, many apps don't handle denied requests well and will crash... I guess staying at the old version is better than making the application unstable.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds