Permission granted: a compromise on virtual security

By Tanish Pradhan

Today, people not only rely on their devices to work and function, but also form deep emotional bonds with them. Any form of malfunction or glitch in these devices evokes an exaggerated response from the users. People turn them into caches of all their personal information along with making them companions in daily activities. They use a multitude of applications, mostly developed by unknown third parties, to enhance the experience further. However, not much thought is given to how much personal data is disclosed and to whom.

Most well-known operating systems used to deal with the issue of app security by simply screening and testing every application they let consumers use. They then put out timely updates and patches to deal with newly found security loopholes. However, the Android OS chose to do things a little differently. It made a vast number of applications readily available on an app store with little to no effort put into screening and testing. Instead, it let the users decide whether or not an app was safe to use. The user was given certain information on the app’s functions and asked to sign a service agreement, granting the app a set of permissions, before installation. This is where a staggering number of security issues arise.

Malice of malware

Apps like torch and calculator, with seemingly harmless functions, may contain hidden malware. These may target weak spots in the security systems of the user’s device and try to exploit the data made available to them by the user. They can perform a host of actions, ranging from a simple annoyance to a devastating event. A popular app with permission to access the microphone can choose to keep the microphone on to record many of the users’ conversations without them even knowing. This is similar to the case of Amazon’s Echo, which had the permission to turn on the microphone just before someone called out its name. To do this, it would in principle have to record through the microphone indefinitely. Instances like this may seem like rare occurrences. However, according to a study of around 4,00,000 apps on the Play Store, more than 50% leaked data such as phone numbers or device location to an ad network.

Some types of malware may also be used to steal information to aid malicious purposes. Others, like spyware, can be used to track the users’ locations or tap into their cameras or microphones. Some malware may even gain access to the users’ phones, using them to abuse their services, click on online ads, or even download other malware onto the devices. What is truly scary is how easy it is for the malware to infect the systems. This points to an inherent flaw in Android’s functioning.

Being developer-friendly: boon or bane?

One of Android’s best features is how highly customisable and developer-friendly it is. This, however, very quickly turns into one of its greatest flaws. Every hardware vendor makes repeated modifications to the stock software to suit the specific needs of the device. This leaves the software end of the device with some large and easily exploitable security loopholes. This system of modification before rollout also makes it immensely hard to push updates and security patches in a timely fashion. It makes these devices easy targets for hackers, because they are susceptible to security flaws and cannot be patched against them in time.

The lax approach taken by developers is also a reason for huge security gaps in phones. They often recycle code: a particularly tedious piece of code already written by one programmer may be reused by another in the development of a different app. Hackers often dump scripts online in the hope that they may be picked up by unwary programmers and that their malware may be embedded in the base script of new apps. App data often does not undergo appropriate encryption and is easy enough to tap into for anyone who takes the effort of hacking into one’s network. Many developers also choose to forgo complete testing of the apps they create. A number of features with concerning security issues remain untested, and phone systems are left vulnerable to threats.

Abusive app permissions

More often than not, security becomes secondary to the users themselves. In a bid to squeeze exceptional performance and usage out of their mobile devices, they leave their phones unsecured. App permissions come into prime focus on the usage end. Some of the most abused app permissions have been compiled by TrendMicro:

Network-based location: It is usually used to provide location services based on sources of location such as cell sites and WiFi networks. It can also be widely used to launch location-based attacks or to install malware onto devices.

GPS location: It is used to track a user’s exact location through the Global Positioning System. It can be abused by hackers in a similar manner to network-based location services.

View network state: It allows apps to check for network connections such as cell service or WiFi. It can also be used to schedule updates or connect to servers. Malware may use this feature to perform other malicious functions by spotting available networks. They may also turn on these network connections without the user’s knowledge.

View WiFi state: It is used to gain information on the device’s WiFi connection. It may, however, be misused to gain access to WiFi passwords and hack into networks, providing alternative gateways to the user’s data.

Retrieve running apps: It lets apps identify running tasks and processes. It can be used to collect information on other apps or even to kill security applications, exposing the device to further threats.

Full internet access: It may be used by malware to connect to the internet and to fulfil an alternative agenda, like communicating with servers or downloading additional malware.

Automatically start at boot: It is used to automatically start applications every time one boots the device. It may be used to start malicious apps without the user’s knowledge.

Modify and delete SD card content: It lets apps modify external storage information. Malicious apps may also use it to read and send personal information to command centres.

Need for security measures

Most permission violations are easily preventable if the users take simple preventive measures. Taking the time to go through the permissions required by the app before accepting is essential. Users can use their intuition to ask simple questions like why a particular permission is required by an app. If something seems to be fishy, the user can send an email to the developer. In case of no reply or unsatisfactory justification, the user shouldn’t install the app. This elimination method of installation will help prevent most malignant intrusions through permission loopholes. However, it is a good idea to have a secondary security option.
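As an added example (not part of the original article), the permission review described above can be run against an app's decoded AndroidManifest.xml. The mapping from the article's permission labels to Android permission constants and the sample manifest for a hypothetical torch app are assumptions made here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: Android permission constant -> label used in the list above.
WATCHLIST = {
    "android.permission.ACCESS_COARSE_LOCATION": "Network-based location",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_NETWORK_STATE": "View network state",
    "android.permission.ACCESS_WIFI_STATE": "View WiFi state",
    "android.permission.GET_TASKS": "Retrieve running apps",
    "android.permission.INTERNET": "Full internet access",
    "android.permission.RECEIVE_BOOT_COMPLETED": "Automatically start at boot",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Modify and delete SD card content",
}

# Constructed sample: decoded manifest of a hypothetical torch app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def review(manifest_xml, expected=frozenset()):
    """Return (watchlist hits the reviewer did not expect, all other requests)."""
    requested = requested_permissions(manifest_xml)
    flagged = {p: WATCHLIST[p] for p in sorted(requested)
               if p in WATCHLIST and p not in expected}
    return flagged, sorted(requested - set(flagged))

if __name__ == "__main__":
    flagged, other = review(SAMPLE_MANIFEST)
    for perm, label in flagged.items():
        print(f"ASK WHY: {label} ({perm})")
    print("not on the watchlist:", ", ".join(other))
```

Passing `expected` lets the reviewer record which permissions the app's stated function justifies, so only the unexplained ones are flagged.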

Today, people’s phones have as much official and personal information as their personal computers, which is why privacy of data is of paramount importance. It would not take much effort for a hacker to invade devices and misuse sensitive information. Hence, it is important for people to have all the security measures working on their phones as well as on their computers. Sufficiently capable security software would not only set up a firewall to keep out malware, but would also make sure the right measures are in place to prevent hacking and spyware. Furthermore, it is important to optimise security and privacy settings as soon as the device is purchased.

Is it 1984?

People have started trusting their gadgets with more information than they ever did. They entrust them with information such as their likings and preferences, relationship information, work schedules, travel plans, educational data, images and profiles, and even bank information. It takes minimal effort for someone with the right resources to take the trusted gadgets and turn them malicious. In the dystopic world painted by George Orwell in his classic novel—1984—he spoke of the aggressive invasion of privacy with large screen-like devices which record everything said and done, prying into the most intimate spaces of people’s lives. The only difference is that today people have the devices in their pockets.
