Android no longer reveals app permission changes in automatic updates

Change could heighten security risks for users.

Automatically updating Android apps could get riskier thanks to a change Google developers have made to the way the OS discloses new app permissions, such as the ability to send potentially costly text messages or track a user's precise geographic location.

Previously, automatically updated apps displayed explicit details when a new version gained additional privileges. For example, an app that previously tracked only coarse GPS coordinates would warn users if an update would begin receiving fine coordinates. Similarly, a newly assigned ability to send SMS messages would also be disclosed. Under changes implemented through the latest Play store app, neither new privilege is displayed if a user has previously accepted any other permission in the same category as the new permission. In other words, by accepting one permission from a category, users agree that every other permission in that category can be added without notification in future updates.

The change is an attempt by Google to streamline and simplify the process of installing updates. Rather than providing lengthy details many users likely don't understand, the new permission disclosure is much less verbose. Permissions are indicated only by a very general category such as Location, SMS, or Contacts/Calendar. Users who want to track precisely how a permission may have changed must click the category to see if specific new capabilities have been added. As a result, an app update that replaces coarse location with fine location simply shows the location category. End users must manually drill down to learn of the change.
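The disclosure rule described above can be turned into a pre-update check. The following is an added example, not code from Google or from the article: it compares the permissions requested by two versions of an app and sorts each newly requested permission by whether the user would be told about it. It assumes the manifests are already decoded to text XML, and the `GROUPS` table is a partial, assumed mapping covering only the categories the article names; the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed, partial permission-to-category mapping (illustration only).
GROUPS = {
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "Contacts/Calendar",
    "android.permission.READ_CALENDAR": "Contacts/Calendar",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def classify_update(old_xml, new_xml):
    """Sort permissions added by an update into silent, disclosed, unmapped."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    # Categories the user already accepted by installing the old version.
    accepted = {GROUPS[p] for p in old if p in GROUPS}
    report = {"silent": [], "disclosed": [], "unmapped": []}
    for perm in sorted(new - old):
        group = GROUPS.get(perm)
        if group is None:
            report["unmapped"].append(perm)           # needs manual review
        elif group in accepted:
            report["silent"].append((perm, group))    # category already accepted
        else:
            report["disclosed"].append((perm, group)) # new category, shown to user
    return report

def _manifest(perms):
    """Build a constructed sample manifest requesting the given permissions."""
    body = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.app">%s</manifest>' % body)

OLD = _manifest(["ACCESS_COARSE_LOCATION", "INTERNET"])
NEW = _manifest(["ACCESS_COARSE_LOCATION", "INTERNET",
                 "ACCESS_FINE_LOCATION", "SEND_SMS", "CAMERA"])

if __name__ == "__main__":
    for bucket, items in classify_update(OLD, NEW).items():
        print(bucket, items)
```

In this constructed case the move from coarse to fine location lands in `silent`, while SMS sending is `disclosed` because the old version held no SMS permission.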

"I'd call it a step sideways," Marc Rogers, principal security researcher at Android antimalware provider Lookout, said of the change. "It definitely doesn't improve anything and it introduces some new risks, but I do think it addresses a couple of other issues."

As an example, he said, suppose an updated app acquires the right to view photos.

"I'm not sure users are well equipped to understand the full risk that each category could represent. I doubt as a user I would understand that the implication of that is I'm also giving someone permission to format my SD card. So there is a risk that users who have auto update on will not see this new permission of 'format the SD card' come in and somebody could do something malicious."

The changes have been the topic of sometimes vigorous debate on reddit threads here, here, and here. Users who object to the changes should consider disabling automatic updates. That can be done by opening the Google Play app and switching to the settings view. Auto updating can be set for all apps or just some of them. Google has more details about the permission changes here.
