Saturday, Sep 24, 2022

Android 8 and app permissions: the complete guide

Android allows you to configure app permissions to protect your data and restrict access to potentially dangerous features. Here’s how to do it and why.

There may be thousands of Android variants currently in circulation, as each smartphone manufacturer modifies the system according to its needs, and these changes are not always positive. In any case, the core of Android continues to be a well-designed operating system and its security improves with each new version.

To be precise, security improves if the user does things right. To access data in shared storage or features that may not be secure, Android apps need explicit permission from the user. And it is important to properly set the permissions that you grant.

In another post we talked about how to configure these settings on Android 6; today, however, we will analyze a more recent version of the operating system, namely Android 8. First, version 8 has more settings than in the past, which can be good and bad at the same time. Good because they make the system more secure, bad because configuring these settings is now more complicated and takes more time. Also, the settings are organized differently and sometimes this organization is not that intuitive. Do not worry, thanks to this guide, you will have everything at your fingertips.

Configure permissions through the app permissions list

This list contains the permissions that allow apps to access certain personal information on the smartphone (contacts, call log, SMS, photos, etc.) and the integrated devices through which some data can be obtained (camera, microphone, telephone, GPS receiver).

An app, before obtaining any authorization, must make an explicit request to the user. It is you, therefore, who decide

Once one of these permissions is granted, the app can obtain that particular information and upload it to the cloud without asking for permission every time and regardless of the purpose for which it uses it.

For this reason, we recommend that you always think carefully before granting a permission to an app, especially when that permission is not required for the application to function. For example, most games certainly don’t need access to your contacts or camera, messaging apps don’t have to know your location, and the coolest camera filters can survive without having access to your call history.

The decision is always up to you, but keep in mind that by granting as few permissions as possible, your data will be safer.

SMS

What it is: authorization to send and receive SMS, MMS and push messages via WAP, as well as the ability to view messages on the smartphone’s memory.

Danger: an app with these permissions can read all saved SMS messages, including disposable codes for online banking and transaction confirmation.

In addition, the app can send spam messages in your name (and at your expense) to the entire address book or subscribe to “premium” services.

Where it is configured: Settings -> Apps and notifications -> App permissions -> SMS

Calendar

What it is: Permission to view, delete, edit and add calendar events.

Danger: prying eyes may find out what you have done or what your commitments are in the near future. Spyware loves this kind of permissions.

Where it is configured: Settings -> Apps and notifications -> App permissions -> Calendar

Camera

What it is: Permission to access the camera to take photos or record videos.

Danger: Apps with this permission can take a photo or record a video at any time and without notice. If cybercriminals manage to get hold of embarrassing or unflattering images, they can make your life impossible.

Where it is configured: Settings -> Apps and notifications -> App permissions -> Camera

Contacts

What it is: permission to read, edit and add data to contacts in the address book and to access the list of accounts saved on the smartphone.

Danger: With this permission, an app can send your address book to its server. Even some legitimate services abuse this authorization, not to mention scammers and spammers, for whom it is a real godsend.

This permission also allows you to access the list of app accounts on your device, including Google, Facebook, and other service accounts.

Where it is configured: Settings -> Apps and notifications -> App permissions -> Contacts

Geolocation

What it is: Location access, approximate (which is based on data obtained from the network and Wi-Fi access points) or exact (which is based on GPS and GLONASS data).

Danger: the app can track every movement of the user.

With this information, it is easy to work out where the owner of the device lives (night location), where he works (day location) and many other important details.

Even when you don’t care that someone can control your movements, there is another detail to consider. Geolocation is the most battery-consuming feature of all. The fewer apps that have access to your constant location, the longer your battery life will be throughout the day.

Where it is configured: Settings -> Apps and notifications -> App permissions -> Location

Microphone

What it is: Authorization to record through the smartphone’s built-in microphones.

Danger: With this permission, apps can record any sound in the vicinity of the phone, such as your calls or face-to-face conversations with another person.

Where it is configured: Settings -> Apps and notifications -> App permissions -> Microphone

Body sensors

What it is: access to data obtained from sensors created to record certain health parameters, such as the sensor for detecting the heartbeat.

Danger: apps that monitor your vital functions can exploit the data obtained from sensors (an example is fitness bracelets). This category does not include motion sensors integrated into the smartphone. This data can be used, for example, by some companies to evaluate the costs of health insurance.

Where it’s configured: Settings -> Apps and notifications -> App permissions -> Body sensors

Storage

What it is: ability to read and write files on the shared memory of the smartphone. On Android each app has its own small memory space to which only the app itself has access. All apps that have the relevant authorization can access the remaining space.

Danger: thanks to this permission, an app can browse all your files, for example viewing all your photos (including those from holidays that you don’t want anyone to see) and then transferring them to its servers. Or the app can encrypt the data to demand a ransom.

This is a very dangerous permission because many apps use shared memory for temporary storage of add-on modules or for updates downloaded from the Internet, all of which are vulnerable to tampering by malicious apps. This is known as a Man-in-the-Disk attack.

Where it is configured: Settings -> Apps and notifications -> App permissions -> Storage

Phone

What it is: Permission to view and edit the call log, get your phone number, cellular network data and outgoing call status. In addition, the app can add voicemail messages, have access to telephony services via IP, view the numbers called with the ability to end the call or switch it to another number and, finally, call any other phone number.

Danger: With this permission, an app can do pretty much anything with your voice calls. The app can trace who you called and when or even prevent you from making calls (in general or to a particular number) by hanging up without your consent. The app can also listen to your conversations and, of course, make all calls at your expense, including to numbers with particularly high rates.

Where it is configured: Settings -> Apps and notifications -> App permissions -> Phone

Special app access: list and permissions

In the section we have just described you will find the permissions of the apps that allow access to personal data. But there is another list of permissions to access various Android features; in the hands of malicious apps, these permissions can cause significant damage, so they must be granted with full knowledge of the facts.

Such permissions are found in the maze of the settings and identifying them is not at all intuitive; to understand how they are used and their consequences, the user must be familiar with the world of Android and mobile malware. Don’t worry, we are there to explain everything to you clearly.

Battery optimization

What it is: the new versions of Android limit (and greatly) the ability of apps to operate in the background, especially to avoid excessive battery consumption. Essentially, developers whose apps require background operations (music players, fitness apps, not to mention antiviruses) must gain access to these kinds of operations, which invalidates the battery optimization options.

Danger: even spyware apps, for example, would like to operate in the background to monitor user movements. This is why it is an authorization to be handled with care, periodically checking the list of applications that have the possibility to operate freely in the background.

Where it is configured: Settings -> Apps and notifications -> Advanced -> Special app access -> Battery optimization -> Without optimization

Device administration app

What it is: With this permission, apps can employ remote administration capabilities. This feature set was originally designed to help corporate IT services remotely configure employee smartphones (directly from the workplace), without requiring physical access to devices.

Danger: First, this permission allows an app to change your smartphone password, lock the screen, turn off the camera, and even erase all data. Secondly, it is difficult to delete an app with a similar level of authorization, which is why malware goes to great lengths to obtain it and “settle” in the system. In short, this kind of authorization can only be granted if you are 100% sure that the app requesting it has nothing to hide.

Where it is configured: Settings -> Apps and notifications -> Advanced -> Special app access -> Device administration app

Do not disturb access

What It Is: Newer versions of Android have Do Not Disturb functionality with a number of settings, such as turning off calls, messages, vibrate, and pop-up notifications. This mode can be programmed, exceptions can be set (on all or only on some contacts) so that the mode is not applied to certain calls or certain messages. This permission allows an app to change the settings of this mode.

Danger: A malicious app can activate Do Not Disturb mode and prevent the owner of the smartphone from receiving important messages or calls (for example, a call from the bank relating to a particularly suspicious transaction).

Where it is configured: Settings -> Apps and notifications -> Advanced -> Special app access -> Do not disturb access

Show above other apps

What it is: With this permission, an app can show its windows overlapping those of other apps.

Danger: Malicious apps can hide important warnings from the user, or overlay fake screens where the smartphone owner will type in their credit card numbers or passwords, thinking they are using a legitimate app. This authorization is one of the two key elements of a Cloak & Dagger attack.

Furthermore, this permission is used extensively by adware to show advertisements more effectively and also by blockers, ransomware that superimposes its window on the phone interface and demands a ransom to get everything back to normal.

In short, most apps shouldn’t be granted this kind of permission.

Where it is configured: Settings -> Apps and notifications -> Advanced -> Special app access -> Show above other apps

VR helper services

What it is: This permission allows apps to access other apps or augmented reality devices, as well as the ability for the app to run in the background even when the user is using virtual reality apps.

Danger: Beyond giving apps the ability to run in the background, which is much appreciated by malware, this type of permission doesn’t seem very dangerous in itself. In any case, it is better to deny it to apps that have nothing to do with virtual reality, just to avoid probable headaches.

Where it is configured: Settings -> Apps & Notifications -> Advanced -> Special App Access -> VR Helper Services

Change system settings

What it is: Android has two types of system settings, one common and one global. All riskier settings have been moved to the second category, while in the first you will find secondary options like changing brightness or volume. Permission to modify system settings allows apps to modify settings belonging to the common category, not the global one.

Danger: It sounds quite risky, but it is actually a fairly harmless kind of authorization, as there is nothing really dangerous that can be changed among these settings.

Where it is configured: Settings -> Apps and notifications -> Advanced -> Special app access -> Change system settings

Access to notifications

What it is: authorization to manage notifications. For example, Google Wear needs to send notifications to the smartwatch. This permission also serves the Android home app to show pop-up notifications on the desktop next to app icons.

Danger: A lot of confidential information (SMS, instant messages etc.) is shown through notifications. If a spyware app or banking Trojan manages to sneak in, it may learn of information that should remain private. This is an authorization that must not be given lightly.

Where it is configured: Settings -> Apps and notifications -> Advanced -> Special app access -> Access to notifications

Picture in picture

What it is: Android allows apps to play videos in Picture In Picture (PIP) mode, which is when a small window appears in the right corner of the screen while other apps are open.

Danger: Same situation as Show above other apps. For example, a malicious app can use this permission to hide an important notice, and adware can use it to show advertisements. Grant this authorization only if you are totally sure.

Where it is configured: Settings -> Apps and notifications -> Advanced -> Special app access -> Picture-in-picture

Access to premium SMS

What it is: Google has a list of premium SMS numbers in various countries worldwide. If an app tries to send an SMS to a number from this list, the system asks for the user’s permission.

Danger: Whole families of malware earn a hefty nest egg by signing users up for premium SMS services. We don’t know how detailed Google’s list is, but it should keep the most common Trojans at bay.

Where it is configured: Settings -> Apps and notifications -> Advanced -> Special app access -> Premium SMS access

Unlimited data

What it is: to save data and battery consumption, Android allows you to decide which apps can use background data transfer (each app must be set individually, there is no single box to tick).

In addition, Android has Data Saver mode (Settings -> Networks and Internet -> Data usage -> Data saver). When this mode is enabled, background data transfer is disabled for most apps. If an app wants to continue with the data transfer when the Data Saver option is enabled, it must request an authorization.

Danger: background data transfer even in Data Saver mode is usually requested by apps that are used to communicate (instant messages, e-mail clients, social networks), so that messages can be delivered immediately.

If that permission is requested by an app that doesn’t fall into these categories, it could possibly be used to spy on you.

Where it is configured: Settings -> Apps and notifications -> Advanced -> Special app access -> Unlimited data

Access to usage data

What it is: thanks to this permission, apps can access the metadata of your device (for example, which apps you use and how often, who is your operator, what is the language set on your phone, etc.).

Danger: apps do not obtain private information, but certain “indirect” data about the use of the smartphone can be combined into a unique fingerprint and used to spy on users.

In addition, banking Trojans use this feature to know which apps are in use at that precise moment in order to overlay their own phishing screen (such as the app of the bank you are a customer of).

Where it is configured: Settings -> Apps and notifications -> Advanced -> Special app access -> Access to usage data

Install unknown apps

What it is: It’s pretty much the same as the Install from Unknown Sources permission found in previous versions of Android. Before, however, it was all packed into a single box, while on Android 8 we have more complex settings. Now a single app can request permission to install other apps and the user decides whether to consent or block. For example, you could only grant permission to a file manager (this is not recommended, however).

Danger: Sometimes malicious apps can also be found on Google Play. As you can imagine, the situation is even more insidious if we talk about sources whose reliability we do not know. We therefore recommend that you block the installation of unknown apps for all apps on your smartphone, especially when it comes to browsers, to protect yourself from automatic download and installation of malware from hacked sites.

If you really need to install an app that does not come from an official store (think about it anyway, always), don’t forget to reactivate the block immediately after installing the app in question.

Permissions configured individually

In addition to the App permissions and Special app access settings, Android 8 has several other important permissions which, if not set correctly, can be really dangerous for the user, perhaps more so than those described in the first two sections. It is essential that they are only granted to trusted apps.

Accessibility

What it is: Powerful set of features originally created to make life easier for users with visual impairments. For example, thanks to this section, an app reads aloud everything on the screen and, vice versa, thanks to voice commands you can navigate in the graphical interface.

Danger: This feature set causes an app to have access to what happens in other apps, violating the isolation principle behind Android.

A malicious app can take advantage of the Accessibility section to monitor what the user is doing and manage the graphical interface at will (it can literally click on any option). This includes changing settings, confirming actions or even buying apps on Google Play. This feature set forms one of the two key elements of a Cloak & Dagger attack.

Where it is configured: Settings -> Accessibility

Asking for Accessibility permissions isn’t always synonymous with malicious activity; some apps have a good reason for doing so. For example, mobile antivirus apps need this permission to identify suspicious behavior from other apps before it’s too late. In general, however, before granting an app the necessary permissions for the Accessibility section, it is better to think carefully because the consequences could be really unpleasant.

Default apps

What it is: It’s another list of permissions that is a separate section and deserves due attention. Android offers a number of default apps that perform basic functions:

  • Voice assistance and input: default app for voice commands, such as Google Assistant;
  • Browser app: app for viewing web pages;
  • Home app (also called launcher): graphical shell for managing the desktop app menu, widgets etc;
  • Phone app: app for making calls;
  • SMS app: for everything SMS related.

For an app to become the default, it must request and obtain this type of permission.

Danger: Many banking Trojans would go to great lengths to become a default SMS app, as they could hide bank withdrawal notifications and steal disposable confirmation codes.

This trick is used by cybercriminals and perfected on most banking Trojans. The unpleasant consequences resulting from the inappropriate use of default apps can be varied and we advise you to think very carefully before granting such an authorization.

Where it is configured: Settings -> Apps and notifications -> Advanced -> Default apps.

Root permissions

What it is: A superuser (root) is a kind of superhero with superpowers that, when accompanied by the right skills, allow you to bypass all the various security mechanisms of Android and do practically anything with the operating system. On a smartphone with superuser permissions you can change all settings, access any file (including system files), delete or install any app from any source, install firmware, and so on.

Danger: it is not just the user who gets the superpower of root permissions, but any app installed on the smartphone. And apps can take advantage of this status to steal the data on the smartphone, engage in spying and many other malicious activities.

All the permissions analyzed up to now allow you to get access to certain data or some features of the Android operating system; root permissions, on the other hand, guarantee access to data and features that should never be shared, not to mention that an app with this type of access can configure all other permissions to its liking.

Think about it, therefore, before proceeding to root your smartphone. If malware that can use root permissions sneaks into your system, the consequences can be even more catastrophic than on an unrooted Android device.

And even if you haven’t rooted your smartphone yourself, someone may have done it at your expense. For example, when spyware apps are installed on the victim’s device, spyware developers recommend or even require root permissions in advance.

Where it is configured: superuser permissions are not acquired through standard Android features and there are no dedicated configurations in the operating system. Also, it is not possible to know if your phone has been rooted using standard operating system tools. Instead, you can use one of the various apps created specifically for verifying rooting (always choose carefully).

If upon verification it emerges that the smartphone has been rooted (and you did not do it), something is wrong. Perhaps you have inadvertently downloaded a Trojan, or someone may have installed a spyware app to monitor you. In this case, we recommend that you save your personal files somewhere else and get rid of root access; there are various methods that work on different types of phones.

How to configure app permissions

On Android, there are many ways to configure app permissions. First, the apps themselves ask for corresponding permissions when they need to use a particular feature, and you can decide whether to grant them or refuse them. On Android 8, such requests look like this:

Second, you can use permission groups to find out about all the apps that have requested, may require, or may have received a particular permission. If you see something suspicious in the granted permissions, you can cancel them immediately. In the course of this article we have talked specifically about each authorization.

A third option is to check what permissions each individual app has and what it may request permission for in the future. Here too, you can revoke permissions already granted at any time if something doesn’t seem right; be prepared for the possibility that something in the app won’t work exactly as it did before.

In any case, the settings of Android 8 have a convenient search system thanks to which you can find a specific setting in the menu (if you know what it’s called); you can go back to the app settings pages by searching for the name of the app itself.
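The per-group and per-app reviews described above can also be done from a computer by saving the text printed by `adb shell dumpsys package` and parsing it. The script below is an added example, not part of the original article; the sample output, the package names and the allow-list are constructed, and the line layout is assumed to match what Android 8 prints.

```python
import re
from collections import defaultdict

# Android 8 runtime permissions, grouped like the "App permissions" list in the article.
GROUPS = {
    "SMS": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS"},
    "Calendar": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "Camera": {"CAMERA"},
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "Location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "Microphone": {"RECORD_AUDIO"},
    "Body sensors": {"BODY_SENSORS"},
    "Storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "Phone": {"READ_PHONE_STATE", "READ_PHONE_NUMBERS", "CALL_PHONE", "ANSWER_PHONE_CALLS",
              "READ_CALL_LOG", "WRITE_CALL_LOG", "ADD_VOICEMAIL", "USE_SIP", "PROCESS_OUTGOING_CALLS"},
}
PERM_TO_GROUP = {f"android.permission.{p}": g for g, ps in GROUPS.items() for p in ps}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def groups_by_app(dumpsys_text):
    """Map each package to the permission groups in which it holds a grant.
    Grants from all device users are merged into one entry per package."""
    apps = defaultdict(set)
    pkg = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            apps[pkg]  # keep apps with no grants in the report
            continue
        m = GRANT_RE.match(line)
        if pkg and m and m.group(2) == "true":
            group = PERM_TO_GROUP.get(m.group(1))
            if group:  # install-time permissions such as INTERNET are skipped
                apps[pkg].add(group)
    return {p: sorted(g) for p, g in apps.items()}

def apps_by_group(report):  # the "permission group" view: who holds each group
    out = defaultdict(list)
    for pkg, groups in report.items():
        for g in groups:
            out[g].append(pkg)
    return {g: sorted(p) for g, p in out.items()}

def unexpected(report, allowed):
    """Groups granted beyond a per-app allow-list; unlisted apps are allowed nothing."""
    flagged = {p: [g for g in gs if g not in allowed.get(p, ())] for p, gs in report.items()}
    return {p: gs for p, gs in flagged.items() if gs}

# Constructed sample in the assumed `dumpsys package` layout (not captured from a device).
SAMPLE = """\
  Package [com.example.flashlight] (1a2b3c4):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.messenger] (5d6e7f8):
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.READ_SMS: granted=true
        android.permission.SEND_SMS: granted=true
        android.permission.READ_CONTACTS: granted=true
"""

if __name__ == "__main__":
    allow = {"com.example.flashlight": {"Camera"}, "com.example.messenger": {"SMS", "Contacts"}}
    print(unexpected(groups_by_app(SAMPLE), allow))
```

Anything the script flags can then be revoked on the phone through the App permissions screens described earlier.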

Conclusions

As we have seen, with Android 8 you can easily and flexibly configure different phone settings to protect your most valuable information and prevent malicious or data-hungry apps from accessing the most sensitive operating system features. In any case, flexibility and ease aside, always think about the consequences of granting certain permissions and do not be afraid to deny access if something doesn’t seem right.

In many cases, apps require permissions for features they don’t really need. Don’t worry if you say no, nothing bad will happen.

“I want your clothes, boots and motorcycle”.
