Google changes its Android permissions policy and introduces a serious security flaw
As a general rule, I always try to give you practical information on rooting your Android device, whether about developments within the community or to alert you about potential security problems. Today is one of those days when we publish an article to alert you: Google has launched a new version of the Play Store that, among other things, allows the use of PayPal to buy applications and simplifies the permissions shown to users.
So far so good, but this change hides something more sinister. The Android permission system that served to protect users has been quietly weakened by Google in the update to its app store. Before, when an application needed additional permissions, users were notified and had to accept the changes before the update could be installed. This continued when automatic updates were introduced, since an update that changed permissions still required manual approval.
This system worked quite well, but with the latest change in the Google Play Store users are not notified of permission changes unless the change adds permissions from a new group, and given how broad each group is, this leaves Android with only 13 different types of permission. This means that an app could be automatically updated in the future and give itself access to more permissions within a group without the user knowing.
Google also decided that users did not need to know whether an application accesses the Internet, so this permission now hides beneath another; put another way, we will not know. Mountain View's reasoning is that since most apps access the Internet, why bother warning the user? And interestingly, one of the guidelines for protecting your privacy is to deny network access to the applications that request it. In short, Google has made a very big mistake that has compromised the safety of Android users.
What can users do about this?
For now, the best you can do is turn off automatic updates for your applications and carefully review the permissions they request. You might even consider using an Xposed Framework module, XPrivacy, to limit the permissions each app requests.
To give you an idea of the seriousness of the matter, a user on Reddit created a thread showing that an application with only a few permissions can become a back door to your device. The application this user created requested these permissions:
android.permission.GET_TOP_ACTIVITY_INFO
android.permission.GET_ACCOUNTS
android.permission.ACCESS_COARSE_LOCATION
android.permission.WRITE_CALL_LOG
android.permission.READ_EXTERNAL_STORAGE
android.permission.SUBSCRIBED_FEEDS_WRITE
And with just these few, the application could be updated to gain the following additional permissions, none of which was notified to the user:
android.permission.READ_HISTORY_BOOKMARKS
android.permission.READ_PHONE_STATE
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
android.permission.READ_SMS
android.permission.RECEIVE_MMS
android.permission.RECEIVE_SMS
android.permission.SEND_SMS
android.permission.WRITE_SMS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.MOUNT_FORMAT_FILESYSTEMS
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.SUBSCRIBED_FEEDS_READ
That's it. An application with a few standard permissions could, with a small update that does not notify the user, monitor and store your browsing data, log your IMEI number, and other niceties such as tracking you by GPS in real time.
This is not the plot of a science fiction movie; this is something that could be done today, on your device, without you even knowing. What was Google thinking?
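One way to carry out the permission review recommended above, as an added example that is not from the original article or the Reddit thread: it compares the permissions declared in the manifest of the installed version with those of an update and lists everything the update adds. It assumes both AndroidManifest.xml files have already been decoded to text XML; the package name and both manifests are constructed here from the permission lists in this article.

```python
import xml.etree.ElementTree as ET

# Namespace that qualifies the android:name attribute in a decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            perms.add(name.strip())
    return perms

def added_permissions(old_manifest, new_manifest):
    """Permissions the update requests that the installed version did not."""
    old = requested_permissions(old_manifest)
    new = requested_permissions(new_manifest)
    return sorted(new - old)

def build_manifest(short_names):
    """Build a minimal decoded manifest (constructed sample input)."""
    rows = ['  <uses-permission android:name="%s%s"/>' % (PREFIX, n)
            for n in short_names]
    head = ('<manifest xmlns:android="http://schemas.android.com/apk/res/'
            'android" package="com.example.demo">')  # hypothetical package
    return "\n".join([head] + rows + ["</manifest>"])

# Constructed from the two permission lists quoted in the article.
INSTALLED = ["GET_TOP_ACTIVITY_INFO", "GET_ACCOUNTS", "ACCESS_COARSE_LOCATION",
             "WRITE_CALL_LOG", "READ_EXTERNAL_STORAGE", "SUBSCRIBED_FEEDS_WRITE"]
UPDATE_ADDS = ["READ_HISTORY_BOOKMARKS", "READ_PHONE_STATE",
               "ACCESS_FINE_LOCATION", "ACCESS_LOCATION_EXTRA_COMMANDS",
               "READ_SMS", "RECEIVE_MMS", "RECEIVE_SMS", "SEND_SMS",
               "WRITE_SMS", "WRITE_EXTERNAL_STORAGE",
               "MOUNT_FORMAT_FILESYSTEMS", "MOUNT_UNMOUNT_FILESYSTEMS",
               "SUBSCRIBED_FEEDS_READ"]
OLD_MANIFEST = build_manifest(INSTALLED)
NEW_MANIFEST = build_manifest(INSTALLED + UPDATE_ADDS)

if __name__ == "__main__":
    for perm in added_permissions(OLD_MANIFEST, NEW_MANIFEST):
        print("added by update:", perm)
```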
Where does this road lead?
For starters, Google is making a terrible mistake on privacy. Apple, however, and oddly enough, has included some interesting measures on the issue in iOS 8. To make a long story short, these new measures will prevent an Apple device from being tracked while it searches for WiFi networks, among other things.
Now that it is clear that the market is moving towards greater control by the user, Google may need to redesign its simplification of application permissions so that it is clearer what users are allowing. It should also be possible to grant and deny permissions in real time, but it is clear that this only happens in utopias or custom ROMs like CyanogenMod.
We recommend checking out the thread that has been opened on Reddit about it, because the user who carried out this experiment has shown quite blatantly that Google has made a very serious mistake. I repeat the question I asked before: what was Google thinking when it implemented these changes? It may be time to think about saying goodbye to Google Apps and searching for alternatives that better preserve privacy while allowing better control of your own data.