F-Secure warns about Android permissions security risk

SECURITY FIRM F-Secure has warned that users granting permissions for advertising modules in Android apps can allow malicious activity.

The permissions that users give to Android application packages (APK) do not get split between the main modules and possible add-on modules. This means that users can be saying yes to dodgy activities on their devices without knowing it when installing an otherwise legitimate app.

In some cases the advertising module is the only part of the app to use the permissions that the user grants, probably without reading the ins and outs beforehand.

F-Secure said in a blog post, "Currently, Android apps don't differentiate between permissions used by the main app, and those used by the ad modules. And when it comes to security, that's still a grey area, both for users and analysts."

The firm gave the recent example of spyware called Adboo that was present in a clean app but collected confidential information, which it then sent to a remote server.

The problem lies in the fact that there is no way to give different levels of access to the main module and add-on modules. This is presumably because users would opt to block all adverts that come with apps. Nevertheless the security issue could be communicated more clearly before a user installs an app from the Android Market.

The blog goes on to say, "Wouldn't it be clearer to the user if the Permissions tab indicated how the permissions were used by both the main app and the ad module? Or better still, there was a separate permissions tab for the ad module?"

"This would give the user a clearer idea of what the main app/ad module will do, and they would be in a better position to choose whether they want to proceed with the installation."

This is not necessarily the app developer's fault either, as many of them do not control the types of ads used with their apps. µ