Google’s Android Permissions Get Granular

Google appears to be heeding warnings of security experts who say Android users need better control over what apps do with information from their phones.

At I/O, its worldwide shindig for developers held last week, the company announced that the next version of its mobile operating system, Android M, would take a more granular approach to permissions for data requested by apps.

Recent versions of Android allows applications to make a block of permission requests as they’re installed.

“Unlike iOS, where you have granular control over permissions, in Android, you’re all-in or you don’t have access to the application at all,” Bitdefender Senior E-Threat Analyst Bogdan Botezatu told TechNewsWorld.

That’s changing with Android M.

“With app permissions, we’re giving users meaningful choice and control over the data they care about,” said Dave Burke, vice president of engineering at Google, during a keynote address at the developers forum.

“You don’t have to agree to permissions that don’t make sense to you,” he added.

Paring Permissions Set

In addition to giving users more control over permissions, Google is reducing the permission set to make it simpler to understand. What’s more, instead of bogging users down with permissions as an app is installed, a permission will pop up when an app feature needs permission to complete a task.

Modifying permissions also has been improved in Android M. A user can go to Settings, choose an app, and modify its permissions from a list. A user also can go to a list of permissions, see which apps have access to them, and make modifications there, too.

For developers who design apps that are permission hogs, the new scheme will be a shocker, but conscientious developers will benefit from the change, according to Burke.

“One of the really nice side effects of the new permission model for app developers is it’s faster to get users up and running in your app,” he said.

“We also know that with the old permission model, that adding a new permission to your app can affect your update adoption,” he added. “With the new permission model, updates are seamless, because user involvement is deferred until right when it’s needed.”

The new permission scheme is an important improvement to Android, observed Bob O’Donnell, founder and chief analyst with Technalysis Research.

“People don’t know if a permission is needed when they install an app,” he told TechNewsWorld. “It will be better understood if it comes when they actually use the app.”

Dead App, Live Data

Concerns recently have been raised about security threats posed by dead, stale or zombie apps. Because a developer has thrown in the towel on those apps, they can be ripe targets for mischief.

If a vulnerability exists in an orphaned app, for example, it can be exploited without fear that it will be patched. There’s another problem such apps can present users, though, that’s not as obvious as vulnerability exploitation.

“What happens to the data collected by the app when it reaches its end of life?” asked Irfan Asrar, a senior research scientist with Appthority.

“When we did our study of dead apps and stale apps, a large majority of them didn’t cover what happens to the data collected from the app once it has been discontinued,” he told TechNewsWorld.

That could be a serious problem, especially among apps for wearable devices.

“The human body is a big data machine that’s pumping out data to a server somewhere,” Asrar said. “Once my app is dead, I still have access to that information, and I can do anything I want with it.”

While some shady app makers may misuse data before they sunset an app, they may still be held accountable by a user if a privacy policy exists.

However, “when the app is dead, none of that applies any more,” Asrar noted.

IRS Silver Lining

The FBI has undertaken an investigation of the hack attack the IRS disclosed last week. Identity thieves used credentials gathered from the four corners of cyberspace to waltz into IRS computers and traipse away with profiles of more than 100,000 taxpayers.

As shocking as news of the raid was, there may be a positive takeaway from the incident, according to Eva Velasquez, CEO of the Identity Theft Resource Center.

“The IRS breach could be viewed as a symptom of success. Thieves used sensitive PII obtained from other sources to access the My Transcript application in order to obtain very specific data on certain taxpayers,” she said.

“Thieves now have a need for more granular and accurate taxpayer data in order to thwart the fraud analytics the IRS now has in place,” Velasquez added. “The IRS is making it harder for thieves to commit this crime, and this could be a response to that increased difficulty.”

Breach Diary

• May 26. IRS reveals identity thieves used personal information of taxpayers to access some 104,000 personal profiles stored on the agency’s computers.
• May 27. U.S. District Court Judge Lyucy Koh OKs class-action lawsuits by users and nonusers of Yahoo Mail for violation of their privacy by scanning their email for information to be used in targeted advertising.
• May 27. Ponemon Institute and IBM release annual cost of data breach study finding that the average consolidated total cost of a data breach is US$3.8 million, a 23 percent increase since 2013.
• May 27. Florida Secretary of State’s office acknowledges it released names, birth dates and Social Security numbers of 13,000 disabled citizens in emails sent to former governor Jeb Bush, whose team posted the information to the Internet in the interest of transparency.
• May 28. Sally Beauty Holdings, based in Denton, Texas, announces PINs of an undisclosed number of customers were not compromised in data breach of it POS systems that lasted between March 6 and April 12, because those numbers weren’t stored on the retailer’s systems.
• May 29. A protest of Patriot Act renewal organized by Fight for the Future mobilizes 14,000 websites to block IP addresses from congressional offices, and to redirect traffic to a gallery of nude selfies posted to Web by activists.

Upcoming Security Events

• June 8-10. SIA Government summit 2015. W Hotel, Washington, D.C. Meeting Fees: members, $595; nonmember, $795.
• June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.
• June 13. B-Sides Charlotte. Sheraton Charlotte Airport, 3315 Scott Futrell Dr. Charlotte, North Carolina. Free.
• June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, Pounds 400; before June 16, Pounds 500; after June 15, Pounds 600.
• June 16-18. AFCEA Defensive Cyber Operations Symposium. Baltimore Convention Center, Baltimore, Maryland. Registration: government-military, free; member, $575; nonmember, $695; small business, $445; other, $695.
• June 17. SecureWorld Portland. DoubleTree by Hilton. 1000 NE Multnomah, Portland, Oregon. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
• June 19-20. Suits and Spooks NYC. Soho House, New York City. Registration: $595.
• June 20. B-Sides Cleveland. B Side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd, Cleveland Heights, Ohio.
• July 3. B-Sides Lisbon. Forum Picoas, 40 Avenida Fontes Pereira De Melo, Lisbon, Portugal. Free.
• July 18. B-Sides Detroit. McGregor Memorial Conference Center, Wayne State University, Detroit. Free.
• August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1795; before July 25, $2,195; after July 24, $2,595.
• August 6-9. Defcon 23. Paris Las Vegas, 3655 S. Las Vegas Blvd., Las Vegas, Nevada, and Bally’s, 3645 S. Las Vegas Blvd., Las Vegas, Nevada. $230, cash only at the door.
• August 24-25. Gartner Security & Risk Management Summit. Hilton Hotel, 488 George St., Sydney, Australia. Registration: prior to June 27, AU$2,475; after June 26, AU$2,875; public sector, AU$2,375.
• Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
• Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
• Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.