Table of Contents: ______________________________
Intro
Background about Android
Types of Dangerous Programs
How to Protect Yourself
The community
Anti-virus
Permissions
______________________________
Intro
This guide aims to provide the basic info most people want to know about the security of their phones, and when to download, and when not to download, applications from the Android Market.
It's my hope that this will help people make more informed decisions and be safe about their application usage, privacy, and data. It is my firm belief that Android is a fundamentally safe platform. With some common sense, diligence, and the right knowledge of the potential threats, users can rest assured and enjoy their devices more thoroughly.
While most of these tips will apply to any of the new app stores and markets now available for Android, this guide is written specifically for Google's original Android Market.
Also, while this guide attempts to be as comprehensive as possible, there may be errors or misjudgments, or just opinions that are subjective. Please read it with the idea in mind that it's just a part of the information you may want to consider when downloading your apps.
Deciding what to download is ultimately up to you, and that's the most important thing you'll need to remember.
______________________________
Note: As of 2/21/2010 I became an Android developer. I wanted to post this in the interest of full disclosure. You can read more about me, or my apps (Listables and BlueMuze), on my site: Lost Packet Software
Printer friendly & downloadable PDF: Lost Packet Software
App version w/ permission search: PocketPermissions
______________________________
I am also an Android developer. I wanted to write this in the interest of full disclosure. You can read more about me or my apps (Listables and BlueMuze) on my site: http://alostpacket.com/
You can also contact me through the Market or my website with any thoughts you have on this guide.
Background about Android
The first thing when understanding the security of your phone is to know a little bit about what makes it tick. Android is a 'light' version of Linux with most applications that you download from the market written in Java.
This is important to know because it means Android is very unlikely to ever get a 'virus' in the traditional sense. Part of the reason is because Linux is a fairly secure operating system that protects various parts of itself from other parts. This is similar to how Windows has admin accounts and limited user accounts. Because of this protection, applications downloaded from the market do not have access to anything by default. You must grant them permission for each action they want to perform when they are installed. This is a very important point which we will address a bit later. Also due to some bad choices by Google, there are a few exceptions to this rule that we'll talk about in the permissions section.
Nevertheless, while Android is very unlikely to get a 'virus', that does not mean you are completely safe from 'malware', 'spyware', or other harmful types of programs.
Anti-virus
The efficacy of anti-virus apps on Android is a controversial subject on even the best of days. Needless to say, there are some very differing opinions on the necessity of having anti-virus software protecting your phone. Both sides of this debate have some credible and respectable reasons for their choice, so I will try and present both sides as objectively as I can. In full disclosure though, I personally do not use anti-virus on my phone. That's a personal choice I made. Plenty of security experts whom I respect do choose to use anti-virus on their phones. So ultimately this will be a choice that is yours alone to make and not something where you should take cues from other people. That said, here are the pros and cons of each side as best as I know them.
One thing to remember though, is that each side may have some irrational or sensational arguments. These stem from either a sense of emotional justification or a vested interest in selling software. Put simply, neither side of the debate is above bad arguments and unintentional or intentional faulty logic.
Benefits
- Will protect you from all past threats
- May protect you from a future threat
- Often can have additional features for privacy and data protection
- May have features to protect your phone if it is lost or stolen
Drawbacks
- May waste system resources like battery and memory
- It's difficult to protect from future/unknown threats
- Can potentially cause serious harm to the OS (very rare but not unheard of)
- May provide a false sense of security and encourage risky behavior
Types of Dangerous Programs
The most common threats from Android applications are:
1) When the app tricks the user into giving it permissions it does not need to do its job.
2) When the app hides malicious code behind legitimate permissions.
3) When the app tricks the user into entering in personal information or sensitive information (such as a credit card number).
There are various ways malicious developers (also known as hackers or crackers) accomplish this. We'll briefly define each kind just to have a common understanding of the terms.
Malware
Malware generally is an all-encompassing term used to describe any harmful program. This includes spyware, viruses, and phishing scams. Sometimes the older term 'virus' is used in this context, but malware is now considered more accurate.
Spyware
Spyware is used to describe software or applications that read your information and data without you actually knowing it and report it back to some unknown third party for nefarious purposes. Oftentimes this includes keystroke loggers to steal passwords or credit card information. Some people include certain types of ad tracking in this category (sometimes called Adware, see below). However that's a much larger debate we won't cover here.
Phishing
Phishing and spyware are closely related. They work on a similar principle: tricking the user and sending user information to a third party to steal it. The difference with phishing however, is that the application (or website) will pretend to be from a trusted source to try and 'trick' you into entering your details. In contrast, spyware would try to hide itself from being known to the user. One way to think about the difference is that phishing is masquerading while spyware is hiding, but the end goal of stealing your data is the same. An example of this would be an app or website pretending to be affiliated with your bank or PayPal or your email provider (Gmail, Hotmail, Yahoo). However it can, and does, include any service where someone might want to steal your identity or password.
There have been known successful phishing attacks related to at least one bank on Android.
Virus
The definition of virus used to be more extensive. These days that term has been replaced by malware. Virus is more typically used to describe a specific type of software that takes control of your operating system and either damages it, or uses it for its own purposes. An example might be when a virus sends emails to everyone in your email address book. Again this is the type of program least likely to be a problem for Android.
Trojan Horse
A trojan horse is really just a specific type of virus. It simply refers to the idea that the app pretends to be something useful or helpful or fun for the user while actually causing harm or stealing data. This term is often used to describe spyware and phishing attacks as well.
Adware
Adware is typically a bit of a grey area. Sometimes this is also called nuisance-ware. This type of application will often show the users an excessive amount of advertising in return for providing a service of dubious quality to the user. However, this type of program can often be confused with legitimate ad-supported software, which shows a mild to moderate amount of advertising while providing a useful service that the user wants. Because it can be hard to tell the difference, there exists a grey area from most anti-virus companies as to how to handle adware.
Warez
This is a term you'll sometimes hear referring to 'pirated' or unlicensed software. Often warez forums and web sites will offer "free apps" or "apks" (Android Package).
Don't be fooled by these sites, and do NOT download these files and load them to your phone. These files are stolen from the real developers by unscrupulous people who have no regard for the work put into apps by the developers, or the law. Often they will even try making money off of the advertising on their "warez" forums. They are profiteers that do the entire Android community a great disservice, and hurt the developers. Furthermore, this is very often the most popular 'vector' (method) of attack that malware writers use. Some go as far as stealing apps and putting them on the Android Market itself under different names.
If you are a user who cannot access the paid Android Market, there are alternatives these days. The most trustworthy markets (in my opinion) are the following:
- Android (Google) Market
- Amazon AppStore
- SlideMe
- Archos AppsLib
- AndAppStore (perhaps)
- Verizon's Market (not sure if this is live yet)
- Motorola's Market (not sure if live or where, might be focused on Latin America)
Other than these markets, I would not advise anyone to download and install an app from anywhere else.
However there are a few exceptions related to open source. These are places that independent developers can upload free and/or open source apps. They don't guarantee your safety (nothing does) but they are not warez sites and are much more likely to be safe.
Open source or free apps: (very likely safe, not warez)
- XDA Developers
- Googlecode
- GitHub
How to check Permissions
When you install an application the Market will tell you all of the permissions it needs to function. These are important to read. Permissions can give you an idea if an application is asking for more than it needs to function properly. While some legitimate apps often ask for more permissions than they need, it should at least raise an eyebrow. Again this is just part of what you should consider when deciding if an application is safe and good quality.
Note: in the latest version of the phone version of the Android Market the permissions are only shown after you click install. You will then be shown a screen with the list of permissions and an "Accept and Download" button.
To see the permissions given to an application after installation follow these steps:
1) Go to your phone's settings
2) Then select "Applications" or "Manage Applications"
3) From there you should be able to go to an application's specific settings. You should see buttons like "clear data." To see the permissions you may need to scroll down a bit
How to Protect Yourself
There are no fool-proof ways to avoid all bad situations in the world. But, any sane person with a reasonable head on their shoulders knows that a few good habits can keep you safe for a long, long time in whatever you do. Here are a few tips I have learned from many years as a professional software developer and from reading many Android forums that have many people smarter and more knowledgeable than I about Android.
Read the comments in the Market
This should go without saying. Before you download any applications, be sure to read the comments. Don't just read the first three either, click through and see what people are saying. This can also help you understand how well an app works on your particular phone (and your particular version of Android). Comments should also be read EVERY time you update an app.
It's also important to note that bad apps can sometimes "game" the comments and ratings. There are some unsavory services that provide thousands of fake comments for apps and they are probably more common than you think. See the section on The Community for more on identifying these types of fake comments.
Check the Rating
Any app that fails to maintain above 2.5 stars is likely not worth your time. If you are brave enough to be one of the first few to download an app, this does not apply to you. Nevertheless, almost all good apps have between 3 and 5 stars. To me, this is just a general rule to help find quality apps.
Check the permissions
There are many things an app can do to, and for, your phone. But anything an app can do is told to you when you download and install it. Before you download and install an app, you will be shown a list of permissions the application is requesting. Read them. Try your best to understand them in terms of what the application is supposed to do for you. For example, if you download a game of checkers, and the Market warns you that it wants to be able to read your contacts, you should think twice and probably not download it. There is no sane reason a game of checkers needs to know your friends' phone numbers.
In the Permissions section you can read a list of some of the most commonly used permissions. The list explains how important they are, what they do, and notes some examples of apps that might legitimately need the permission. This should help you get a basic understanding of what to allow, and when to skip, an app.
Check the developer's website
Make sure the developer has a website and not just some blog. This is often a good indication of quality as well as safety. If the developer cares about their app they will likely have a relatively nice looking website (or, if they are open source, a site on Google Code or something similar). Note: sites on Google Code are NOT verified or approved by Google. However, open source is usually (but not always) more likely to indicate a safe application.
Note: This is not a definitive indicator if a developer is good or bad, just one more piece of information you can use. There are a lot of exceptions to this particular rule, as a lot of good developers might not have anything more than a blog, and a lot of bad developers could just point to a nice looking site they have no affiliation with. However, the developer's website can be helpful just as an extra piece of data you can use in making your decision about the developer or app.
Updating applications is the same as installing them fresh
Each time you update an application on your phone, you should use the same diligence as if you were installing it for the first time. Reread the permissions to see that it is only asking for what it needs and no more. Reread the comments to see if anything has changed in the opinions of the users and to see if it still works for your phone. If you see that an application says Update (manual) next to it, that means the developer has changed the permissions that they are requesting. This is not necessarily a bad thing -- but it should indicate that you should pay a bit closer attention to the permissions and re-evaluate them as needed.
Privacy
Wi-Fi
One of the things to remember when trying to keep yourself safe is to be very careful with public Wi-Fi. Whenever you connect to the internet through a public Wi-Fi, you should never use any website that requires a password to sign into. The danger here is because you have no idea who is connecting you to the website. A good analogy would be like trying to post a letter to your friend by giving it to a stranger in the street. For more info read: Man-in-the-middle attack (Wikipedia). There is also a chance that applications may be transmitting information about you in the background over that Wi-Fi connection without encrypting it. This is also true of any applications over any internet connection however. And while there are some good ways to secure your phone, I personally don't use any public Wi-Fi at all. This may be seen as extreme in some circles, but I believe it to be the safest route (although somewhat limiting).
SD Cards
There isn't much to say about SD cards except that all users should remember that they are not a safe place to store personal information. This can be something as simple as a backup/export of your contacts.
The reason the SD card is not safe is that nearly all applications can read any file they want from the SD card. Most personal info such as contacts is stored internally in protected databases however, so this shouldn't be a huge concern for most people, but it's helpful to keep in mind.
GPS and Network Location
There is a lot of information online and in various books about why letting yourself be tracked has potential consequences. However, there are a lot of useful features that apps can provide with location tracking data. You should treat location tracking with care and be sure to give it only to parties you trust. Google Maps would be a great example of this.
Ad and location tracking
There is a trade-off that some people will consider making with regards to location tracking. Some advertisers would like to have location information on you in order to show you local advertisements and coupons. In exchange, you get free use of an app such as a game. This is a decision you will need to make for yourself. I personally would not make this trade off, but some people very knowledgeable about security are very comfortable making it.
The community
If you are still unsure, ask around -- the community is your anti-virus
If you see an app you want, but it seems to be asking for more permissions than it should, or its comments and ratings are mediocre, go ahead and ask around about the app. You will often find dozens of people who know the answers and another whole bunch wishing to know the answers to the same questions. Good places to ask include Android enthusiast web sites and forums.
I can't stress this point enough. This is the best part about Android. The community is usually the first to identify any malware or unsafe programs, and is the best resource for finding quality apps.
Beware the Sockpuppets, Shills, and Spammers
However, like anything, don't believe everything you read. Someone who comes into a forum telling you an app is the "best" may be what's referred to as a sockpuppet or shill. I tend to be wary of people with low post counts on forums, or who have unreasonably high praise for what seems to be a simple app, or anyone using the word "best" in a forced context.
Now these people are not all bad, some may just be excited, or not speak English as their first language. But it's common for sockpuppets to use the term "best" to try and get better search rankings on Google. Saying things like "Best Android App" or "Best GPS."
Other tell-tale signs include when a spammer mentions software for iPhone or other platforms without any focus on Android in their post/comment. Another is when it seems like the post is just out of context or overly general (think about how horoscopes are made for everyone to relate to them). I often get spam on my blog that says things like "best blog post! love your writing style, you put things in perspective for me" which makes no sense when my blog was about my new app.
This is a fine line and very much a grey area. Sometimes it can be very hard to tell if someone is a spammer. If you see a post or comment in the Market or on a forum that you suspect is spam, report it to the website or Market, don't reply and start an argument.
These tips also apply to the comments about apps. There are sometimes people who are paid to rate and comment about an app. The key to spotting this is again all about context. If an app has not been on the market for very long and has thousands of great comments it should raise an eyebrow. If the comments are all general like "best app" that is another good indicator. Again it's hard to tell for sure, but you should always look with a skeptical eye at comments. It's also to be expected that the developer themselves (and maybe a handful of friends) would rate an app well; that's normal and not something to be concerned about. However, when you see an overwhelming number of questionable comments, you should tread carefully.
Posting your own comments
After you have downloaded an app you can post your own comments. The comment will be visible to all other Android users but it will only show your first name. To do this go into the Market and press [menu] and then [downloads]. You should see 5 empty stars at the top which you can tap to rate the app. Once you have rated the app you should see an option to add a comment under the stars.
Being a good user
While this guide is about security, I think it's important to point out how to be a good user too. Android is a community and stems from open source and will only ever be as good as both its developers and its users.
So, if an app is crashing on you, try emailing the developer before uninstalling and posting an angry comment. Anything you post in the market will stay even if you have uninstalled the app, and you could do serious damage to a developer's reputation if you post very negative comments.
If you think the developer just made a mistake, or didn't support your phone, work with them. If they are unhelpful, then you can consider giving them a bad rating. This is especially true for free apps in the market. Remember that you, as a user, are not "entitled" to perfect free apps. Most developers do not have Google's engineering and QA team backing them up and even Google makes mistakes.
And while it's frustrating when things don't work, imagine how frustrating it is when you put long hours into something but make a mistake -- and then because of that mistake you can never fix the damage done by a rude commenter.
What does Google do to protect us?
Unfortunately at the moment, not a lot. They do police the market to a small extent and investigate any reports of malware. However, on at least 2 occasions they identified several instances of malware (called DroidDream) and remotely uninstalled the applications from users' phones. There was also an instance of a phishing app that pretended to be from a particular bank and was removed when discovered.
However, the Market is not like the Apple App Store or Amazon AppStore; there is no screening of applications before they are published. There are no strict procedures or lengthy approval processes that developers have to go through to publish applications. All that a developer needs to do is to 'digitally self sign' the application before posting it. This helps Google track any developers with ill intent, but it's only a way to manage malware after it is discovered.
Permissions
When you install an application the Market will tell you all of the permissions it needs to function. These are important to read as it can give you an idea if the application is asking for permission to do more than it needs. While some legitimate apps often ask for more permission than they need, it should at least raise an eyebrow when deciding if an application is safe and of good quality.
Make phone calls
Services that cost you money
URI: android.permission.CALL_PHONE
Risk: HIGH
Protection level: DANGEROUS
Official Description
Allows an awarding to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
Details
This permission is of high importance. This could let an application call a 1-900 number and charge you money. However, this is not as common a way to cheat people in today's world as it used to be. Legitimate applications that use this include: Google Voice and Google Maps.
Another important point to note here is that any app can launch the phone screen and pre-fill a number for you. However, in order to make the call, you would need to press [Send] or [Call] yourself. The difference with this permission is that an app could make the entire process automatic and hidden.
Send SMS or MMS
Services that cost you money
URI: android.permission.SEND_SMS
Risk: HIGH
Protection level: DANGEROUS
Official Description
Allows an application to send SMS messages.
Details
This permission is of high importance. This could let an application send an SMS on your behalf, and much like the phone call permission, it could cost you money by sending SMS to for-pay numbers. Certain SMS numbers work much like 1-900 numbers and automatically charge your phone company money when you send them an SMS.
Modify/delete SD card contents
Your personal information
URI: android.permission.WRITE_EXTERNAL_STORAGE
Risk: MEDIUM
Protection level: Dangerous
Official Description
Allows an application to write to external storage
Details
This permission is of high importance. This will allow applications to read, write, and delete anything stored on your phone's SD card. This includes pictures, videos, mp3s, documents and even data written to your SD card by other applications. However, there are many legitimate uses for this permission. Many people want their applications to store data on the SD card, and any application that stores information on the SD card will need this permission. You will have to use your own judgment and be cautious with this permission knowing it is very powerful but very, very commonly used by legitimate applications. Applications that typically need this permission include (but are not limited to) camera applications, audio/video applications, document applications.
Warning: Any app targeting Android 1.5 or below (possibly 1.6 too) will be granted this permission BY DEFAULT and you may not ever be warned about it. It is important to pay attention to what version of Android an app is targeting to know if this permission is being granted. You can see this on the Market website in the right hand column.
Read Contacts
Development tools / Your personal info
URI: android.permission.READ_CONTACTS
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to read the user's contacts data.
Details
This permission is of high importance. Unless an app explicitly states a specific feature that it would use your contact list for, there isn't much of a reason to give an application this permission. Legitimate exceptions include typing or note taking applications, quick-dial type applications and possibly social networking apps. Some might require your contact information to help make suggestions to you as you type. Typical applications that require this permission include: social networking apps, typing/note taking apps, SMS replacement apps, contact management apps.
Write contact data
Development tools / Your personal info
URI: android.permission.WRITE_CONTACTS
Risk: MODERATE-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to write (but not read) the user's contacts data.
Details
This permission is of high importance. Unless an app explicitly states a specific feature that it would use your contact list for, there isn't much of a reason to give an application this permission. Legitimate exceptions include typing or note taking applications, quick-dial type applications and possibly social networking apps. Some might require your contact data to help make suggestions to you as you type. Typical applications that require this permission include: social networking apps, typing/note taking apps, SMS replacement apps, contact management apps.
Read calendar data
Development tools / Your personal info
URI: android.permission.READ_CALENDAR
Risk: MEDIUM
Protection level: DANGEROUS
Official Description
Allows an application to read the user's calendar data.
Details
This permission is of moderate to high importance. While most people would consider their calendar information slightly less important than their list of contacts and friends, this permission should still be treated with care when allowing applications access. Additionally, it's good to keep in mind that calendar events can, and often do, contain contact data.
Write calendar information
Development tools / Your personal info
URI: android.permission.WRITE_CALENDAR
Risk: MEDIUM
Protection level: DANGEROUS
Official Description
Allows an application to write (but not read) the user's calendar data.
Details
This permission is of moderate to high importance. While most people would consider their calendar information slightly less important than their list of contacts and friends, this permission should still be treated with care when allowing applications access. Additionally, it's good to keep in mind that calendar events can, and often do, contain contact information.
Read browser history & bookmarks
Development tools / Your personal info
URI: com.android.browser.permission.READ_HISTORY_BOOKMARKS
Risk: MEDIUM-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to read (but not write) the user's browsing history and bookmarks.
Details
This permission is of medium-high importance. Browsing habits are often tracked through regular computers, but with this permission you'd be giving access to more than just browsing habits. There are also legitimate uses for this permission such as apps that sync or backup your data, and possibly certain social apps.
Write browser history & bookmarks
Development tools / Your personal info
URI: com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
Risk: MODERATE-HIGH
Protection level: DANGEROUS
Official Description
Allows an application to write (but not read) the user's browsing history and bookmarks.
Details
This permission is of medium-high importance. Browsing habits are often tracked through regular computers, but with this permission you'd be giving access to more than just browsing habits. There are also legitimate uses for this permission such as apps that sync or backup your data, and possibly certain social apps.
Read sensitive logs
Development tools / Your personal info
URI: android.permission.READ_LOGS
Risk: VERY-HIGH
Protection level: Development
Official Description
Allows an application to read the low-level system log files.
Details
This permission is of high importance. This allows the application to read what any other applications have logged.
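The advice above to re-read permissions on every update, together with the warning that apps targeting Android 1.5 or below receive the SD card write permission by default, can be checked mechanically. The following is an added example, not part of the original guide or any Lost Packet Software code: it compares two versions of an app's manifest and lists the permissions the update gains, using the risk ratings from the entries above. It assumes the manifests have already been decoded to text XML, that API level 3 corresponds to Android 1.5, and the `com.example.checkers` manifests are constructed sample data.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Risk ratings copied from this guide's permission entries.
GUIDE_RISK = {
    "android.permission.CALL_PHONE": "HIGH",
    "android.permission.SEND_SMS": "HIGH",
    "android.permission.WRITE_EXTERNAL_STORAGE": "MEDIUM",
    "android.permission.READ_CONTACTS": "MEDIUM-HIGH",
    "android.permission.WRITE_CONTACTS": "MODERATE-HIGH",
    "android.permission.READ_CALENDAR": "MEDIUM",
    "android.permission.WRITE_CALENDAR": "MEDIUM",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "MEDIUM-HIGH",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "MODERATE-HIGH",
    "android.permission.READ_LOGS": "VERY-HIGH",
}
UNRATED = "UNRATED"  # permission not covered in this part of the guide
RANK = {"VERY-HIGH": 0, "HIGH": 1, "MEDIUM-HIGH": 2, "MODERATE-HIGH": 2, "MEDIUM": 3}

WRITE_SD = "android.permission.WRITE_EXTERNAL_STORAGE"
LEGACY_TARGET_MAX = 3  # assumption: API level 3 is Android 1.5


def effective_permissions(manifest_xml):
    """Return {permission: 'declared' | 'implicit'} for one decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {}
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID + "name")
        if name:
            perms[name] = "declared"
    # targetSdkVersion falls back to minSdkVersion, which falls back to 1.
    target = 1
    sdk = root.find("uses-sdk")
    if sdk is not None:
        target = int(sdk.get(ANDROID + "targetSdkVersion")
                     or sdk.get(ANDROID + "minSdkVersion") or 1)
    # Legacy targets get SD card write access without it being listed.
    if target <= LEGACY_TARGET_MAX:
        perms.setdefault(WRITE_SD, "implicit")
    return perms


def risk_of(permission):
    return GUIDE_RISK.get(permission, UNRATED)


def review_update(old_xml, new_xml):
    """List (permission, guide risk, how granted) gained by the new version,
    highest guide risk first."""
    old = effective_permissions(old_xml)
    new = effective_permissions(new_xml)
    gained = [(p, risk_of(p), how) for p, how in new.items() if p not in old]
    return sorted(gained, key=lambda g: (RANK.get(g[1], len(RANK)), g[0]))


# Constructed sample manifests for a hypothetical checkers game.
CHECKERS_V1 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.checkers">
  <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="8"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""
CHECKERS_V2 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.checkers">
  <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="8"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""
# No <uses-sdk> element at all, so the target defaults to API level 1.
LEGACY_APP = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.checkers">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for permission, risk, how in review_update(CHECKERS_V1, CHECKERS_V2):
        print(f"update adds {permission}: guide risk {risk} ({how})")
    for permission, how in effective_permissions(LEGACY_APP).items():
        print(f"legacy app holds {permission} ({how})")
```

An `implicit` entry marks a permission the install screen may never have listed, which is the case the warning under "Modify/delete SD card contents" describes.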
(PERMISSIONS CONTINUED IN NEXT POST)
content last updated: Oct 23, 2012
This guide by Lost Packet Software is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License.