[Q] Permissions manager?

rogier666 · 16th April 2011, 03:59 AM

[Q] Permissions manager?

Some apps ask for more permissions than I want to give them.

With DroidWall I can take internet permissions away from individual apps, which is great for all those app that demand internet access even though they work fine without it. But what if I want to remove other permissions, such as access to my location or my contacts?

There is a manual way to edit unwanted permissions out of .apk files, but this method is not meant for human consumption.

Q: Is there an app that lets me allow/deny permissions per app?

kevin@TeslaCoil · 16th April 2011, 05:26 AM

It is not possible and is a very bad idea to do by modifying the APK.

I agree it'd be cool if Android was implemented to allow optional permissions. I hate adding permissions to my apps because I know some users don't want to give them. But Android is not designed this way.

Here's how I and just about every other developer would do something like make use of the READ_PHONE_STATE permissions to read your IMEI:

Code:

 TelephonyManager tm = (TelephonyManager) context.getSystemService(Context.TELEPHONY_SERVICE);
String deviceId = tm.getDeviceId();

Without the READ_PHONE_STATE permission, the above could would do this:

It's possible for developers to write their code to handle not having a permission they expect to have:

Code:

 
String deviceId;
try { TelephonyManager tm = (TelephonyManager) context.getSystemService(Context.TELEPHONY_SERVICE);
deviceId = tm.getDeviceId();
} catch (SecurityException ex) {
deviceId = "1234";
}

However no app dev does this. And unless a future version of Android itself were to allow this, it's unlikely app devs would take the time to test and update their apps to gracefully degrade when the user has used some hacky method to restrict the app. (I wouldn't. I have to do enough testing already just supporting all the manufacture skins and custom roms.)

If you question a permission you should ask the dev. And if you don't like the answer, or don't trust the dev, you should avoid the app.

(DroidWall doesn't remove the INTERNET permission, it just firewalls off the app from using the internet. Looks like a network connection issue to the app, which already has to be handle gracefully.)

rogier666 · 06:18 AM

DroidWall tells the apps it blocks that there is no live internet connection, even though the connection is alive and kicking for every other app. AdBlock works in a similar way: it doesn't deny apps from calling their banner farm, it just keeps it out of reach by redirecting the request to 127.0.0.1.

There are many ways to make apps believe they've got permissions that they don't really have.

For example, a permissions manager could spoof an empty contacts list for apps that want to read your phone book. Apps that want to know where you are for no good reason would only have to be fed some random coordinates instead of getting your real location.

Maybe Android was not designed that way, but one of the advantages of an open system is that you can make it do things beyond the original specs. If we root our phones and install custom ROMs to get rid of unwanted bloatware, why not apply similar techniques to get rid of unwanted app permissions?

Of course you could simply avoid apps that ask for too many permissions (but only if suitable alternative apps are available), but such a sledgehammer approach wouldn't be necessary with a permissions manager that gives you more subtle tools to tame your apps. This way you can have the best of both worlds: remove undesired permissions without throwing out the entire app.

SAI Peregrinus · 16th April 2011, 07:43 AM

It's been done in the lab, hopefully they release source. The paper is a pretty good read, and not overly verbose.
Can't post links, don't want to spam 8 posts for it, so Google for "Taming Information-Stealing Smartphone Applications". The paper is from NCSU.

rogier666 · 16th April 2011, 08:52 PM

Exactly what I'm looking for. Let's hope it hits the market soon!

The long version (in pdf format): http://www.csc.ncsu.edu/faculty/jiang/pubs/TRUST11.pdf

The short version: http://insciences.org/article.php?article_id=10052

Even shorter: http://apps.findingthis.com/utilitie...-applications/

Screenshot:

rogier666 · 5th May 2011, 04:55 AM

Permissions manager for rooted phones from the author of Busybox: Permissions Denied.

aweaver33 · 5th May 2011, 05:29 AM

Unfortunately, it looks like Permissions Denied actually denies permissions rather than spoofing them, so I would expect most apps to crash as mentioned by kevin. The spoofing approach in the NCSU papers seems like the more robust approach unless and until Google implements optional permissions, at which point app developers would hopefully start adding graceful permission exception handlers.

Sent from my Dinc via XDA app.

krzych · 19th October 2011, 03:25 PM

This is really the worst "feature" of Android. Someone should fix it really fast even creating a "shadow" distro with patched permission manager (if it cannot be done as an add-on).

Is anything new in this topic around?