I know going back is generally not the recommended direction of travel when it comes to privacy and security, and that movement encompasses both, but this going back is welcome. Not just in practical terms, I should add, but also in terms of perceptions.
Optics matter, and Apple knows it better than anyone after some recent decisions that have had a negative impact on how users perceive them as a privacy-focused company. Google, of course, still has a long way to go before it can catch up with Apple, even after hitting the CSAM bump on the road. But, being seen to be in the game is vital, and while still catching up with iOS, I’d say Google has given Android users something to be happy about. Some 2 billion of them, in fact.
Google emphasizes the intersection of privacy and security
The intersection between privacy and security is sharper than ever, and Google has decided to focus on both when it comes to Android app permissions. To be precise, what permissions you grant or deny an app when you first install it.
While seemingly a pure privacy issue, runtime permissions are not also referred to as “dangerous” permissions for nothing. These are the permissions that Android prompts you to allow or deny when an app first attempts to access the camera, microphone, SMS messages, location sensors, contact lists, etc. Many of them can seriously impact your security posture if the app has, or changes over time to have, malicious intent.
It is these changes over time that Google discusses here.
Last year, when Android 11 was released, Google introduced an auto-reset permissions feature that did what it said on the tin. If Android 11 detects that an app has not been used “for a few months,” it performs an automatic security rollback and resets those permissions to a default deny state, revoking any access the user had previously granted.
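To see which of these grants an app currently holds (the state an auto-reset would revoke), here is an added example, not taken from Google or from the article's sources, that parses package-manager dump text and reports the sensitive runtime permissions each package has been granted. The sample dump is constructed, and the line layout is an assumption modelled on `adb shell dumpsys package` output, which varies between Android versions.

```python
import re
# Runtime ("dangerous") permissions for the resources the article lists.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

# Constructed, abbreviated sample laid out like `adb shell dumpsys package`.
SAMPLE = """\
Package [com.example.flashlight] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (4d5e6f):
    User 0: installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_FIXED ]
"""

def granted_sensitive(dump):
    """Return {package: sorted sensitive resources granted at runtime}."""
    result, pkg, in_runtime = {}, None, False
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:                                   # start of a new package section
            pkg, in_runtime = m.group(1), False
            result.setdefault(pkg, set())
            continue
        if line.strip().endswith("permissions:"):
            # only the per-user "runtime permissions:" block is user-granted
            in_runtime = line.strip() == "runtime permissions:"
            continue
        m = PERM_RE.match(line)
        if m and pkg and in_runtime and m.group(2) == "true":
            if m.group(1) in SENSITIVE:
                result[pkg].add(SENSITIVE[m.group(1)])
    return {p: sorted(r) for p, r in result.items()}

if __name__ == "__main__":
    print(granted_sensitive(SAMPLE))
```

Install-time permissions such as `INTERNET` are deliberately skipped, since only the runtime block reflects access the user granted at a prompt.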
Ilia Kolochenko, founder of ImmuniWeb and member of Europol’s network of data protection experts, called it “a game changer for many unintentional Android users who mistakenly granted excessive permissions to mobile apps that do not need them, or even to malware.” Kolochenko warned that “several million” users of non-technical applications are tricked into granting such permissions to adware applications, for example, or installing malicious applications whose permissions can lead to total device compromise. “The problem is particularly prevalent in less developed countries,” he said, “where mobile users use their devices for payments or other sensitive transactions.”
Cool as the feature is, the problem is that of the more than 3 billion Android devices, only the 750 million running Android 11 could benefit. However, that is about to change.
Google is playing catch up with Apple and itself
By means of a post on the official Android developer blog, Google has confirmed that “the auto-reset permissions feature will begin a gradual rollout on devices powered by Google Play Services that run a version between Android 6.0 and Android 10,” bringing this crucial improvement in privacy and security to an additional 2.25 billion devices.
In addition, this auto reset feature will be enabled by default.
Now, there are a couple of things that can cause a little head scratching here. The first is how Google can roll out an update like this to billions of devices when the fractured nature of the Android ecosystem is what keeps three-quarters of users from running Android 11 in the first place.
The answer to this puzzle lies in the quote from the developer blog: “powered by Google Play services”. The update uses the Google Play Services framework, installed on every Android device that comes with Google Play out of the box, which makes up the vast majority of them. It is this framework that is used by some apps to send notifications and by Google itself to ensure that fixes are in place so that access to the Google Play Store can be maintained.
There are flies in the auto-reset permissions ointment, however
The other somewhat confusing piece of the auto-reset permissions puzzle is when the feature kicks in. Google has only said it does this when an app has not been used for a few months. Unfortunately, it hasn’t clarified what exactly this means, and according to reports this appears to be intentional in order to prevent developers from messing with the system.
Having said that, it also seems that developers can ask the user to disable the feature on an app-by-app basis. The reasoning here is that some apps need to run in the background without interruption, such as smart device controllers, security apps, or apps that sync data. It seems to me that’s exactly the kind of request that the developers of a malicious app would make, of course. Be careful about granting carte blanche in this way. Company-managed apps, with these permissions set by corporate policy, will not be affected by the auto-reset permissions feature.
Putting control back in the hands of users is not guaranteed
Sean Wright, Application Security Manager at Immersive Labs, told me that “at first glance, this seems like a great idea from a privacy standpoint; however, I have some concerns about its ease of use.” Wright is concerned that, as seen with cookie privacy notices, users typically click blindly to get rid of them and reach whatever they are trying to see. “I think we’ll see similar behavior when this feature is introduced,” he says, “after all, if a user approved these permissions in the first place, there’s a good chance they’ll approve them again, especially if they have an impact on the usability of the application.”
What might be a better approach, suggests Wright, is to make it easier for the user to determine what permissions are being used. “It would give them real control back,” he insists, adding that “functionality will always trump privacy, so we need to find ways to marry the two and give users a real chance to control how and where their data is used.”