[The image above has nothing to do with this post, but it seemed to be fitting, given the latest developments. This post is all about trust]
In this age of free(mium), it’s common knowledge that you pay with your privacy. Facebook is the best (or should I say worst) example of the dance around your data, yet there are many more tools you use that have access to everything you carry with you: all the data on your phone. Not only can they read that data, they can also change it, and even “impersonate” you.
Some applications do need this very deep level of trust, e.g. virus scanners and applications such as Androidlost. Others absolutely do not, like Skype, Google Plus, LinkedIn and Facebook. Interested to see what they can do to the contents of your phone? You’ll be in for a surprise, or should I say, a shock.
Let’s start with the virus scanner, e.g. BitDefender.
BitDefender can access:
- Your personal information: read browser’s history and bookmarks, write browser’s history and bookmarks, read contact data, write contact data, read sensitive log data
Your entire browsing history is available, and they can change it too. Understandable if there’s a bogus link to a malicious website. Read contact data? Write, even? All that seems trivial when compared to what the sensitive log data gives away:
Allows an application to read the low-level system log files. Log entries can contain the user’s private information, which is why this permission is not available to normal apps
Well, fair enough, a virus scanner isn’t a normal app. So let’s just trust ‘m, hey?
- Services that cost you money: directly call phone numbers, and SMS messages
- Your location: coarse (network-based) location, fine (GPS) location
- Your messages: edit SMS or MMS, read SMS or MMS, receive SMS
- Network communication: create Bluetooth connections, full Internet access
- Your accounts: manage the account list, use the authentication credentials of an account
- Storage: modify / delete SD card contents
- Phone calls: read phone state and identity
- Hardware controls: change your audio settings
- System tools: change network connectivity, change Wi-Fi status, display system level alerts, modify global system settings, prevent phone from sleeping
- Your location: access extra location provider commands
- Network communication: Google Play billing service, receive data from Internet, view network status, view Wi-Fi status
- Your accounts: discover known accounts
- System tools: automatically start at boot
The last four are at the bottom of the list, and only available via “Show All”. Here’s what BitDefender says their app can do, and let’s just say that they leave out a few. The most burning questions get answered: your account access is necessary for signing in to BitDefender via e.g. your Google Account (so much for OAuth, I guess). Reason for write access to contacts? Absent. Location access? “necessary to get the best possible location” – I bet ya!
The SMS stuff is needed for SMS-controlled management of BitDefender, they say, along with making phone calls.
Let’s face it: to be protected at all levels, you need read access to all levels. To be able to remove malicious software at all levels, you need write access to all levels. That still leaves a few questions unanswered, but hey.
Let’s check out what Skype can do, shall we? Whatever is extra (yes, you read that right) compared to what BitDefender can do is in bold. Whatever is duplicate is in italic. Whatever is not used is in regular font.
- Your personal information: read browser’s history and bookmarks, write browser’s history and bookmarks, read contact data, write contact data, read sensitive log data
- Services that cost you money: directly call phone numbers, and SMS messages
- Your location: coarse (network-based) location, fine (GPS) location
- Your messages: edit SMS or MMS, read SMS or MMS, receive SMS
- Network communication: create Bluetooth connections, full Internet access
- Your accounts: manage the account list, use the authentication credentials of an account
- Storage: modify / delete SD card contents
- Phone calls: read phone state and identity
- Hardware controls: change your audio settings
- System tools: change network connectivity, change Wi-Fi status, display system level alerts, modify global system settings, prevent phone from sleeping
- Network communication: Google Play billing service, receive data from Internet, view network status, view Wi-Fi status
- Your accounts: discover known accounts
- System tools: automatically start at boot
- Disable key lock, retrieve running applications, write sync settings, record audio, take pictures and videos, act as an account authenticator, read sync settings, read sync statistics, send sticky broadcast, control vibrator
Even worse, it can retrieve all running applications, read my synchronisation settings, and even impersonate me! Here is what that last fine setting really can do:
Allows an application to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.
What?! Skype has access to my password?! And can even change it?!!!
Yes, Skype has access to my password, and can even change it. It can also create accounts on my phone. Do you use Skype? Happy with it? Still happy?
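The bold/italic/regular comparison above, done by hand per app, is easy to automate from an APK. The following is an added example (not from the original post or from any of the apps named): it parses `aapt dump permissions` output, diffs one app against a baseline app the way the post diffs Skype against BitDefender, and flags the permissions the post singles out (system logs, account authenticator, SMS, contacts, running apps). Package names and both permission dumps are constructed placeholders.

```python
"""Diff an Android app's permissions against a baseline and flag the
high-risk ones: the post's bold/italic/regular exercise, automated.
Input is `aapt dump permissions app.apk` output, in either the classic
`uses-permission: X` or the newer `uses-permission: name='X'` form."""
import re

# Permissions the post singles out, with the capability each grants.
HIGH_RISK = {
    "android.permission.READ_LOGS": "read low-level system logs",
    "android.permission.AUTHENTICATE_ACCOUNTS": "create accounts, get/set their passwords",
    "android.permission.USE_CREDENTIALS": "use an account's auth tokens",
    "android.permission.GET_TASKS": "retrieve running applications",
    "android.permission.READ_SMS": "read SMS or MMS",
    "android.permission.WRITE_CONTACTS": "write contact data",
}
_LINE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)")

def parse_aapt(dump: str) -> set:
    """Return the permission names found in an `aapt dump permissions` dump."""
    return {m.group(1) for m in (_LINE.match(l.strip()) for l in dump.splitlines()) if m}

def compare(app: set, baseline: set) -> dict:
    """extra = bold in the post, shared = italic, unused = regular;
    risky = the app's high-risk permissions with what each allows."""
    return {
        "extra": sorted(app - baseline),
        "shared": sorted(app & baseline),
        "unused": sorted(baseline - app),
        "risky": {p: HIGH_RISK[p] for p in sorted(app) if p in HIGH_RISK},
    }

# Constructed sample dumps (placeholder package names), shaped after the post.
SCANNER_DUMP = """package: name='com.example.scanner'
uses-permission: android.permission.READ_LOGS
uses-permission: android.permission.READ_SMS
uses-permission: android.permission.WRITE_CONTACTS
uses-permission: android.permission.RECEIVE_BOOT_COMPLETED
"""
MESSENGER_DUMP = """package: name='com.example.messenger'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.WRITE_CONTACTS'
uses-permission: name='android.permission.AUTHENTICATE_ACCOUNTS'
uses-permission: name='android.permission.GET_TASKS'
uses-permission: name='android.permission.RECORD_AUDIO'
"""

def audit() -> dict:
    """Compare the messenger against the scanner baseline."""
    return compare(parse_aapt(MESSENGER_DUMP), parse_aapt(SCANNER_DUMP))
```

Run `aapt dump permissions yourapp.apk` on a real APK and feed that text to `parse_aapt` to repeat the post's exercise for any app on your phone.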
How about Google Plus then? We’ll run the same exercise as before: bold, italic and regular. This time, I’ve added the full set of permissions that Skype has as the baseline.
- Your personal information: read contact data, write contact data
- Services that cost you money: directly call phone numbers
- Your location: coarse (network-based) location, fine (GPS) location
- Network communication: create Bluetooth connections, full Internet access
- Your accounts: manage the account list, use the authentication credentials of an account
- Storage: modify / delete SD card contents
- Phone calls: read phone state and identity
- Hardware controls: change your audio settings
- System tools: change Wi-Fi status, modify global system settings, prevent phone from sleeping
- Network communication: receive data from Internet, view network status, view Wi-Fi status
- Your accounts: discover known accounts
- Disable key lock, retrieve running applications, write sync settings, record audio, take pictures and videos, act as an account authenticator, read sync settings, read sync statistics, send sticky broadcast, control vibrator
- Read subscribed feeds, write subscribed feeds, read your profile data, write to your profile data, read your social stream, write to your social stream, set wallpaper, download files without notification, control flashlight, read Google service configuration, receive data from Internet
- Your personal information: read contact data, write contact data
- Services that cost you money: directly call phone numbers
- Your location: coarse (network-based) location, fine (GPS) location
- Network communication: create Bluetooth connections, full Internet access
- Your accounts: manage the account list, use the authentication credentials of an account
- Storage: modify / delete SD card contents
- Phone calls: read phone state and identity
- Hardware controls: change your audio settings
- System tools: change Wi-Fi status, modify global system settings, prevent phone from sleeping
- Network communication: view network status, view Wi-Fi status
- Your accounts: discover known accounts
- Disable key lock, retrieve running applications, write sync settings, record audio, take pictures and videos, act as an account authenticator, read sync settings, read sync statistics, send sticky broadcast, control vibrator
- Read calendar events plus confidential information, receive data from Internet
(Cross-posted @ Business or Pleasure? – why not both)