Application permissions

Permissions are a means of controlling and regulating access to specific system- and device-level functions by software. Typically, types of permissions cover functions that may have privacy implications, such as the ability to access a device's hardware features (including the camera and microphone), and personal data (such as storage devices, contacts lists, and the user's present geographical location). Permissions are typically declared in an application's manifest, and certain permissions must be specifically granted at runtime by the user—who may revoke the permission at any time.

Permission systems are common on mobile operating systems, where permissions needed by specific apps must be disclosed via the platform's app store.

Mobile devices

On mobile operating systems for smartphones and tablets, typical types of permissions regulate: [1] [2]

Prior to Android 6.0 "Marshmallow", permissions were automatically granted to apps at runtime, and they were presented upon installation in Google Play Store. Since Marshmallow, certain permissions must be requested from the user by the app at runtime. These permissions may also be revoked at any time via Android's settings menu. [3] Permissions on Android are sometimes abused by app developers to gather personal information and deliver advertising; in particular, apps for using a phone's camera flash as a flashlight (which have grown largely redundant due to the integration of such functionality at the system level on later versions of Android) have been known to require a large array of unnecessary permissions beyond what is actually needed for the stated functionality. [4]
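The over-requesting described above can be checked from an app's declared permissions. The following is an added example, not part of the original article: it assumes a manifest already decoded to text XML (APKs store it in a binary form), and the sample manifest, the flashlight baseline, the permission subset and the function names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative subset of runtime ("dangerous") permissions; not the full list.
RUNTIME_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}

# Constructed sample: decoded text manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

# Assumption: what a reviewer considers sufficient for a camera-flash flashlight.
FLASHLIGHT_BASELINE = {"android.permission.CAMERA"}

def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    # For manifests from untrusted APKs, use a hardened parser such as defusedxml.
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml, baseline):
    """Split declared permissions by grant model and flag excess over baseline."""
    declared = declared_permissions(manifest_xml)
    unexpected = declared - baseline
    return {
        "runtime": sorted(declared & RUNTIME_PERMISSIONS),
        "other": sorted(declared - RUNTIME_PERMISSIONS),  # outside the subset above
        "unexpected": sorted(unexpected),
        "unexpected_runtime": sorted(unexpected & RUNTIME_PERMISSIONS),
    }
```

Calling `audit(SAMPLE_MANIFEST, FLASHLIGHT_BASELINE)` reports every permission beyond the baseline, with the runtime-granted ones listed separately because those are the ones a user can refuse or revoke.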

iOS imposes a similar requirement for permissions to be granted at runtime, with particular controls offered for enabling of Bluetooth, Wi-Fi, and location tracking. [5] [6]

WebPermissions

WebPermissions is a permission system for web browsers. [7] When a web application needs data that is protected by a permission, it must first request that permission. When it does so, the user sees a window asking them to make a choice. The choice is remembered, but can be cleared later.

Currently the following resources are controlled:

Analysis

The permission-based access control model assigns access privileges for certain data objects to applications. This is a derivative of the discretionary access control model. The access permissions are usually granted in the context of a specific user on a specific device. Permissions are granted permanently with few automatic restrictions.

In some cases permissions are implemented with an 'all-or-nothing' approach: a user either has to grant all the required permissions to access the application or cannot access the application at all. There is still a lack of transparency about when a program or application uses a permission to access the data protected by the permission access control mechanism. Even if a user can revoke a permission, the app can blackmail the user by refusing to operate, for example by simply crashing or asking the user to grant the permission again in order to access the application.

The permission mechanism has been widely criticized by researchers for several reasons, including:

Some apps, such as XPrivacy and Mockdroid, [18] spoof data as a privacy measure. Further transparency methods include longitudinal behavioural profiling and multiple-source privacy analysis of app data access. [19] [20]


References

  1. "Manifest.permission - Android Developers". developer.android.com.
  2. "iOS Security Guide" (PDF).
  3. Cimpanu, Catalin. "Permission-greedy apps delayed Android 6 upgrade so they could harvest more user data". ZDNet. Retrieved 2020-01-10.
  4. Cimpanu, Catalin. "Most Android flashlight apps request an absurd number of permissions". ZDNet. Retrieved 2020-01-10.
  5. Cipriani, Jason. "Keep your location secret with iOS 13's new privacy features". CNET. Retrieved 2019-08-08.
  6. Welch, Chris (2019-09-19). "Here's why so many apps are asking to use Bluetooth on iOS 13". The Verge. Retrieved 2019-09-26.
  7. "Permissions". w3c.github.io. Retrieved 2019-05-10.
  8. "Geolocation API Specification 2nd Edition". www.w3.org.
  9. "Notifications API Standard". notifications.spec.whatwg.org.
  10. "Push API". www.w3.org.
  11. "Web Background Synchronization". wicg.github.io.
  12. "Media Capture and Streams". w3c.github.io.
  13. Moen, Gro Mette; Ravna, Ailo Krogh; Myrstad, Finn (2018). "Deceived by Design - How tech companies use dark patterns to discourage us from exercising our rights to privacy". Consumer council of Norway / Forbrukerrådet. Report. https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design Archived 2020-10-11 at the Wayback Machine.
  14. Fritsch, Lothar; Momen, Nurul (2017). "Derived Partial Identities Generated from App Permissions". Gesellschaft für Informatik: 117–130.
  15. Kelley, Patrick Gage; Consolvo, Sunny; Cranor, Lorrie Faith; Jung, Jaeyeon; Sadeh, Norman; Wetherall, David (2012). "A Conundrum of Permissions: Installing Applications on an Android Smartphone". In Blyth, Jim; Dietrich, Sven; Camp, L. Jean (eds.). Financial Cryptography and Data Security. Lecture Notes in Computer Science. Vol. 7398. Springer Berlin Heidelberg. pp. 68–79. CiteSeerX 10.1.1.232.4261. doi:10.1007/978-3-642-34638-5_6. ISBN 978-3-642-34638-5. S2CID 17861847.
  16. Momen, N.; Hatamian, M.; Fritsch, L. (November 2019). "Did App Privacy Improve After the GDPR?". IEEE Security Privacy. 17 (6): 10–20. doi:10.1109/MSEC.2019.2938445. ISSN 1558-4046. S2CID 203699369.
  17. Momen, Nurul (2020). "Measuring Apps' Privacy-Friendliness : Introducing transparency to apps' data access behavior".
  18. Beresford, Alastair R.; Rice, Andrew; Skehin, Nicholas; Sohan, Ripduman (2011). "MockDroid". Proceedings of the 12th Workshop on Mobile Computing Systems and Applications. New York, New York, USA: ACM Press. pp. 49–54. doi:10.1145/2184489.2184500. ISBN 978-1-4503-0649-2. S2CID 2166732.
  19. Momen, Nurul (2018). "Towards Measuring Apps' Privacy-Friendliness". Diva.
  20. Hatamian, Majid; Momen, Nurul; Fritsch, Lothar; Rannenberg, Kai (2019). "A Multilateral Privacy Impact Analysis Method for Android Apps". In Naldi, Maurizio; Italiano, Giuseppe F.; Rannenberg, Kai; Medina, Manel; Bourka, Athena (eds.). Privacy Technologies and Policy. Lecture Notes in Computer Science. Vol. 11498. Springer International Publishing. pp. 87–106. doi:10.1007/978-3-030-21752-5_7. ISBN 978-3-030-21752-5. S2CID 184483219.