Application permissions

Last updated

Permissions are a means of controlling and regulating access to specific system- and device-level functions by software. Typically, types of permissions cover functions that may have privacy implications, such as the ability to access a device's hardware features (including the camera and microphone), and personal data (such as storage devices, contacts lists, and the user's present geographical location). Permissions are typically declared in an application's manifest, and certain permissions must be specifically granted at runtime by the user—who may revoke the permission at any time.

Contents

Permission systems are common on mobile operating systems, where permissions needed by specific apps must be disclosed via the platform's app store.

Mobile devices

On mobile operating systems for smartphones and tablets, typical types of permissions regulate: [1] [2]

Prior to Android 6.0 "Marshmallow", permissions were automatically granted to apps at runtime, and they were presented upon installation in Google Play Store. Since Marshmallow, certain permissions now require the app to request permission at runtime by the user. These permissions may also be revoked at any time via Android's settings menu. [3] Usage of permissions on Android are sometimes abused by app developers to gather personal information and deliver advertising; in particular, apps for using a phone's camera flash as a flashlight (which have grown largely redundant due to the integration of such functionality at the system level on later versions of Android) have been known to require a large array of unnecessary permissions beyond what is actually needed for the stated functionality. [4] According to a 2024 study conducted by NordVPN, 58% of mobile apps request access to sensitive data such as location and storage, while 55% of these apps request permissions primarily for advertising purposes. [5] This trend highlights growing concerns about how mobile apps access personal information, often beyond what is necessary for the app’s core functionality.

iOS imposes a similar requirement for permissions to be granted at runtime, with particular controls offered for enabling of Bluetooth, Wi-Fi, and location tracking. [6] [7]

WebPermissions

WebPermissions is a permission system for web browsers. [8] When a web application needs some data behind permission, it must request it first. When it does it, a user sees a window asking him to make a choice. The choice is remembered, but can be cleared lately.

Currently the following resources are controlled:

Analysis

The permission-based access control model assigns access privileges for certain data objects to application. This is a derivative of the discretionary access control model. The access permissions are usually granted in the context of a specific user on a specific device. Permissions are granted permanently with few automatic restrictions.

In some cases permissions are implemented in 'all-or-nothing' approach: a user either has to grant all the required permissions to access the application or the user can not access the application. There is still a lack of transparency when the permission is used by a program or application to access the data protected by the permission access control mechanism. Even if a user can revoke a permission, the app can blackmail a user by refusing to operate, for example by just crashing or asking user to grant the permission again in order to access the application.

The permission mechanism has been widely criticized by researchers for several reasons, including;

Some apps, such as XPrivacy and Mockdroid [19] spoof data in order to act as a measure for privacy. Further transparency methods include longitudinal behavioural profiling and multiple-source privacy analysis of app data access. [20] [21]

Related Research Articles

<span class="mw-page-title-main">Android 13</span> Thirteenth major version of the Android mobile operating system

Android 13 is the thirteenth major release and the 20th version of Android, the mobile operating system developed by the Open Handset Alliance led by Google. It was released to the public and the Android Open Source Project (AOSP) on August 15, 2022. The first devices to ship with Android 13 were the Pixel 7 and 7 Pro.

<span class="mw-page-title-main">Adobe AIR</span> Cross-platform runtime system for building rich web applications

Adobe AIR is a cross-platform runtime system currently developed by Harman International, in collaboration with Adobe Inc., for building desktop applications and mobile applications, programmed using Adobe Animate, ActionScript, and optionally Apache Flex. It was originally released in 2008. The runtime supports installable applications on Windows, macOS, and mobile operating systems, including Android, iOS, and BlackBerry Tablet OS.

Android is a mobile operating system based on a modified version of the Linux kernel and other open-source software, designed primarily for touchscreen-based mobile devices such as smartphones and tablets. It is the world's most widely used operating system due to it being used on most smartphones and tablets outside of iPhones and iPads, which use Apple's iOS and iPadOS, respectively. As of October 2024, Android accounts for 45% of the global operating system market, followed by Windows with 26%.

iOS Mobile operating system by Apple

iOS is a mobile operating system developed by Apple exclusively for its devices. It was unveiled in January 2007 for the first-generation iPhone, which launched in June 2007. Major versions of iOS are released annually; the current stable version, iOS 18, was released to the public on September 16, 2024.

<span class="mw-page-title-main">Samsung Galaxy Tab 7.0</span> Android tablet manufactured by Samsung

The Samsung Galaxy Tab 7.0 or simply Samsung Galaxy Tab is an Android-based mini-tablet computer produced by Samsung and released on 5 November 2010. The tablet was first introduced on 2 September 2010 at the IFA in Berlin. The Galaxy Tab was the first Samsung Android-powered tablet to be released.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

Avare is a free open source "moving map" aviation GPS, A/FD and EFB app for phones or tablets using the Android Operating System. The app uses any internal Android or compatible external GPS receiver to determine location, allowing real-time display of location, heading, speed, distance, time, and altitude on free U.S. FAA IFR or VFR aviation charts; or on select topographic charts. Included are 3D, ADSB-In and other advanced options. The user can access all relevant static current FAA official data and some non-FAA maps and data in flight without data connection, once data has been downloaded to the device. With an aircraft ADSB-Out transmitter and inexpensive ADSB-In receiver Avare can also display any available FAA live ADSB data in flight. Some advanced users also interface Avare with an auto-pilot or flight simulator.

<span class="mw-page-title-main">Fire OS</span> Android-based operating system for Amazon devices

Fire OS is an operating system based on the Android Open Source Project (AOSP). It is developed by Amazon for their devices. Fire OS includes proprietary software, a customized user interface primarily centered on content consumption, and heavy ties to content available from Amazon's storefronts and services.

Mozilla Location Service (MLS) was an open geolocation service that allowed devices to find their position by processing received signals of publicly observable radio transmitters: cellular network antennae, Wi-Fi access points, and Bluetooth beacons. The service was provided by Mozilla from 2013 to 2024. The service used Mozilla's open source software project called Ichnaea.

Android Marshmallow is the sixth major version of the Android operating system developed by Google, being the successor to Android Lollipop. It was announced at Google I/O on May 28, 2015, and released the same day as a beta, before being officially released on September 29, 2015. It was succeeded by Android Nougat on August 22, 2016.

<span class="mw-page-title-main">Android Nougat</span> Seventh major version of the Android operating system

Android Nougat is the seventh major version and 14th original version of the Android operating system. First released as an alpha test version on March 9, 2016, it was officially released on August 22, 2016, with Nexus devices being the first to receive the update.

<span class="mw-page-title-main">LineageOS</span> Free and open-source Android-based operating system

LineageOS is an open source, Android-based operating system for smartphones, tablets, and set-top boxes. It is the successor to CyanogenMod, from which it was forked in December 2016, when Cyanogen Inc. announced it was discontinuing development and shut down the infrastructure behind the project. Since Cyanogen Inc. retained the rights to the Cyanogen name, the project rebranded its fork as LineageOS.

Contextual integrity is a theory of privacy developed by Helen Nissenbaum and presented in her book Privacy In Context: Technology, Policy, and the Integrity of Social Life. It comprises four essential descriptive claims:

<span class="mw-page-title-main">Android 10</span> Tenth major version of the Android mobile operating system

Android 10 is the tenth major release and the 17th version of the Android mobile operating system. It was first released as a developer preview on March 13, 2019, and was released publicly on September 3, 2019.

<span class="mw-page-title-main">GrapheneOS</span> Android-based mobile operating system

GrapheneOS is an Android-based, open source, privacy and security-focused mobile operating system for selected Google Pixel devices, including smartphones, tablets and foldables.

There are many apps in Android that can run or emulate other operating systems, via utilizing hardware support for platform virtualization technologies, or via terminal emulation. Some of these apps support having more than one emulation/virtual file system for different OS profiles, thus the ability to have or run multiple OS's. Some even have support to run the emulation via a localhost SSH connection (letting remote ssh terminal apps on device access the OS emulation/VM, VNC, and XSDL. If more than one of these apps that support these protocols or technologies are available on the android device, via androids ability to do background tasking the main emulator/VM app on android can be used to launch multiple emulation/vm OS, which the other apps can connect to, thus multiple emulated/VM OS's can run at the same time. However, there are a few emulator or VM apps that require that the android device to be rooted for the app to work, and there are others that do not require such. Some remote terminal access apps also have the ability to access Android's internally implemented Toybox, via device loopback support. Some VM/emulator apps have a fixed set of OS's or applications that can be supported.

<span class="mw-page-title-main">Android 11</span> Eleventh major version of the Android mobile operating system

Android 11 is the eleventh major release and 18th version of Android, the mobile operating system developed by the Open Handset Alliance led by Google. It was released on September 8, 2020. The first phone launched in Europe with Android 11 was the Vivo X51 5G and after its full stable release, the first phone in the world which came with Android 11 was Google Pixel 5.

<span class="mw-page-title-main">Decentralized Privacy-Preserving Proximity Tracing</span> Proximity contact tracing protocol

Decentralized Privacy-Preserving Proximity Tracing is an open protocol developed in response to the COVID-19 pandemic to facilitate digital contact tracing of infected participants. The protocol, like competing protocol Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), uses Bluetooth Low Energy to track and log encounters with other users. The protocols differ in their reporting mechanism, with PEPP-PT requiring clients to upload contact logs to a central reporting server, whereas with DP-3T, the central reporting server never has access to contact logs nor is it responsible for processing and informing clients of contact. Because contact logs are never transmitted to third parties, it has major privacy benefits over the PEPP-PT approach; however, this comes at the cost of requiring more computing power on the client side to process infection reports.

iodéOS Android-based operating system

iodéOS is an Android-based mobile operating system developed by French company iodé. The operating system is a fork of LineageOS and does not include Google Play Services, instead using MicroG as a free and open-source replacement.

BharOS is a closed source mobile operating system designed by IIT Madras. It is an Indian government-funded project to develop an operating system (OS) for use in government and public systems.

References

  1. "Manifest.permission - Android Developers". developer.android.com.
  2. "iOS Security Guide" (PDF).
  3. Cimpanu, Catalin. "Permission-greedy apps delayed Android 6 upgrade so they could harvest more user data". ZDNet. Retrieved 2020-01-10.
  4. Cimpanu, Catalin. "Most Android flashlight apps request an absurd number of permissions". ZDNet. Retrieved 2020-01-10.
  5. "Mobile privacy: What do your apps want to know? | NordVPN". nordvpn.com. Retrieved 2024-09-17.
  6. Cipriani, Jason. "Keep your location secret with iOS 13's new privacy features". CNET . Retrieved 2019-08-08.
  7. Welch, Chris (2019-09-19). "Here's why so many apps are asking to use Bluetooth on iOS 13". The Verge . Retrieved 2019-09-26.
  8. "Permissions". w3c.github.io. Retrieved 2019-05-10.
  9. "Geolocation API Specification 2nd Edition". www.w3.org.
  10. "Notifications API Standard". notifications.spec.whatwg.org.
  11. "Push API". www.w3.org.
  12. "Web Background Synchronization". wicg.github.io.
  13. 1 2 "Media Capture and Streams". w3c.github.io.
  14. Moen, Gro Mette, Ailo Krogh Ravna, and Finn Myrstad: Deceived by Design - How tech companies use dark patterns to discourage us from exercising our rights to privacy., 2018, Consumer council of Norway / Forbrukerrådet. Report. https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design Archived 2020-10-11 at the Wayback Machine
  15. Fritsch, Lothar; Momen, Nurul (2017). "Derived Partial Identities Generated from App Permissions". Gesellschaft für Informatik: 117–130.{{cite journal}}: Cite journal requires |journal= (help)
  16. Kelley, Patrick Gage; Consolvo, Sunny; Cranor, Lorrie Faith; Jung, Jaeyeon; Sadeh, Norman; Wetherall, David (2012). "A Conundrum of Permissions: Installing Applications on an Android Smartphone". In Blyth, Jim; Dietrich, Sven; Camp, L. Jean (eds.). Financial Cryptography and Data Security. Lecture Notes in Computer Science. Vol. 7398. Springer Berlin Heidelberg. pp. 68–79. CiteSeerX   10.1.1.232.4261 . doi:10.1007/978-3-642-34638-5_6. ISBN   978-3-642-34638-5. S2CID   17861847.
  17. Momen, N.; Hatamian, M.; Fritsch, L. (November 2019). "Did App Privacy Improve After the GDPR?". IEEE Security Privacy. 17 (6): 10–20. doi:10.1109/MSEC.2019.2938445. ISSN   1558-4046. S2CID   203699369.
  18. Momen, Nurul (2020). "Measuring Apps' Privacy-Friendliness : Introducing transparency to apps' data access behavior".{{cite journal}}: Cite journal requires |journal= (help)
  19. Beresford, Alastair R.; Rice, Andrew; Skehin, Nicholas; Sohan, Ripduman (2011). "MockDroid". Proceedings of the 12th Workshop on Mobile Computing Systems and Applications. New York, New York, USA: ACM Press. pp. 49–54. doi:10.1145/2184489.2184500. ISBN   978-1-4503-0649-2. S2CID   2166732.
  20. Momen, Nurul (2018). "Towards Measuring Apps' Privacy-Friendliness". Diva.
  21. Hatamian, Majid; Momen, Nurul; Fritsch, Lothar; Rannenberg, Kai (2019). "A Multilateral Privacy Impact Analysis Method for Android Apps". In Naldi, Maurizio; Italiano, Giuseppe F.; Rannenberg, Kai; Medina, Manel; Bourka, Athena (eds.). Privacy Technologies and Policy. Lecture Notes in Computer Science. Vol. 11498. Springer International Publishing. pp. 87–106. doi:10.1007/978-3-030-21752-5_7. ISBN   978-3-030-21752-5. S2CID   184483219.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.