Friday, 22 June 2012

Android apps security tips

Do most users care about app permissions?
How can you be sure that the apps (programs) that you install on your Android phone are safe?

I'm asked this question quite frequently by my less technically-interested friends, so here are a few tips that cover the basics.

I'll just note that there are lots of additional ways in which you can improve the security of your Android phone, but I don't think it's realistic to expect normal people, who lack an interest in security, to implement any special measures.

The tips

1. Only download applications from established sources, such as Google Play or Samsung Apps.

2. Use the store app on your phone to download the programs. Don't sideload.

3. Before downloading, check that the publisher of the app is one that you trust.

4. Before downloading, check the reviews of that app on the store. Read users' comments, too.

5. Before downloading, check the permissions that the app requires. Don't install an app if you are suspicious about the extent of permissions that it requires...


6. ... and when updating an app, check that it is not requesting any further permissions.
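
To make tips 5 and 6 concrete, here is an added example (not part of the original post) that compares the permissions requested by two versions of an app and flags anything new. It assumes the manifests have already been decoded to plain-text XML; the package name, the sample manifests and the `INTRUSIVE` shortlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml for android:name etc.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed shortlist for illustration: the post singles out access to
# contacts and the ability to send text messages.
INTRUSIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:  # skip malformed entries that carry no android:name
            names.add(name.strip())
    return names

def review_update(old_manifest, new_manifest):
    """Diff the permission sets of the installed and the updated version."""
    old = requested_permissions(old_manifest)
    new = requested_permissions(new_manifest)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "intrusive_added": sorted(added & INTRUSIVE),
        "needs_review": bool(added),  # tip 6: any new permission is worth a look
    }

# Constructed sample manifests for a hypothetical torch app, versions 1 and 2.
_HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
         'package="com.example.torch">')
_PERM = '<uses-permission android:name="android.permission.%s"/>'
OLD_MANIFEST = _HEAD + "".join(_PERM % p for p in ("CAMERA", "INTERNET")) + "</manifest>"
NEW_MANIFEST = _HEAD + "".join(_PERM % p for p in (
    "CAMERA", "INTERNET", "READ_CONTACTS", "SEND_SMS", "ACCESS_FINE_LOCATION",
)) + "</manifest>"

if __name__ == "__main__":
    for key, value in review_update(OLD_MANIFEST, NEW_MANIFEST).items():
        print(f"{key}: {value}")
```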


The bad news


Even these six basic tips expect too much of an average user.


In real life, who restricts themselves to trusted publishers? How can you even tell who publishes an app? The publisher's name, as published on an app store, could be false. Additionally, review scores and comments can be faked.


The real problem, though, is that users are expected to read and understand the list of permissions that each app requires. Truly understanding this list, and comprehending the significance of whether or not an app needs to have access to the contacts database or the ability to send text messages, seems way beyond the abilities and (most crucially) interests of any normal user.

In my opinion, most people just want to use their phones. This means, among other things, downloading software that improves their experience. They don't want to think about weird little technical details, such as whether or not it's important that application X requires permissions A, B and C.

They don't want to know how it works, just so long as it does.

If I'm right then the majority won't even see the tips above, let alone follow them. It would be far more helpful if Android itself provided some sort of warning, rather than just listing a load of technical data.

For those who do care, they still face one problem when deciding whether to install or not. There is no way (currently) to deny some permissions and allow others. It's an all or nothing decision - like it or lump it.

It would be far better to be able to install an application but deny some of the more intrusive permissions. If that causes the app to fail, so be it. The user then has a choice of allowing it the permissions it wants, or uninstalling it.