Security Embedded is 12+ years of experience in building secure systems. Learn more about how we can help you by exploring Phil's blog or contacting us.

How Trustworthy is that App with those Capabilities?

It seems that Pokemon Go has taken the world by storm. Before you close the tab, this isn't intended to be a social commentary about augmented reality. Nor am I looking to comment on all the bad human behavior that has cropped up around Pokemon Go. There are already enough shrill screeds about this subject. I actually want to zero in on the issue of application capabilities, or permissions in Android parlance.

Smartphone Apps have a bad habit of asking for too much in the way of permissions. For the Pokemon Go example, the app access to your camera to operate. You'll need to send data back and forth from the Internet. Definitely need to take the GPS location of the device. But that should be about it - a short list, right? Wrong. I found a much longer and much more puzzling list when I downloaded the APK and tried to load it on my Android test device:

Click to expand

OK, this is a little more obscene. Why is it asking for permission to access USB storage? Why does it need to know what Google accounts I'm logged into? Hell, why should it be asking to use said accounts? Isn't billing through the Google Play store enough?

I've read that the Pokemon Go app creator is going to address this. So maybe there's hope for the world yet. Probably not.

But then again, here's a gem, from our oh-so-darling CompanyX who makes our 88MC200-based IoT device. This is the IoT control app for their products. This app has to do all kinds of weird things with your wifi connection, so asking for permissions to manipulate that is fine. But, it gets weirder:

Click to expand

What hasn't the app asked for? I guess it can't place phone calls (phew!), but it can record images, audio, grab your location and read/write/modify storage. Oh, did I mention there are more permissions requested:

Click to expand

What personal data are you giving up to this vendor? They're asking for pretty much carte blanche to do what they please with your device. Of course, this should be unsettling, and I can confirm that this data is all sent back to their cloud.

This underscores two problems, in my opinion. First, we've done a great job training users to ignore information prompts. Warning a user with a massive list of permissions like this is ineffective. I bet 90% of people roll their eyes and click the Install button. Second, app developers need to follow a slight tweak of Postel's rule:

"Be conservative in capabilities you ask for, be liberal in releasing unneeded capabilities."

The attack surface of the IoT control app in question is massive. The more capabilities it has, the more risk it creates of enabling privacy invasion attacks. This is not counting that there could be state-sponsored or sanctioned surveillance code at play. The IoT control app actually sends out identifying information about the Android device. Who knows what that service will use that information for.

We need to move away from just disclosing the capabilities an app requests. Instead, the app developer should have to disclose why they need that capability. This needs to be written in plain language for the layperson to understand. And if you're found to be using any of those capabilities for any reason other than disclosed? A swift removal from the Google Play store would be a good answer. 

All I know is they now is that some Chinese company thinks my tablet is at 1600 Pennsylvania Ave. NW.

Attacking Crypto Using Stolen Keys

Plaintext Symmetric Keys, fixed IVs, oh my!