applications - Why do App Locker apps need so many permissions? Am i safe?

17
2014-04
  • zm15

    I've been trying to password protect an app, and it seems that the permissions vary from app to app for App Lockers.

    Why do so many of them require full phone access?

    Is there any danger if i use a popular and well known on such as https://market.android.com/details?id=com.morrison.applocklite?

  • Answers
  • davidbb

    The first part of your question "Why do so many of them require full phone access?". This is for 2 reasons.

    1. The granularity of the Android permission system groups many system APIs under a small number of permissions.
    2. App lockers need low level access to disable/enable apps.

    I assume that by "full phone access" you mean something like the "modify global system settings" permission. This permission is probably going to be required by app locker applications to prevent someone from disabling the lock without authorization, but it's hard to say, since I didn't write the app. In the context of this question there are a few other permissions that make sense to me, e.g., "retrieve running applications" and "automatically start at boot". It's likely that most app locker apps will request at least those permissions.

    The rest of the permissions would be unnecessary just for locking an app, but may be used for other reasons. For example, I don't know why the app needs to intercept outgoing calls.

    For what it's worth, I ran the apk through http://android-permissions.org, and the tool reported that this app is not over privileged, meaning that inside the app, there is code that makes use of all the permissions requested. This isn't good or bad, it just means that the developer probably isn't requesting unneeded permissions.

    To answer the second part of your question, you are probably ok if you install that app, but we can never be sure. An update might make the app start doing something different that you find unacceptable, or the app may already be transmitting your phone number or IMEI to some remote server. Who knows.


  • Related Question

    privacy - Why do so many applications require permission to read the phone state and identity?
  • Questioner

    Why do so many applications require permission to read the phone state and identity?. Specifically:

    Phone calls
       read phone state and identity
    

    For example Quickpedia is a Wikipedia portal, but wants access to the phone. What is the explanation for this?

    enter image description here


  • Related Answers
  • Rob

    It allows the App to read a unique ID (a phone identifier named IMEI) that's associated with your phone.

    It can therefore help with copy-protection or the attempt to track the number of users.

  • ce4

    There is another reason for this than the unique ID. I would guess that half of the apps don't access those values at all. The problem is that for a lower version up to Android 1.5 this permission does not exist. Everybody could access these values without requesting something.

    Therefore if you create an app that is compatible with 1.5 this permission will automatically be added to emulate the lower security of Android 1.5 because of that you could ignore this permission in most of the times because it tends to be just a compatibility issue.

  • Kasper Peeters

    The reason is that Android 1.5 and earlier did not require the application to specifically request those permissions and automatically granted them. Since Android 1.6, those permissions have to be specifically requested by the app. However, if you specify that your application can run on devices with Android 1.5 and less, then that permission is added to the application by default and the market shows that permission as being requested by the application.

    So in summary, the application may not actually be accessing your "phone state and identity" but if the developer specified that his/her application can run on devices with 1.5 or less then that permission will be shown.

  • Izzy

    This question has been bothering me quite some time. So now, finally, I decided to get to the bottom of the issue.

    The Playstore has an app named permission.READ_PHONE_STATE, which requests READ_PHONE_STATE as the only permission, and does nothing else than printing out all data it can access with or without using it. I've installed that on my LG Optimus 4X, being rooted on stock Android 4.0.3, and revoked the permission using LBE. Results where pretty interesting, as the following screenshots show:

    Screenshot 1 Screenshot 2 Screenshot 3
    Information gathered by the app *permission.READ_PHONE_STATE* (click images for larger variants)

    As you can easily see, even some information the dev though inaccessible without the permission, was freely accessible: my mailbox number (remark: Yes, it's the correct one; with my provider that's the shortcut when dialing from your own device, so I can freely display it ;) At the end of the first screenshot you see:

    • CALL_STATE_IDLE. So no phone call incoming, outgoing, or in progress. No app needs this permission to "background" itself on incoming calls.

    It's even possible to see whether mobile data are active (DATA_DISCONNECTED; I was on WiFi when taking the screenshots, as you can see in the notification bar), which country you're in, your provider (including some technical data on him), whether you're having a SIM card, or if you're in roaming.

    The only things not accessible hence are identifying data: IMEI, SIMID, IMSI, and your own phone number.

    Conclusion: This permission is only needed for identification purposes, nothing else.

    Why do so many apps need it then?

    • For the ad modules, most likely1
    • Because the dev thought he needs it (as pointed out by some answers here)2
    • Because the app in question is designed to (also) run on Android 1.5 and below (easy to find out, as that's listed on Google Play).

    Likelihoods in exactly this order, IMHO.


    1 Note by Dan's post on chat:

    Google Play policy now forbids apps from getting your IMEI to identify you for advertising purposes. All the ad libraries have been updated now to use the Google-Play-Services-provided "advertising ID", so any that still use the IMEI for this purpose should be reported to Google.

    As it's hard for the user to tell what the app is using the IMEI for, you should ask the developer to explain first.


    2 Another developer just pointed me to a subtle difference: while the permission is not needed to read the current call status (as I've pointed out), it might be needed to register a listener in order to be notified on changes of the call status (see: Detecting incoming and outgoing phone calls on Android). While there seem to be means of handling this automatically when the system calls onPause, that might not always be suitable: think of your alarm clock. You might not want to have that automatically stopped on an incoming call – especially not when your profile is set to ringer volume "muted".


    3 Again a correction from Dan: You only get the default extra permission if your app's "target" version is 1.5. If you target a later version but your min version is 1.5, you don't get the permission added automatically.

  • eldarerathis

    The ad providers can use your phone identity to opt you in to telemarketing lists. As long as you have the app you're doing business with them and, by law, they don't have to remove you.