Foustland

As a serial early adopter I have enjoyed using technology that is new and fresh, and some times buggy.  I am one of the first people to use a little known mobile phone OS's a couple years back when I upgraded my RAZR to the then fresh G1 with the Google sponsored Android OS.  What a change, being able to get my email and easily send messages, a touch screen that I could customize, and apps galore in the Android Market.

Oh, the good old days, when things were simpler and you just didn't think about things like having your phone taken hostage by spyware, malware, scumware (or watever the kids are calling it these days).  Well, now with my second Android phone in hand (DroidX) I am still as much in awe of the OS as ever, but I have been warily giving permission to a number of apps that I think will be good to have.  Primarily because of the amount of permissions that some of these little programs want me to give them.  I am writing this post mostly to open your eyes a bit and get you to pause before launching into something that might have the ability to go into your banking app and delete your bank account while you are changing your ring tone, assembling a puzzle or using your phone as a flash light.

For instance, the DroidX has a nifty LED flash/video camera light, but I don't want to have to turn my video camera on, just to enable the light to use it as an emergency flashlight.  So I looked around the Android Market for a flashlight app that would basically just light up the LED when I need some light.  There are, in fact, quite a few variations on flashlights out in the Market.  For those who don't have LED flashes on their phone (like my old G1) there are screen based lights, that turn the screen any color you might want.  For those of us who do, there are plenty of apps that turn on the LEDs.  So, what's the big deal?  Well, what I found was that there are a few flashlight apps that basically do what they should, allow you to turn on and off your LED with no big worries.  There are a few though that ask for more permission than just keeping the phone from sleeping and taking pictures.  One, aFlashlight, by Tomoya YAMAMOTO also wants to have full internet access.  Really, why?  This article on Technically Personal mows through the laundry list of possible permission requests that may come with an app.  I learned that the full internet access could be used by the app to transfer data off the phone, and over to some crime syndicate somewhere.  Here is what the article said about this permission

Network Communication – full internet access

This is probably the most important permission you will want to pay attention to. Many apps will request this but not all need it. For any malware to truly be effective it needs a means by which to transfer data off of your phone, this is one of the setting it would definitely have to ask for. However, in this day and age of cloud computing and always-on internet connectivity, many, many legitimate applications also request this. You will have to be very careful with this setting and use your judgment. It should always peak your interest to think about whether your application needs this permission. Typical applications that would use this include but are not limited to: web browsers, social networking applications, internet radio, cloud computing applications, weather widgets, and many, many more.

I am not saying that the aFlashlight is something conjured up by some internet mobsters, but it does make me wonder why they want to have access to my internet gateway on my phone.  It also makes me wonder if these permissions that are granted are leveraged when the app is active and running, or does the app have the ability to use the permissions granted at any time, whether or not the app is running?  I'm not going to try to get into that here, but my guess is that if there is something malicious in the software, it will do whatever it needs to do to accomplish its task, whether or not you have the app on or not.

Which brings me back to the original purpose of this post.  People, just be aware that not all things happening in the Android Market are necessarily in your or my best interest.  There are a lot of great apps, widgets and gadgets out there that make having an Android device fun, intuitive, interactive, and even helpful.  But sometimes the most innocent looking thing can have crap lurking below the surface that may cause some inconvenience, or worse for you.

For instance, ringtone apps.  These should simply be a collection of mp3s that you can load up to make your phone sound like the hottest hit on the radio, or R2D2, or whatever.  Unfortunately, the ringtone "apps" that I have surveyed are far from just ringtone sounds, at least where it deals with the permissions the app is asking you for.  The Lady Gaga Ringtone by NorthStart Ringtones seems like a good one.  Sure enough, the app wants: full internet access, read and write contact data, modify/delete SD data, read phone state and identity, and modify global system settings.  Maybe it needs these things to work correctly.  But I advise some level of caution when something wants to have access to this much of my phone, especially if it is just to plop a ringtone on there.

Another thing that is prime for abuse is the large number of apps that are related to top pop stars, like Justin Bieber.  There is a Justin Bieber Puzzle by TechnoMelon that wants to know your GPS location, full internet access, SD card modify and delete, read phone state and identity, and retrieve running applications.  All of that just so you can assemble a puzzle of that cute little Justin Bieber.

Now in all of the examples I have listed I may have implied that the apps mentioned are doing bad things because of the permissions they are requesting.  Maybe they are, I don't know.  But they may all be legit apps, just trying to make a buck (probably through ads since all are free).  So tell the defamation lawyers to back off.  These examples are just that, examples to show that there are apps out there that I feel (and many do as well) that they are really wanting a little more access to our mobile devices than should be necessary for the type of app.

I hope that I have provided you with a little more insight as to what these crazy permissions are all about, and how there is the possibility for apps to do naughty things, even if they are all cute and innocent looking.

By the way, the flashlights that I have on my DroidX currently are DroidLight by Motorola which uses hardware controls: Take Pictures to activate the LED, and TeslaLED Flashlight by TeslaCoil Software.  In addition to the take pictures control, it also wants to prevent the phone from sleeping, a good thing if you need the light for any period of time.  Plus it has a cool Morse code feature that lets you flash Morse coded messages to someone across the way, and a strobe light.  Both apps are free, the Tesla Coil light also offers a $0.99 donate version.