[HOW TO] Understand permissions risks

Hello to all,

I have tried to condense the permission risks reported by Exodus Privacy into the following table.

Indeed, in Exodus Privacy, a report gives the list of permissions the application requests in order to operate on your smartphone. Some of these permissions are tagged as dangerous. This means that, from Google's point of view, the application can do bad things using this permission. εxodus uses the Google permission classification. I was inspired by a publication on this subject (see reference below).

I hope this will be helpful to better understand the potential risks of letting some applications have access to sensitive permissions.

@Manoj Can you make this post editable in case other people want to change/correct/add something to it? Thank you very much!

Dangerous permissions and permission groups:

Permission group   Permissions
CALENDAR           READ_CALENDAR, WRITE_CALENDAR
CAMERA             CAMERA
CONTACTS           READ_CONTACTS, WRITE_CONTACTS, GET_ACCOUNTS
LOCATION           ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION
MICROPHONE         RECORD_AUDIO
PHONE              READ_PHONE_STATE, READ_CALL_LOG, WRITE_CALL_LOG, CALL_PHONE, ADD_VOICEMAIL, USE_SIP, PROCESS_OUTGOING_CALLS
SENSORS            BODY_SENSORS
STORAGE            READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE
SMS                READ_SMS, SEND_SMS, RECEIVE_WAP_PUSH, RECEIVE_SMS, RECEIVE_MMS

Levels of risk severity

Level           Permission groups
1. Negligible   CALENDAR, SENSORS
2. Minor        CAMERA, STORAGE, MICROPHONE
3. Major        CONTACTS, LOCATION
4. Severe       SMS, PHONE

  • Negligible: Once the information controlled by a
    dangerous permission group is leaked, it is difficult to
    accurately relate to the individual.

  • Minor: Once the information controlled by a dangerous
    permission group is leaked, the impact on users is limited.

  • Major: Once the information controlled by a dangerous
    permission group is leaked, users will be monitored or
    the user’s identity information will be stolen.

  • Severe: Once the information controlled by a dangerous
    permission group is leaked, the user’s personal property
    will suffer loss.

From Y. Yang, X. Du and Z. Yang, “PRADroid: Privacy Risk Assessment for Android Applications,” 2021 IEEE 5th International Conference on Cryptography, Security and Privacy (CSP), 2021, pp. 90-95, doi: 10.1109/CSP51677.2021.9357608.

EDIT: An even more in-depth article on the subject
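Added example (not code from the original post, from Exodus Privacy or from the PRADroid paper): a small Python script that pulls the uses-permission entries out of an AndroidManifest.xml, maps each one to the permission group and severity level from the two tables above, and reports the highest level the app requests. The manifest fragment is constructed for the demo and does not describe any real app; the function names are my own.

```python
"""Classify an Android app's requested permissions with the dangerous-permission
groups and the PRADroid severity levels (1 = Negligible .. 4 = Severe) tabulated above.

Added example, not Exodus Privacy's or PRADroid's code. SAMPLE_MANIFEST is a
constructed manifest fragment; requested_permissions() and assess() are my names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Dangerous permission -> permission group (Google's classification, as in the first table)
DANGEROUS_GROUPS = {
    "CALENDAR": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "CAMERA": {"CAMERA"},
    "CONTACTS": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "LOCATION": {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"},
    "MICROPHONE": {"RECORD_AUDIO"},
    "PHONE": {"READ_PHONE_STATE", "READ_CALL_LOG", "WRITE_CALL_LOG", "CALL_PHONE",
              "ADD_VOICEMAIL", "USE_SIP", "PROCESS_OUTGOING_CALLS"},
    "SENSORS": {"BODY_SENSORS"},
    "STORAGE": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "SMS": {"READ_SMS", "SEND_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_SMS", "RECEIVE_MMS"},
}
PERMISSION_TO_GROUP = {p: g for g, perms in DANGEROUS_GROUPS.items() for p in perms}

# Severity level per group, from the second table (PRADroid)
GROUP_SEVERITY = {
    "CALENDAR": 1, "SENSORS": 1,
    "CAMERA": 2, "STORAGE": 2, "MICROPHONE": 2,
    "CONTACTS": 3, "LOCATION": 3,
    "SMS": 4, "PHONE": 4,
}
SEVERITY_NAMES = {1: "Negligible", 2: "Minor", 3: "Major", 4: "Severe"}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the names of all <uses-permission> entries in a manifest.

    android.permission.* names are shortened to their last component (READ_SMS);
    vendor or app-defined permissions are kept whole so they are not confused
    with the platform ones.
    """
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        full = node.get(f"{{{ANDROID_NS}}}name", "")
        if full.startswith("android.permission."):
            names.append(full.rsplit(".", 1)[-1])
        else:
            names.append(full)
    return names


def assess(permissions: list[str]) -> dict:
    """Group the dangerous permissions and report the highest severity level seen.

    Permissions outside the dangerous table (normal, signature or custom ones)
    are listed under "other" and do not affect the level.
    """
    by_group: dict[str, list[str]] = {}
    other = []
    for p in permissions:
        group = PERMISSION_TO_GROUP.get(p)
        if group is None:
            other.append(p)
        else:
            by_group.setdefault(group, []).append(p)
    max_level = max((GROUP_SEVERITY[g] for g in by_group), default=0)
    return {
        "groups": {g: (GROUP_SEVERITY[g], SEVERITY_NAMES[GROUP_SEVERITY[g]], sorted(ps))
                   for g, ps in sorted(by_group.items())},
        "other": sorted(other),
        "max_level": max_level,
        "max_level_name": SEVERITY_NAMES.get(max_level, "None"),
    }


# Constructed manifest fragment (not a real app), the kind of list Exodus extracts from an APK
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
</manifest>
"""

if __name__ == "__main__":
    report = assess(requested_permissions(SAMPLE_MANIFEST))
    for group, (level, name, perms) in report["groups"].items():
        print(f"{level}. {name:<10} {group:<10} {', '.join(perms)}")
    print("Not in the dangerous table:", ", ".join(report["other"]))
    print(f"Highest severity level: {report['max_level']} ({report['max_level_name']})")
```

The level this prints is the consequence severity from the table, not a probability that anything bad happens: an app that asks for RECEIVE_SMS lands at level 4 whether it is a malicious dropper or your SMS client. The PRADroid paper combines this severity with a likelihood in a risk matrix, which this script does not encode.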

Thanks for that. The Levels of risk severity section says, for each leve

But it doesn’t give any indication of

  • whether a "leak" is possible
  • if it is possible, how likely it is to occur

A lot of stuff I have read about security risks (in computers, networks, phones) seems to make scary statements about the consequences of a security issue or vulnerability, even though the vulnerability would in practice be very hard for a bad actor to exploit.

From my understanding, just because an app requests, and is granted e.g. a permission, it does not mean that the app user is really at risk of being monitored or having their identity information stolen. Is it not the case that, for the risk to be real, the user would have to install a malicious app which requests the permission, and then uses it in a malicious way?

I am concerned that users - particularly non-technical users - may be given the impression that if they install an app - even an open source app - which needs a "dangerous" permission, then they are at immediate risk of suffering the consequences mentioned here, even though the real risk is minimal.

I’m very happy to be corrected if I have misunderstood anything.

Yes, you are absolutely right; besides, giving an application access to SMS does not mean it is necessarily malicious…

Yes, you're right. In the original article the severity has to be matched against the risk matrix, which I did not include here because it is probably too technical… But here it is:

[image: risk matrix from the PRADroid paper]

And the results concerning some apps:

[image: Table V, risk assessment results of 10 representative applications]

“Risk assessment results of 10 representative applications, as shown in the Table V. The top five applications in the table come from different families of malware, and the other five are benign applications downloaded from Google Play. The results show that malicious applications actually get high risk scores, while benign applications get low medium and low scores, which indicates that benign and malicious apps are effectively distinguished so as to give reasonable prompts to users.”

As you can see, only malicious apps are tagged with a high score.

I think it’s best to see this table as a “guide” to be careful with applications whose source/origin is not well known or if it is known to be reliable.

The idea here is not to make people paranoid.
I myself (and everyone else, for that matter) have many apps with permissions rated as "4. Severe" risk that are perfectly safe.
I just wanted to summarize what Exodus Privacy can offer regarding permissions.

This is also the reason why I wanted the topic to be editable by everyone: don't hesitate to modify it, to add warnings, or simply to add information that seems relevant so as not to scare users who are not necessarily comfortable with all these notions.
