http://www.techrepublic.com/blog/it-security/why-does-an-android-flashlight-app-need-gps-permission ^^ Writer doesn't ask why a #$%@ flashlight app would need to uniquely identify your phone, need network access or access non-app storage. Camera is probably needed to access the camera flash LEDs. I've either deleted or not downloaded apps which required unjustified permissions. (Sometimes the developer is just being sloppy. Do not want apps by sloppy developers.)
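The check described in the post above, as an added example that is not part of the original thread: it reads an app's decoded `AndroidManifest.xml` and lists the requested permissions that fall outside what a flashlight plausibly needs. The `EXPECTED` baseline, the `CONCERNS` wording and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml (android:name etc.)
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: reviewer-maintained baseline of what each app category needs.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}
# Reasons to question a permission, taken from the concerns raised in the post.
CONCERNS = {
    "android.permission.READ_PHONE_STATE": "can uniquely identify the phone",
    "android.permission.INTERNET": "network access",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage outside the app",
}
# Constructed sample manifest in text form (not taken from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission/>
  <application android:label="Flashlight"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a text manifest."""
    # For manifests from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.findall(tag):
            name = el.get(ANDROID_NS + "name")
            if name:  # skip malformed entries that carry no android:name
                perms.add(name)
    return perms

def unjustified(manifest_xml, category):
    """Map each permission outside the category baseline to a concern."""
    extra = requested_permissions(manifest_xml) - EXPECTED[category]
    return {p: CONCERNS.get(p, "no stated reason") for p in sorted(extra)}

if __name__ == "__main__":
    for perm, why in unjustified(SAMPLE_MANIFEST, "flashlight").items():
        print(f"{perm}: {why}")
```

The manifest inside an APK is stored in a binary XML format, so it has to be decoded to text before this parser can read it.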
I've never used it (browser works fine for me). Here's what's listed in Google Play Store: Explanation of the reasons for some permissions: https://contacts.zendesk.com/entries/23708306-Android-Permissions-Explained
Hmm. Looks like Google is allowing users to change app permissions after installing. (As of KitKat 4.4) That's good but I guess I'll have to add checking rather than assuming a permission is available. http://www.techrepublic.com/blog/so...-get-ready-for-fine-grained-user-permissions/
In light of the leaks about NSA operations, it occurs to me that there is a vulnerability in Android phones. With apps downloaded from the Google Play Store, you have the option of auto-updates or telling you that there is a new update and letting you get the update yourself. It also warns if there is a permission change before installing even if it's set for auto-update. However, all of that is done on Google's end. When Google finally says "Phone, here's an update", phone says "Yes sir!" and installs it, regardless of any permission changes. So it would seem that Google, or someone pretending to be Google by redirecting traffic between the phone and Play Store, could install anything they wanted disguised as an update. I'm sure that there's all sorts of encrypted handshaking going on before an update will happen, but when someone like the NSA can do a very sophisticated man-in-middle attack, and has access to Google's internal network traffic... well, I don't know if that's secure. Normally there's a notification on the phone that there's been an update, but a trojan update with elevated permissions could clear that. I'm saying Android because that's what I'm familiar with. I wouldn't count on iPhones, Blackberrys or stuff like Windows update and sudo apt-get update being any more secure that way.
I agree on the man in the middle attack scenario. However, if you have a rooted Android, you can arbitrarily change permissions on executables, files and directories. You can also use iptables to determine which apps have internet access. You can also survey which apps push ads, for whom, and what the ad parasite does with your identity and location information. You can then remove accordingly.
That's true. The firmware could be trojaned. Did you hear Jake Appelbaum's presentation in Berlin at the CCC Messe?