Open source is a world that Google loves to use to make their business thrive, and a lot of people equally love the idea behind it. Even businesses that adopt the open source idea benefit from the security, freedom, quality, cost and flexibility that are among the many attributes of the open world. This is the reason why OEMs (Original Equipment Manufacturers) utilize what is called a "custom skin", which is like a signature by the company that separates their software from others. Some are beneficial, some just bog down the system, but whatever the case may be, open source also allows for a custom ROM to be installed in place of the official, or "stock" ROM.
With such a wide range of benefits at our disposal, however, come certain drawbacks, or "necessary evils" as some like to say, which could allow a malicious developer access to data they don't need. This is what permissions are for: the app developer requests them, and the user authorizes access to services that are, most of the time, necessary for certain operations of the application to work.
For example, an application that allows you to "check in" to places would ask for location and data permissions, and an application that connects one device to another would require WiFi or maybe Bluetooth access. Even a game that doesn't use online data, but uses ads to generate revenue, would more than likely require data access permissions in order for the ads to be displayed properly. All of these are logical in their operations, because if the app didn't have permission to use those services, then those specific operations of the application would fail altogether.
So what about rogue applications? It's pretty obvious that a puzzle game wouldn't need access to your call data or your contacts list, so if, let's say, Bob's Offline Puzzle Game asks for those permissions, then it's very likely that they're not necessary and are being used for things other than solving puzzles. Now mix those permissions with network access, and you've got a potential risk on your hands, especially when sensitive log data is being requested. That permission could allow apps to read data from other apps that may store credentials such as usernames and passwords, or even credit card numbers, which aren't that well protected and can be viewed as plain text.
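The check described above (a sensitive permission the app's purpose does not explain, combined with network access), sketched as an added example that is not part of the original article. The manifest is a constructed sample, and the `EXPECTED` baseline, category names and risk labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NETWORK = "android.permission.INTERNET"

# Sensitive permissions named in the article, mapped to Android's identifiers.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts list",
    "android.permission.READ_CALL_LOG": "call data",
    "android.permission.READ_LOGS": "log data",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

# Assumed baseline of what each kind of app plausibly needs (illustrative only).
EXPECTED = {
    "offline_game": set(),
    "ad_supported_game": {NETWORK},
    "check_in": {NETWORK, "android.permission.ACCESS_FINE_LOCATION"},
}

# Constructed sample: decoded manifest of the article's hypothetical puzzle game.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bobspuzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def review(manifest_xml, category):
    """List sensitive permissions that the app category does not explain."""
    perms = requested_permissions(manifest_xml)
    unexplained = (perms - EXPECTED[category]) & set(SENSITIVE)
    # Sensitive data plus network access means the data can leave the device.
    risk = "HIGH" if NETWORK in perms else "MEDIUM"
    return [(risk, p, SENSITIVE[p]) for p in sorted(unexplained)]

if __name__ == "__main__":
    for risk, perm, what in review(SAMPLE_MANIFEST, "offline_game"):
        print(f"{risk}: {perm} ({what}) is not explained by the app's purpose")
```

A check-in app that requests only location and network access produces no findings under the same baseline, which matches the article's point that those requests are logical for that kind of app.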
So how is all of this combated? When installing an app from the Play Store, you are faced with a page that displays all of the permissions that the application in question is requesting, and typically a user would just blow right through the permissions page to install as soon as possible. Not very many people would sit and read the permissions thoroughly. Google has done a lot to update their Play Store to put the permission requests right in your face in a big Read Me type of text, but that still doesn't stop someone from hitting that shiny Next button the first chance they get in order to reach the install screen.
Since the crackdown on rogue apps, Google has been gaining more trust from skeptical users like myself about the authenticity of the Play Store's content, but that still doesn't stop developers from asking for more permissions than needed in order to gain leverage for an agenda. While that remains true, the majority of developers are normal people looking to contribute to Android, and they have specific reasons for their permission requests, which also include quality control so they can know what needs to be updated. There are more than likely only a handful of developers who will deliberately ask for more permissions than needed in order to monitor activities in a way that one would deem a privacy risk.
In order to face the question of "Is this trustworthy?", one should look at the following factors in their decision to install an application:
- What do the comments and ratings have to say about the app?
- How many people have installed this app already?
- What permissions are being requested?
- What do these permissions have to do with the app?
- Is this app from a well-known developer?
All of the questions listed above are crucial to the decision, and if you can't answer them yourself, feel free to email the developer with those questions. If you don't get a reply right away, don't be disheartened. It's not that they don't like you asking questions; they are probably busy with life and other questions that take precedence. Also, many questions you have may already have been addressed in the comments section, so looking through the comments can help you determine if it really is worth your time to install that app. On a final note, leave a comment about any concerns or to give feedback to let people know about your experiences with the app.
Do you have any experiences with rogue apps that exploited the use of permissions? Let us know your stories!