- Jul 26, 2013
I am a hardware engineer with some limited software knowledge. I am ULTRA paranoid when it comes to security and have a few questions:
1) People do seem to be paying attention to app permissions now. If an app only had network and storage access permissions, people would probably think it seemed pretty tame. Am I wrong in thinking this is probably the most dangerous an app could be? With these permissions it seems that the app could siphon EVERYTHING off your phone to their servers.
I guess my question would be: do apps that have read/write storage access have, at the very least, read access to all files? For example, it seems that my music app can scan for music, which is fine obviously, but what is stopping it from scanning ANYTHING else on my phone? Like business-related documents, private notes, etc., then uploading these to their servers.
2) If an app only has network access, but no access to storage, I assume it would have no ability to add anything malicious locally after installation (or transmit anything off your phone)? Basically, can an app load malicious code from the network?
3) One nice feature on the iPhone is that a full reset actually does a decent job protecting your data. On Android this is not the case. Does Android device encryption actually encrypt everything (i.e. starting from the root (/) directory)? If this is the case, I would assume that a full device encryption, followed by a factory reset would nearly be akin to running a dd urandom on the drive.
4) Google seems to be stepping in the right direction with the new App Ops in Android 4.3. I am not sure what direction they will be taking this, but currently on my Nexus 7 it does not allow you to prevent access to storage or the network (for example I would like to block Final Fantasy from having network access and Weather Bug from having storage access).
Regardless, can an app automatically run on installation? The reason I ask is let's say you are downloading a seemingly benign app, but it really wants to make a dump of personal data and send it to their servers. If I download the app, could it start doing this immediately, or would I need to manually launch it first? If this was the case, then App Ops would not be very useful against certain malicious apps if they have the 1-2 minutes to dump off your contacts list before you could shut them off in the menu.