Automatic updating of Android apps becomes riskier
Google has made unwelcome changes to the way new app permissions are disclosed to users: no warnings will be shown if a new permission if is in the same category as an old one that has previously been accepted.
The change has been introduced with the recently released new version of the Play store app, and has apparently made to streamline the installing of updates and to avoid confusing users.
With this update, a user who has previously permitted an app to access the device’s coarse GPS location will not be notified when the new version of the app starts collecting information about the device’s fine location, as both permissions belong to the same category.
Similarly, an app that initially only had the permission to read the call log could now be updated to initiate phone calls without the user’s knowledge. Or if it originally was permitted to read the contents of the SD card, it can be updated to write to it. Find out more about the different permission groups here.
“Unfortunately, most groups contain at least one ‘innocent’ or common permission that many apps on the Store use next to some more nasty ones,” noted a software developer that goes by the online handle “Tubeman,” who created an app named Permission Tester to test for this “latest Google security screw up.”
If you are not comfortable with this new change, you can prevent it by turning off auto-updates for specific apps by opening the Play Store app, touching the app’s icon, selecting “My Apps”, selecting the app, and unchecking the box next to “Auto-update” in the Menu.
A second “improvement” announced by Google makes the “full Internet access” permission disappear from the primary permissions screen and get automatically approved.
“These days, apps typically access the Internet,” Google explained, and says that Google Play’s app review systems already check all apps for abuse of these access permissions.