Menu
EFF criticizes Google for removing 'vital privacy feature' with Android 4.4.2

EFF criticizes Google for removing 'vital privacy feature' with Android 4.4.2

The new Android update disables a feature that allowed users to revoke permissions for installed apps

The Android 4.4.2 update that began to roll out Monday to Google's Nexus devices removed a feature that gave users fine-grained control over app permissions, prompting criticism from the Electronic Frontier Foundation.

The removed feature was called App Ops and was introduced in Android 4.3. It provided an interface from where users could withdraw permissions they gave apps when installing them. Traditionally, Android users have had to choose between giving an app all permissions it requests or not use it.

The granular permission control provided by App Ops is something that privacy advocates have long requested, since many apps ask for more permissions than they need to provide their main functionality.

In part this is because a lot of apps, especially free ones, bundle advertising libraries that provide a revenue stream for developers. Often the excessive permissions requested by such apps come from those ad libraries.

Last week, Goldenshores Technologies, the developer of a popular flashlight app for Android, settled U.S. Federal Trade Commission charges that it shared users' geolocation information with advertising networks without properly notifying users. The company agreed to disclose to users how it collects, uses and shares geolocation information and obtain consent from them before doing so.

While present inside Android 4.3, the App Ops interface has never been directly accessible to users, but it was easy to gain access to it by installing third-party applications like Permission Manager or AppOps Launcher from Google Play.

In a blog post Wednesday, the Electronic Frontier Foundation, a digital rights watchdog, called App Ops an "awesome" feature and a "huge advance in Android privacy." However, the organization's enthusiasm was short lived, as some users later pointed out that Google removed the feature in Android 4.4.2.

"Today, we installed that update to our test device, and can confirm that the App Ops privacy feature that we were excited about yesterday is in fact now gone," Peter Eckersley, EFF's director of technology projects, said Thursday in a separate blog post.

"The disappearance of App Ops is alarming news for Android users," Eckersley said. "The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people's data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago."

According to Eckersley, when contacted by the EFF, Google said the feature wasn't supposed to be released to begin with because it was experimental and its use could break some apps.

The EFF feels this explanation is suspicious and believes that Google should have worked to improve it rather than remove it. The problem of apps breaking down when not given access to information like location data, the address book or the phone's IMEI (equipment identifier) number, could be solved by supplying those apps with dummy data when the corresponding permission is removed, Eckersley said.

Google declined to comment.

The company reportedly tried to block access to App Ops before, with the initial release of Android 4.4 KitKat, but developers figured out how to enable it again.

EFF urged Google to re-enable the App Ops interface and improve it. The interface should be properly integrated into the Settings interface, Android users should be able to disable all collection of trackable identifiers with a single switch and should have a way to disable an app's network access entirely, Eckersley said.

"There are numerous ways to make App Ops work for developers," he said. "Pick one, and deploy it."

Android 4.4.2 also patches two denial-of-service issues, including one involving class 0 (Flash SMS) messages that was disclosed at a security conference at the beginning on December. Bogdan Alecu, the mobile security researcher who found the Flash SMS vulnerability, confirmed Friday that it was fixed in the new Android version.

Users are now in a difficult situation because they will have to choose between updating to the new version which removes the App Ops privacy feature or not updating and leaving their devices vulnerable, Eckersley said.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityprivacymobile securityGoogleElectronic Frontier Foundation

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments