‘New Play Store permission policy plays into the hands of rogue apps’


A recent change in the policy of the Google Play Store plays into the hands of developers of rogue apps, a developer claims. After an update, apps could, for example, suddenly send paid SMS messages without users knowing it.

The developer, who is active on Reddit under the nick iamtubeman, put this to the test by placing an app with relatively innocent permissions in the Play Store and then updating it with many more permissions. The Play Store stated that no additional consent was required for the update and performed the update automatically.

The trick is made possible by a recent change by Google to the way the Play Store handles permissions. Google has divided permissions into categories, such as location and identity. If an app has access to the category Contacts and Calendar, that app can, without new consent, obtain all permissions that also fall into that category.

If the app, for example, asks permission to use the accounts on a device, it can then, without consent, read all of the user's contacts and calendar. Because no new consent is needed, the Play Store by default carries out the update automatically. Even if automatic updating is turned off, the Play Store states that no ‘additional special permissions’ are needed, while the app does get many more permissions after the update.

It is therefore possible for developers to first release an app with relatively innocent permissions and then, without much effort, roll out an automatic update with many more permissions, for example to send paid SMS messages on behalf of the user. Google has not yet responded to the developer's findings. The new policy has been in effect since last week.
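For anyone reviewing app updates on managed devices, the group-based consent behaviour described above can be checked by diffing the permission lists of two versions. The sketch below is an added example, not code from the developer or from Google; the group table is an illustrative assumption modelled on the article's description (the real Play Store grouping may differ), and the two version lists are constructed sample data.

```python
# Added example. PERMISSION_GROUPS is an assumed, illustrative table based on
# the article's description; it is not Google's actual grouping.
PERMISSION_GROUPS = {
    "Contacts and Calendar": {
        "android.permission.GET_ACCOUNTS",
        "android.permission.READ_CONTACTS",
        "android.permission.READ_CALENDAR",
    },
    "SMS": {
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
    "Location": {
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_FINE_LOCATION",
    },
}


def group_of(permission):
    """Return the group a permission belongs to, or None if it is ungrouped."""
    for name, members in PERMISSION_GROUPS.items():
        if permission in members:
            return name
    return None


def audit_update(old_perms, new_perms):
    """Split permissions added by an update into 'silent' (group already
    approved, so no new consent prompt) and 'prompted' (new group)."""
    approved_groups = {group_of(p) for p in old_perms} - {None}
    silent, prompted = [], []
    for perm in sorted(set(new_perms) - set(old_perms)):
        # Ungrouped permissions never match an approved group, so they prompt.
        (silent if group_of(perm) in approved_groups else prompted).append(perm)
    return {"silent": silent, "prompted": prompted}


# Constructed sample: permission lists of two versions of the same app.
OLD_VERSION = ["android.permission.GET_ACCOUNTS", "android.permission.RECEIVE_SMS"]
NEW_VERSION = OLD_VERSION + [
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
]

if __name__ == "__main__":
    for kind, perms in audit_update(OLD_VERSION, NEW_VERSION).items():
        print(kind, perms)
```

Permissions reported as silent are the ones to review by hand before an update is allowed onto a device, since the store would not have asked the user about them.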
