So, as part of my other gig I was trawling through looking for some Android root applications to add to my big list of them at Pocketables and I ran across a free children’s painting application in a development thread that had some interesting permissions.
Oh, before I start this I’m going to preface it with this – the scenarios presented at the end have never to my knowledge happened, but they very easily could.
The permissions required by the painting application read as follows:
Your accounts: this section allows the app to see what accounts are set up on the device, such as Facebook, Twitter, etc., and to delete them or set up new accounts if there is a need. While this particular app’s permissions did not allow it to pull passwords, it’s possible to discern an email address or Twitter handle.
Your location: this one is pretty scary. It gives away, to within a couple of feet, where the device is while the app is being played. You’ve sold your kid’s location to someone because the app was free.
Network communication: full network access allows the app to send and receive whatever it wants, most likely the location data and potentially any account information it was able to grab.
Storage: this allows the app to place anything it wants onto your device, and “test access to protected storage” allows the app to see if it can save to the SD card.
Let’s deviate from the actual app I was looking at and assume it also has access to the camera and mic, claiming it needs them so your kid can take pictures of something and then graffiti on them, as that makes the scenario I’m about to envision scarier.
With these permissions and malicious intent, we can imagine the following scenario:
You get this free kid’s app and your child starts playing with it every single day. Every day this app phones home and reports when your kid is using it, and perhaps it collects commands from home base on what files to grab and send to home and what actions to take next.
Over the course of a few days, the app has uploaded plenty of pictures in the background while your child is playing with your phone or tablet, and a photo you’ve taken of your kid is one of these photos that has been sent.
Using a combination of Google Maps, the location data you’ve provided, account data, etc., the company knows who you are and when your kid is at home playing with this app. They’ve now got a pretty decent schedule.
Throwing in my imagined camera and mic permission, the camera comes on whenever they want while your kid is playing and sends real time video to the developers of this app. Perhaps it also streams audio back.
They now know where you live, when you’re home, who you are, what your email address is, and they’ve had a chance to rifle through all the data on the device your kid is using.
Now, the scenarios that can unfold pretty easily are kidnapping, extortion, and framing you for something you didn’t do. The kidnapping is more smash and grab and requires a bit of a bolder move than I think I’ll envision in this scenario. Framing you for something you didn’t do and extorting you is significantly easier, and a whole business of ransomware has popped up in the PC world that does just that sort of crap.
Imagine a photo of your kid playing this game shows up via postal mail, along with a note saying they know who you are, where you are, and they have planted enough incriminating information to put you away with one phone call.
You find that, with the full internet access and access to protected storage, your tablet or phone is completely full of child pornography that the tablet has been downloading over your internet connection. They’ve perhaps taken the liberty of some creative Photoshops of you and your kid to make sure that at least you’re going to jail for a few days while a computer forensics expert you’ve hired rifles through the mass of applications in an attempt to discover what happened, and your kid has many meetings with the sexual abuse counselors.
Your kid’s been taken away and put in protective custody and after spending quite a bit of time and money proving you’re innocent you’re going to have to deal with the trauma they’ve been through.
They (app people) tell you this scenario and demand a large amount, based on your income, to not ruin weeks of your life. Trust me, they’ll be able to figure that out easily enough. How much are you going to be willing to pay not to have to deal with months of hell clearing your name?
Google and Apple both have inspectors that look at the applications that go live. But it’s absurdly easy to hide this stuff simply by not activating until after a certain date, and not storing any malicious code in the app itself.
Anyway, be wary of these sorts of permissions and make sure to check the permissions of children’s apps before installing. They’re going to bite someone in the ass some day, and it’s cheaper to spend a buck or two purchasing an application than it is to hire people to prove you’re innocent of whatever you’ve been framed for.
Apple and Android can tout their security till the cows come home, but if you see an app requesting things that there’s no reason for it to request, consider the worst case and go ahead and pay a buck for an application you can trust.
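As an added example (not part of the original post), here is one way to check a decoded AndroidManifest.xml for the permission groups discussed above before installing an app. The mapping from those groups to manifest permission names, the sample manifest and the package name com.example.kidspaint are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NETWORK = "android.permission.INTERNET"

# Assumed mapping of the post's permission groups to manifest permission names.
SENSITIVE = {
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.MANAGE_ACCOUNTS": "accounts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed manifest for a hypothetical painting app (not the app from the post).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.kidspaint">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)} - {None}

def audit(manifest_xml, expected=frozenset()):
    """List sensitive groups the app requests beyond what its purpose explains."""
    perms = requested_permissions(manifest_xml)
    # With network access, anything the app can read can also leave the device.
    severity = "HIGH" if NETWORK in perms else "MEDIUM"
    groups = {}
    for perm in perms:
        group = SENSITIVE.get(perm)
        if group and group not in expected:
            groups.setdefault(group, []).append(perm)
    return [(severity, g, sorted(groups[g])) for g in sorted(groups)]

if __name__ == "__main__":
    # A painting app plausibly needs storage to save pictures; nothing else.
    for sev, group, perms in audit(SAMPLE_MANIFEST, expected={"storage"}):
        print(f"{sev:6} {group}: {', '.join(perms)}")
```

Permissions are the ceiling on what an app can do, so this check still applies when the behaviour is dormant until a later date or is not stored in the app itself.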