What does permission «MANAGE_ACCOUNTS» mean?
Once in a while I read that MANAGE_ACCOUNTS Permission is needed (actually it is called «KONTEN HINZUFÜGEN ODER ENTFERNEN» as I have a German phone. I guess the text below is something like «Add or remove accounts, create accounts and set passwords, use accounts on the device» in English).
I’m asking this question because I wanted to install the GitHub-App.
I think I found a very similar question which I would like to include here:
- What does it mean they can create accounts?
- Why would Amazon (Kindle app) / GitHub even need this?
- Are there any risks?
2 Answers
In short, GitHub is using the internal Account System manager to store your GitHub credentials. This works the exact same way as adding a Google account or an Exchange account. Essentially, you are logging in with your credentials and they are stored in the Account Manager, which prevents you from having to re-enter these credentials again in the future.
This is most useful when the credentials are used across multiple applications as you only have to log in once. For example, Google Chrome will access your account via the Account Manager instead of forcing you to log in again (the yellow dialog that pops up at the bottom asking if you want to sign in with your locally held Account on your phone when visiting gmail or another Google website on your phone’s Google Chrome browser).
What does it mean they can create accounts?
They can create local accounts on your phone for their application (and only their application). Here’s an example of a list on my phone:
[Screenshot]
Why would Amazon (Kindle app) / GitHub even need this?
There shouldn’t be. If an app uses the AccountManager and say, wants to use your Google account, then it will have to explicitly ask you for permission as it needs an auth token to use that account. See more info on the SDK documentation.
To manage accounts, Android uses several permissions; some of them are easily misunderstood. A very good explanation on using accounts can e.g. be found in Dan’s answer on the question What can an app do with the “USE ACCOUNTS ON THE DEVICE” permission?. Let me try to sum up the permissions involved and what they mean:
- ACCOUNT_MANAGER: This permission is reserved for system apps. An account-manager is the service working behind the scenes and taking care that everything works as expected.
- AUTHENTICATE_ACCOUNTS: An app using this permission usually provides an interface to deal with a certain account type (which is not known by the pre-installed Android system), such as Dropbox. As shipped, Android does not know how to log in to Dropbox and how to deal with a Dropbox account – so the Dropbox app provides the mechanism. Additionally, an «account authenticator» might restrict the actions an app can perform with the account (so it would e.g. be possible to administrate this via some web interface offered by the service).
- GET_ACCOUNTS: Obtain a list of available accounts. This way an app which wants e.g. to use Dropbox for storage can check if a fitting account is available. It must verify this before using it.
- MANAGE_ACCOUNTS: The API documentation is not that clear about this permission. But according to Bryan’s answer, an app can only delete/modify an account it created itself. Of course it can create any new account, and manage that.
- USE_CREDENTIALS: This app may use the «credentials» to log into an account. In most cases, «credentials» just means the corresponding authenticator creates a fitting token and hands that over (though, how to deal with that is left to the authenticator). When using an account for the first time, the Account Manager should make sure the user is asked whether he permits this. Again, Dan’s answer explains this part well.
I hope I was able to shed some light. This was something which made me nervous as well, so I took two days to dig into it. If I got something wrong, please point it out in the comments so I can correct it.
A Guide To Understanding Android App Permissions (& How To Manage Them)
Apps dominate our usage of smartphones and while Apple’s App Store has stringent criteria for apps to get in, Google’s Play Store is relatively more lenient. As an Android app user, you should be aware of the type of data the apps you use are taking from you.
On top of that, you will need to start reading up on the «permission slips» you have been giving apps that you download to your phone, or risk opening yourself up to major privacy and security issues.
In this guide, we will be highlighting some of the app permissions you need to pay more attention to, and which are valid permissions that apps are obligated to ask for.
With a bit of vigilance, it’s entirely possible to minimize risks by learning how to better manage your app permissions (and to revoke them if necessary). Here’s a look into Android app permissions and what to do about them.
What Are App Permissions?
First things first, Android app permissions aren’t requests, they’re declarations. Unless you’re rooted, you have no say – short of choosing to not install the app – in whether the app will receive all the permissions it requires.
When you install an app from the Play Store, you’ll get a pop-up listing all the permissions that the app requires, such as access to your storage, phone calls, network communication and so on. Read through this list.
It’s all too easy to treat the permissions list like an EULA (which nobody ever reads) but skipping over these permissions could mean the difference between having your data securely on your device or having all of it at the fingertips of unscrupulous app developers.
5 Permissions You Should Be Wary Of
There are a few permissions that you should be wary of, not because they’re necessarily dangerous, but because there could be wide-ranging repercussions if data from these permissions were to fall into the wrong hands. Note that these aren’t the only permissions you should worry about – it’s a start.
If you want to know more, check out the list and discussion of Android app permissions by AndroidForums.com user Alostpacket. There’s also a detailed list of permissions on the official Android Developers page. Most of the recapped information here comes from both resources.
1. Location
There are two types of location permissions that Android applications can require: «approximate location (network-based)» and «precise location (GPS and network-based)».
What would apps need my precise location for? Well, navigation apps like Waze will require such information to work. Similarly, social media applications want to include your location in photos and uploads. Crucially, applications which implement location-based advertising will also need access to such information. It’s just one of the many sacrifices you have to make when using a free, ad-supported app.
2. Phone Status And Identity
This is a bit of a problematic permission, because «read phone status and identity» encompasses everything from something as innocuous as needing to know when a phone call is coming in, to having access to crucially important data such as your device’s IMEI number.
While this permission is often safe, the potential for wrongdoing is huge, so do exercise caution when apps require this permission. If there doesn’t seem to be any real reason for the app to require this permission, it might be a good thing to think twice before installing it.
3. Read And Modify Your Contacts
The permissions to «Modify your contacts, read your contacts» give an app unfettered access to your contacts’ data. While both can be problematic, the «modify» permission is especially dangerous since it would let an app read all the contact information you have on your phone. This includes how often you communicate with particular contacts.
SMS apps, contact management apps, dialer replacement apps and even some social media apps will need one or both of these permissions, but apps without any social aspect to them have no reason to require them.
4. SMS And MMS-Related Permissions
These permissions could potentially cost you a lot of money, if malicious apps use these permissions to send illegitimate SMSes or tack on extra charges onto each SMS and MMS you send.
The «read your text messages» and «receive text messages» permissions can also potentially result in your privacy being compromised. If there’s no real reason for an app to require these permissions, avoid it.
However, there are perfectly valid reasons an app would require these permissions, especially if it’s an SMS app. Again, a bit of reasoning should save you from having to deal with any issues related to this permission.
5. Account-Related Permissions
«Find accounts on the device» lets the app check with Android’s built in Account Manager on whether you have any accounts on services such as Google, Facebook and so on.
«Use accounts on the device» lets the app ask for permission to use the account. Once this permission is granted, the app won’t have to request it again; the concern, of course, comes if the app is malicious and continues to do things in the background in your name.
Another related permission to watch out for is «create accounts and set passwords», which lets the app authenticate credentials. A malicious app can take advantage of this permission to get your password by phishing you.
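The five groups above, together with the account permissions listed in the second answer, can be checked against an app's manifest. This is an added example, not code from the answers or the article: a Python audit of a decoded AndroidManifest.xml that reports which of these groups an app declares and notes when AUTHENTICATE_ACCOUNTS appears without an account authenticator service. The sample manifest and the package name `com.example.flashlight` are constructed; the authenticator check assumes the app registers its authenticator as a service with the `android.accounts.AccountAuthenticator` intent action.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Groups follow the article's five headings (assumed mapping of dialog labels to names).
GROUPS = {
    "location": {P + "ACCESS_COARSE_LOCATION", P + "ACCESS_FINE_LOCATION"},
    "phone status and identity": {P + "READ_PHONE_STATE"},
    "contacts": {P + "READ_CONTACTS", P + "WRITE_CONTACTS"},
    "sms/mms": {P + "SEND_SMS", P + "READ_SMS", P + "RECEIVE_SMS", P + "RECEIVE_MMS"},
    "accounts": {P + "GET_ACCOUNTS", P + "USE_CREDENTIALS",
                 P + "AUTHENTICATE_ACCOUNTS", P + "MANAGE_ACCOUNTS"},
}
# Intent action an account authenticator service registers for.
AUTH_ACTION = "android.accounts.AccountAuthenticator"

def audit_manifest(xml_text):
    """Return (flagged permissions by group, notes) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    declared = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                declared.add(name)
    report = {g: sorted(declared & perms)
              for g, perms in GROUPS.items() if declared & perms}
    # An app that authenticates its own account type should ship an authenticator.
    has_authenticator = any(
        action.get(ANDROID_NS + "name") == AUTH_ACTION
        for service in root.iter("service")
        for action in service.iter("action"))
    notes = []
    if P + "AUTHENTICATE_ACCOUNTS" in declared and not has_authenticator:
        notes.append("AUTHENTICATE_ACCOUNTS declared without an authenticator service")
    return report, notes

# Constructed sample: a flashlight app asking for far more than a camera flash needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

The manifest inside an APK is binary XML and has to be decoded first, for example with apktool. For manifests taken from untrusted APKs, parse with defusedxml rather than the standard library parser.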
Ways To Stay Safe
There are a few things you can do to stay on top of app security.
1. The best way to stay safe is not to immediately avoid any apps that require problematic permissions but instead, to look at the app itself and use reasoning to figure out whether the app really requires these permissions.
2. You can also send an email to the developer asking about the permissions. If the reply isn’t satisfactory, or if you don’t get a reply at all, then you should most probably give the app a miss.
3. You should also take advantage of the huge Android community if you’re unsure about the security of a particular app. Read reviews on the Play Store and check forums and Android-centric news sites to see if there have been any complaints about the app recently. It’s a bit of work, sure, but better be safe than sorry.
Managing App Permissions
If you’ve let apps have access to any of your accounts such as Facebook or Google, it’d be a good idea to go to your account settings and manage your account permissions, if the website has such a feature.
You can also check what permissions certain apps have by going into Settings > Apps. Just select an app and scroll down to see the permissions it has.
Permissions Manager Apps
You can also use an app such as Permission Explorer, which lets you filter by categories, apps and permissions, and can give you a much more detailed breakdown of the permissions granted to the app. Other similar apps you can try are App Permissions and Permissions Manager.
Regardless of the app you choose, spending some time going through the permissions of apps currently installed on your Android device should help you establish whether there are any apps with problematic permissions that need to be revoked or perhaps even uninstalled entirely.
Revoking App Permissions
Once you’ve found some offending apps, it’s time to decide on a course of action. There’s currently no built-in way to manage app permissions in the latest version of Android, since Google chose to remove the AppOps feature from Android 4.4.2.
However, if you’re still running Android 4.3, it wouldn’t hurt to give AppOps a go to see if it helps you access the built-in permissions manager.
If you’re running stock, unrooted 4.4.2 (or a version prior to 4.3), you’re pretty much out of luck when it comes to revoking app permissions short of completely uninstalling the application. However, if you are rooted, then you have a few more options.
Permissions Manager Apps (Rooted)
If you have the Xposed Framework installed, you can give XPrivacy a go. XPrivacy is one of the best permissions manager applications available, letting you tweak, block and revoke almost every permission an app might require. You can also use the XPrivacy Installer to help you install both Xposed Framework and XPrivacy itself.
If you’re willing to install a completely new ROM, or plan to do so anyway, there are also certain custom ROMs that come with permission management features built-in.
The popular CyanogenMod has a Privacy Guard feature which, as of last year, comes with Android 4.3’s AppOps integrated into it. Other ROMs such as Purity ROM also have a similar feature.
Conclusion
It’s hard to deny that, by default at least, Android’s privacy and security settings are a bit lacking. Between occasionally confusing permission names and an inability to selectively grant permissions, this is definitely something that Android should work on.
However, even with these issues, it’s still entirely possible to stay on top of things and ensure the security of your data by being vigilant about the apps you install and the permissions that these apps require. After all, it’s your data on your phone – you have control.