EFF criticizes Google for removing 'vital privacy feature' with Android 4.4.2

The new Android update disables a feature that allowed users to revoke permissions for installed apps

The Android 4.4.2 update that began to roll out Monday to Google's Nexus devices removed a feature that gave users fine-grained control over app permissions, prompting criticism from the Electronic Frontier Foundation.

The removed feature was called App Ops and was introduced in Android 4.3. It provided an interface from which users could withdraw permissions they gave apps when installing them. Traditionally, Android users have had to choose between giving an app all the permissions it requests or not using it.

The granular permission control provided by App Ops is something that privacy advocates have long requested, since many apps ask for more permissions than they need to provide their main functionality.

In part this is because a lot of apps, especially free ones, bundle advertising libraries that provide a revenue stream for developers. Often the excessive permissions requested by such apps come from those ad libraries.

Last week, Goldenshores Technologies, the developer of a popular flashlight app for Android, settled U.S. Federal Trade Commission charges that it shared users' geolocation information with advertising networks without properly notifying users. The company agreed to disclose to users how it collects, uses and shares geolocation information and obtain consent from them before doing so.

Although present in Android 4.3, the App Ops interface was never directly accessible to users. It was easy to gain access to it, however, by installing third-party applications like Permission Manager or AppOps Launcher from Google Play.

In a blog post Wednesday, the Electronic Frontier Foundation, a digital rights watchdog, called App Ops an "awesome" feature and a "huge advance in Android privacy." However, the organization's enthusiasm was short-lived, as some users later pointed out that Google removed the feature in Android 4.4.2.

"Today, we installed that update to our test device, and can confirm that the App Ops privacy feature that we were excited about yesterday is in fact now gone," Peter Eckersley, EFF's director of technology projects, said Thursday in a separate blog post.

"The disappearance of App Ops is alarming news for Android users," Eckersley said. "The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people's data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago."

According to Eckersley, when contacted by the EFF, Google said the feature wasn't supposed to be released to begin with because it was experimental and its use could break some apps.

The EFF feels this explanation is suspicious and believes that Google should have worked to improve the feature rather than remove it. The problem of apps breaking down when not given access to information like location data, the address book or the phone's IMEI (equipment identifier) number could be solved by supplying those apps with dummy data when the corresponding permission is removed, Eckersley said.

Google declined to comment.

The company reportedly tried to block access to App Ops before, with the initial release of Android 4.4 KitKat, but developers figured out how to enable it again.

EFF urged Google to re-enable the App Ops interface and improve it. The interface should be properly integrated into the Settings interface, and Android users should be able to disable all collection of trackable identifiers with a single switch and should have a way to disable an app's network access entirely, Eckersley said.

"There are numerous ways to make App Ops work for developers," he said. "Pick one, and deploy it."

Android 4.4.2 also patches two denial-of-service issues, including one involving class 0 (Flash SMS) messages that was disclosed at a security conference at the beginning of December. Bogdan Alecu, the mobile security researcher who found the Flash SMS vulnerability, confirmed Friday that it was fixed in the new Android version.

Users are now in a difficult situation because they will have to choose between updating to the new version, which removes the App Ops privacy feature, or not updating and leaving their devices vulnerable, Eckersley said.


Stories by Lucian Constantin
