Android apps with "dangerous" permissions

This post was originally on Posterous, and I had forgotten to transfer it when they shut down, so I've put it back up here for anyone looking for it

I decided to take a look at the top 20 free and the top 20 paid apps showing in the Android Market, and see what permissions they used. It soon became clear that there are certain "dangerous" permissions which are commonly requested, but it's not so clear if they are being used in dangerous ways, or merely using them to perform necessary functions of the apps.

In particular, I looked at the following functions:

There were some distinct differences between the permissions requested by free apps and by paid apps, although the sample set isn't big enough to claim this is always the case, or even more common. In general, free apps in this sample asked for more permissions - there was only one app which didn't request any permissions in the top 20 Free Apps (Adobe Reader) - with Net Access being by far the most requested permission, with 17 of the 20 free apps requesting it. 4 of the apps appear to use this only for advertising downloads, which would explain why fewer paid apps request it - they don't need to run adverts to cover costs.

For paid apps, net access was still the most requested permission, with 10 apps wanting it. However, the use of it appears now to be to provide online highscores, rather than advertising. However, there were 7 paid apps which didn't request any permissions. This seems far too great a difference from the free apps to be accurate, but the reason becomes clear upon further inspection: several of these apps are unlockers, which modify the behaviour of a free app in some way, usually by disabling adverts or adding additional features. As such, they don't need permissions themselves - they need for the corresponding free app to be able to find them.

The main problem with this type of analysis is that it requires some manual work in determining whether the purpose of the app fits with the requested permissions: two apps requested 8 "dangerous" permissions (and a number of other ones too), which by sheer numbers makes them seem potentially dangerous. In fact, one of these apps was an AV package, and the other a messaging replacement system, so in both cases, most of the requested permissions could be obviously seen as required to fulfil the core functions of the software. Further, none of the apps surveyed requested permissions from the above list which didn't appear to be required either for core functions, or for obvious secondary functions (usually advertising, but also online high scores and minor feature support). This isn't to say that they aren't using them for other reasons, but if they are, the developers are using the same permissions as required for default operation.

Still, it seems that fears of apps using excessive permissions are unfounded, as far as the most commonly used apps go, anyway. That probably means that your average user, sticking to top ranked apps, is probably fairly safe as far as data loss or unexpected costs go.

This type of analysis would be easier if there was a search API for the Market, providing the ability to search by permissions requested, but there doesn't appear to be any such API. If anyone knows differently, please let me know! The closest I've seen is at www.cyrket.com, which provides a number of forms of analysis, but most concentrate on the ratings, comments and pricing structures.

The apps surveyed in this sample were:

The data can be seen at https://spreadsheets.google.com/a/bleurgh.net/spreadsheet/pub?hl=en_US&hl=en_US&key=0AjpND29J75IEdFRjWFBCTkw3LWYwWFc1eG9ocVJIbEE&output=html

All data was collected on 22nd July 2011, using the web based Market Browser from a UK IP address