Google’s new updates have made Android safer and more secure than ever before. This week’s identity check update, protecting your data even if someone has your PIN, is just the latest advance. And Android 15 — now making its way onto Samsungs — does finally narrow the gap to iPhone. But it’s not all good news — there’s a major issue that is keeping Android stuck materially behind iPhone, and it needs to change.
We’re talking permission abuse, which has always been a serious threat to users. A new report is just the latest “alarming” wake-up call, “uncovering alarming security and privacy concerns.” This latest research has also exposed “hardcoded secrets embedded within some apps… which poses a serious risk of unauthorized access and data breaches.”
The report is from Leakd, which investigated “51 top downloaded crypto apps from Google Play.” The team’s focus was how these apps “manage permissions, network configurations, embedded trackers, and hardcoded secrets.” And their findings “are both surprising and concerning; many apps overreach by requesting unnecessary permissions, show glaring security weaknesses, and fail to adhere to even basic privacy standards, putting you at considerable risk.”
iPhones are far from perfect, but they’re better. The hope is Google’s new live threat detection is the beginning of an on-device permission abuse crackdown. But I fear that it’s not — at least not yet. This report follows a similar one from last year that looked at some of the most popular apps in general, and found much the same. I have asked Google for any comments on these latest findings. Clearly, something needs to change.
Leakd says “these vulnerabilities aren’t just theoretical. Excessive permissions and insecure configurations can lead to: data theft — sensitive user information, including identity documents and private keys, can be intercepted; account takeovers — hardcoded secrets and weak authorization controls provide attackers with easy entry points; and privacy breaches — overuse of trackers undermines user anonymity, exposing personal activity to third parties.”
Trackers and permissions are readily understood, “silently collecting data about how you interact with an app — and sometimes even your activities outside of it… trackers often go unnoticed, harvesting information that can paint an intimate picture of your behavior, habits, and preferences.” It’s this abuse that drives the collection of sensitive location data, which prompted the NSA to warn users to disable such settings and enabled an alarming data breach earlier this month.
But Leakd also looked into app code exposure. “While trackers quietly collect data in the background, hardcoded secrets present a more overt and critical threat to your security. These embedded secrets — including API keys, authentication tokens, and sensitive system configurations — are directly baked into the app’s code. If exposed, they provide attackers with a straightforward route to compromise critical systems, gain unauthorized access, or manipulate app functionality.”
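The hardcoded secrets Leakd describes (API keys, authentication tokens, configuration values baked into the app) are the kind of thing a defender can find by scanning an app's decompiled resources before shipping or installing it. The following is an added example, not code from the Forbes article or from Leakd's report: it scans a constructed `res/values/strings.xml` for values matching known credential formats (Google API keys start with `AIza`, AWS access key IDs with `AKIA`, JWTs with `eyJ`) and falls back to a Shannon-entropy heuristic for unprefixed tokens. Every key in the sample is a fabricated placeholder, and the resource names are invented for the example.

```python
import math
import re
import xml.etree.ElementTree as ET

# Fabricated placeholder credentials, padded to the length the real formats use
# (Google API key: "AIza" + 35 chars; AWS access key ID: "AKIA" + 16 chars).
FAKE_GOOGLE_KEY = "AIza" + "SyEXAMPLE".ljust(35, "0")
FAKE_AWS_KEY_ID = "AKIA" + "EXAMPLE".ljust(16, "0")

# Constructed sample of a decompiled app's res/values/strings.xml. Resource
# names and values are invented for this example; nothing here is a real secret.
SAMPLE_STRINGS_XML = f"""\
<resources>
    <string name="app_name">Example Wallet</string>
    <string name="api_base_url">https://api.example-wallet.invalid/v1</string>
    <string name="maps_key">{FAKE_GOOGLE_KEY}</string>
    <string name="aws_access_key">{FAKE_AWS_KEY_ID}</string>
    <string name="backend_token">Bearer eyJhbGciOiJIUzI1NiJ9.EXAMPLEPAYLOAD.EXAMPLESIG</string>
    <string name="hmac_secret">q8Zt3vL0pX2mW9kR4nJ7bY1cD5fH6gS0</string>
    <string name="welcome">Welcome back</string>
</resources>
"""

# Known-prefix patterns for common credential formats, checked in this order.
KNOWN_PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}

# Candidate tokens for the entropy heuristic: runs of 20+ base64/URL-safe chars.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=.]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per char; a random 32-char alphanumeric scores ~4.9


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for a constant string)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings_xml(xml_text):
    """Return [(resource_name, finding_kind)] for string values that look like secrets."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("string"):
        name, value = elem.get("name"), elem.text or ""
        # Known formats first: a prefix match is far more reliable than entropy.
        kind = next((k for k, pat in KNOWN_PATTERNS.items() if pat.search(value)), None)
        if kind is None:
            # Unprefixed secrets (HMAC keys, random tokens) usually stand out by entropy;
            # URLs and prose stay well below the threshold.
            for token in TOKEN_RE.findall(value):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    kind = "high_entropy_string"
                    break
        if kind:
            findings.append((name, kind))
    return findings


if __name__ == "__main__":
    for name, kind in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{name}: looks like {kind}")
```

Prefix patterns are precise but only cover formats you know; the entropy fallback catches unfamiliar tokens at the cost of occasional false positives on long hashes or base64 assets, so in practice review what it flags rather than failing a build on it automatically.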
That’s worrying, but permission abuse is the more serious and widespread threat — and it should be the easier problem to solve. We can see the permissions each app seeks, but AI-fueled defenses are not yet successfully asking why an app needs them. “One of the most disturbing issues identified was the sheer number of permissions requested by the apps. On average, each app requested around 22.9 permissions, with some going as high as 45… These excessive permissions create a large attack surface, making you more vulnerable to exploitation.”
Given the sensitive nature of these crypto apps, Leakd recommends you do the following:
- “Be Permission-Conscious: Before installing an app, check the permissions it requests. Avoid apps asking for irrelevant permissions.
- Opt for Secure Options: Choose apps with a proven track record of security and transparency.
- Use Separate Wallets: Avoid storing large amounts of cryptoassets in apps with questionable security.”
You should also limit the number of these apps you keep on your phone; installing several of the apps highlighted in the report only compounds the risk. You should also check each of the apps you have for access to sensitive permissions: location, phone and messaging data, and content such as contacts that is not needed for the app’s core functionality. I have reached out to Google for any comments on this latest report.
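The check described above, listing what an app requests and which sensitive permissions it actually holds, can be done from a computer with the Android debug bridge. The following is an added example, not code from the article or from Leakd's report: it parses the text that `adb shell dumpsys package <package>` prints for one app, counts the requested permissions (so you can compare against the 22.9 average the report cites), and flags the families the article singles out: location, phone, messaging and contacts. The `dumpsys` output below is a constructed sample in that command's format, and the package name `com.example.wallet` is invented.

```python
import re

# Permission families the article calls out. The names are real
# android.permission.* identifiers; the family labels are ours.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.READ_CALL_LOG": "phone",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.READ_SMS": "messaging",
    "android.permission.RECEIVE_SMS": "messaging",
    "android.permission.SEND_SMS": "messaging",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
}

REPORT_AVERAGE = 22.9  # average permissions per app in the Leakd report

# Constructed sample in the shape of `adb shell dumpsys package <pkg>` output
# for a hypothetical wallet app; the package name is invented for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.wallet] (1a2b3c4):
    userId=10187
    versionName=3.2.1
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
      android.permission.READ_SMS
      android.permission.USE_BIOMETRIC
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.USE_BIOMETRIC: granted=true
    User 0: ceDataInode=393221 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_DENIED]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=false, flags=[ USER_SENSITIVE_WHEN_DENIED]
"""

PACKAGE_RE = re.compile(r"\s*Package \[([\w.]+)\]")
# A permission line, optionally followed by ": granted=true/false" in the
# install/runtime sections.
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z0-9_]+)(?::\s*granted=(true|false))?")


def parse_dumpsys(text):
    """Return (package_name, requested_permissions, granted_permissions)."""
    package = None
    requested, granted = set(), set()
    section = None
    for line in text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            package = m.group(1)
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            section = stripped[:-1]  # "requested" / "install" / "runtime permissions"
            continue
        pm = PERM_RE.match(line)
        if not pm:
            continue
        name, state = pm.group(1), pm.group(2)
        if section == "requested permissions":
            requested.add(name)
        elif section in ("install permissions", "runtime permissions") and state == "true":
            granted.add(name)
    return package, requested, granted


def audit(text):
    """Summarise one app: how much it asks for, and which sensitive grants it holds."""
    package, requested, granted = parse_dumpsys(text)
    sensitive = [
        (perm, SENSITIVE_PERMISSIONS[perm], perm in granted)
        for perm in sorted(requested)
        if perm in SENSITIVE_PERMISSIONS
    ]
    return {"package": package, "requested_count": len(requested), "sensitive": sensitive}


if __name__ == "__main__":
    result = audit(SAMPLE_DUMPSYS)
    print(f"{result['package']}: {result['requested_count']} requested permissions "
          f"(report average {REPORT_AVERAGE})")
    for perm, family, is_granted in result["sensitive"]:
        print(f"  {family:<10} {perm:<48} granted={is_granted}")
```

Run it against a real device by saving `adb shell dumpsys package <package>` to a file and passing its contents to `audit`. The distinction between requested and granted matters: a wallet app that has requested SMS and contacts access but not been granted it is a candidate for the "irrelevant permissions" test Leakd recommends, while one that already holds location and phone-state grants is the first to revoke in Settings.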