New Google updates have made Android safer and more secure than ever before. This week’s identity check update, protecting your data even if someone has your PIN, is just the latest advance. And Android 15 — now finally making its way to Samsung phones — closes the gap on the iPhone. But it’s not all good news – there’s one major issue that’s keeping Android materially stuck behind the iPhone, and it needs to change.
We are talking about permission abuse, which has always been a serious threat to users. A new report is just the latest “alarming” wake-up call, “Uncovering Alarming Security and Privacy Concerns.” This latest research has also exposed “coded secrets embedded within some applications … which pose a serious risk of unauthorized access and data breaches.”
The report is from Leakd, which investigated the “Top 51 Crypto-Downloaded Apps from Google Play.” The team’s focus was how these apps “manage permissions, network configurations, embedded trackers, and encrypted secrets.” And their findings “are surprising and disturbing; many apps go overboard by asking for unnecessary permissions, show glaring security vulnerabilities, and don’t adhere to even basic privacy standards, putting you at significant risk.”
iPhones are far from perfect, but they are better. The hope is Google’s new live threat detection is the start of a crackdown on device permission abuse. But I’m afraid it isn’t – at least not yet. This report follows a similar one from last year that looked at some of the most popular apps overall, and found much of the same. I have asked Google for any comments on these latest findings. Clearly, something has to change.
Leakd says that “These vulnerabilities are not just theoretical. Excessive permissions and insecure configurations can lead to: data theft – sensitive user information, including identity documents and private keys, can be intercepted; account takeover – encrypted secrets and weak authorization checks give attackers easy entry points; and privacy violations – overuse of trackers undermines user anonymity, exposing personal activity to third parties.”
Trackers and permissions are easily understood: “Silently collecting data about how you interact with an app — and sometimes your activities outside of it as well … trackers often go unnoticed, harvesting information that can paint an intimate picture of your behavior, habits, and preferences.” It is this abuse behind the collection of sensitive location data that prompted the NSA to warn users to turn off such settings, and that enabled an alarming data breach earlier this month.
But Leakd also looked at secrets exposed in the apps’ code. “While trackers quietly collect data in the background, encrypted secrets pose a more overt and critical threat to your security. These embedded secrets—including API keys, authentication tokens, and sensitive system configurations—are baked directly into the code of the application. If exposed, they provide attackers with a direct path to compromise critical systems, gain unauthorized access, or manipulate app functionality.”
This is worrying, but it is permission abuse that is the most serious and widespread threat – and should be the easiest problem to solve. We can see the permissions each app is asking for, and AI-driven protections still aren’t successfully asking why. “One of the most troubling issues identified was the large number of permissions requested by the apps. On average, each app requested about 22.9 permissions, with some going as high as 45 … these excessive permissions create a large attack surface, making you more vulnerable to exploitation.”
Given the sensitive nature of these crypto apps, Leakd recommends you do the following:
- Be permission aware: Before installing an app, check the permissions it requires. Avoid apps that ask for unnecessary permissions.
- Opt for secure options: Choose apps with a proven track record of security and transparency.
- Use separate wallets: Avoid storing large amounts of crypto in applications with questionable security.
You should also limit the number of these apps you keep on your phone – you certainly don’t want to collect several of the apps highlighted in the report and compound the risk. You should also check each of the apps you have for access to sensitive permissions. This means location, phone and message data, and access to content such as contacts, where that access is not necessary for the core functionality of the app itself. I have reached out to Google for any comments on this latest report.
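One practical way to carry out that check, and to measure permission counts against the report’s 22.9-per-app average, is to parse the output of `adb shell dumpsys package` for each installed app. The script below is an added example written for this article; it is not code from Leakd or from Google. It assumes you have captured and concatenated `dumpsys package <pkg>` output for the apps you care about, and the sample text embedded in it is constructed to mimic that format rather than taken from a real device. The mapping of Android permission names to the article’s four categories (location, phone, messages, contacts) and the flagging threshold are assumptions chosen for the example.

```python
"""Audit Android app permissions from `adb shell dumpsys package` output.

Added example, not from the article or Leakd. Assumes the concatenated
output of `adb shell dumpsys package <pkg>` for each app; SAMPLE_DUMPSYS
below is constructed to imitate that format and is not real device data.
"""
import re
from dataclasses import dataclass, field

# Assumed mapping of Android permissions to the categories the article says
# most apps do not need for their core function. Permission names are real.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.READ_CALL_LOG": "phone",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
}

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# Matches a permission line, optionally followed by ": granted=true|false".
PERM_RE = re.compile(r"^\s+([\w.]+\.permission\.[A-Z0-9_]+)(?::\s*granted=(true|false))?")


@dataclass
class AppPermissions:
    package: str
    requested: set = field(default_factory=set)  # declared in the manifest
    granted: set = field(default_factory=set)    # actually held right now

    def sensitive_granted(self) -> dict:
        """Map each sensitive category -> the granted permissions in it."""
        out = {}
        for perm in self.granted:
            cat = SENSITIVE.get(perm)
            if cat:
                out.setdefault(cat, set()).add(perm)
        return out


def parse_dumpsys(text: str) -> dict:
    """Parse concatenated dumpsys output into {package: AppPermissions}."""
    apps, current, section = {}, None, None
    for line in text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:  # start of a new package block
            current = apps.setdefault(m.group(1), AppPermissions(m.group(1)))
            section = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # "requested permissions:", "install permissions:", "runtime permissions:"
            section = stripped
            continue
        m = PERM_RE.match(line)
        if not m or section is None:
            continue
        perm, granted = m.group(1), m.group(2)
        if section == "requested permissions:":
            current.requested.add(perm)
        elif granted == "true":  # install or runtime permission currently held
            current.granted.add(perm)
            current.requested.add(perm)
    return apps


def audit(text: str, max_requested: int = 23) -> list:
    """Return (package, requested_count, sensitive_categories) for apps that
    hold any sensitive category or request more than max_requested
    permissions. The default threshold is the article's 22.9 average,
    rounded up; treat it as an assumed policy, not a rule."""
    findings = []
    for pkg, app in sorted(parse_dumpsys(text).items()):
        cats = sorted(app.sensitive_granted())
        if cats or len(app.requested) > max_requested:
            findings.append((pkg, len(app.requested), cats))
    return findings


# Constructed sample imitating dumpsys output for two hypothetical apps.
SAMPLE_DUMPSYS = """\
  Package [com.example.wallet] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.READ_PHONE_STATE: granted=false, flags=[ USER_SET]
  Package [com.example.pricewatch] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.POST_NOTIFICATIONS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    for pkg, count, cats in audit(SAMPLE_DUMPSYS):
        print(f"{pkg}: {count} permissions requested, sensitive granted: {cats}")
```

On a real phone, replace `SAMPLE_DUMPSYS` with the output of `adb shell dumpsys package <pkg>` for each package you want to review; the distinction between requested and granted matters, because a permission an app only requests is a warning sign about its design, while one it currently holds is data it can read today and is the first thing to revoke in Settings.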