Reply to post:

Cryptocurrency-crafting creeps crept crafty code into Google App Store

Lee D Silver badge

I would argue that "I have been given permission to do X" is metadata that you don't want the program to have.

An example - an app is malicious, but only if it is given the permission - i.e. it does use the camera but only if people actually click Yes. Or it only says it uses the camera when it's scanning a QR code but actually opens it at other times too. Otherwise, so it claims, it doesn't. If you go about just denying the permission to it, it will keep quiet. If, however, you say "Fake permission" and then it gets what looks like a valid video stream, maybe it will try to use the camera illicitly. The only way to tell is if the "fake" camera then reports "hey, I'm actually being used".

Similarly for storage... you give it "fake" storage and then it complains each time you start that it's the first time it's run - because without the persistent storage, it doesn't know.

It doesn't add much, but it stops the "To install Facebook which everyone else has, you need to allow this permission or it just stops when you load it", meaning users will then just give it that permission. And the cost? Minimal. A fake camera source, a RAM disk or fs overlay, a fake NMEA stream. I guarantee you those are already present for testing anyway.


Biting the hand that feeds IT © 1998–2020