The Glaringly Huge Holes in Permissions

I don't still use Facebook, and haven't used it for years, but I knew what a huge glaring security hole app permissions were when they were first introduced. I'm sure I wasn't the only one that realized that most apps don't need those kind of permissions. And you should be able to deny them and still use the app. Or at least some of them, as long as it's not key to the app working. If you install a horoscope app, it only really needs access to your birthday. Maybe it may ask your name, but you should have the option of denying it, or giving a false name, if you want, because even the info about names and birth dates of hundreds or thousands or millions of people, tied to their Facebook accounts, could be worth money. But they give every app access to a treasure trove of data without extra permissions needed. Or at least they did back when I used Facebook. Hopefully they improved it. I can only assume that this is due to laziness on their part.

I knew that eventually someone would abuse that data. Actually, I figured quite a few would. That's why today, I assume there are many more companies besides the one that's in the news constantly that have sold their Facebook data. It's only a matter of time before it comes out that another company did, and then another, and another, and another.

There's a potential similar problem with Android. Though, thankfully they have undated their permissions to some degree. I can turn off location and deny it to various apps. Of course, it doesn't stop some apps from regularly nagging me about it. Sorry, I don't want any apps to track my location, so they can fuck right off.

There's an even more concerning security problem with permissions that has gone on for years and yet seems to be completely ignored, browser plugins. I think about it every time I install a plugin and weigh the pros and cons about whether or not I should install something. If it's open source, I'm a bit more likely to. But, it's always a bit concerning.

Say I want to save a bit of money when making purchases online. So I install a browser plugin that watches the pages I load in my browser and spiders them for data on products, suggests a better value at another store, or even suggests coupon codes. The problem is that they get access to every site that you go to through this web browser plugin. This is worse than just the URL of every website, because they are given read/write access to those web pages as you view them. They could use that data to do anything from blackmail to identity theft to plain theft or what-have-you. This sort of access is quite common. You have to give it to ad-blockers. Depending on what the companies log, what the plugin communicates, etc, this could be a huge security hole. Of course, the companies with access to this information may not use it for ill. They could never log it. They could only use it for exactly what they say they do. But if they do log it, and they get hacked...

Not all of these plugins need this level of access. In fact, the example of a shopping plugin could be approved on a case by case basis, depending on the URL. When you go to a URL, the browser could ask you to approve giving access to the plugin based on a list of sites that it's known to work with.

These things don't need the massive access to data that they're given.

Of course, installing an app on a traditional computer gives it unfettered access to all sorts of data on your computer. But then, people would notice if an app was accessing your browser data and communicating with an external server. Well, at least I would hope security experts would. But it's possible they might not.

Things are changing though. We use computers constantly. And we have CPU to spare. We need more security. And companies are only instituting it after a major story breaks about someone abusing the data. And even then, they're often not improving things much.

It's only a matter of time that another story breaks about some major data breach and insufficient security when it comes to permissions.

And I refuse to accept the idea that giving some corporation the rights over what applications I can and can't install somehow makes me more secure. Despite the fact that these companies have more than enough money to hire security experts to examine applications, if not all of them, at least some, they have proven that they are unwilling to spend the money to do so. Yet they are more than willing to limit our ability to look at porn.

I only hope that the next major security problem doesn't make the previous ones look like mere drops in a bucket we're all drowning in.

Every person practically has already had data stolen enough for their identity to be stolen, if it hasn't already. We're just on the cusp right now. I fear what the future holds.

_{Image by wonderferret September 24, 2007 CC BY 2.0 (source)}