
   comp.mobile.android      Discussion about Android-based devices      236,147 messages   


   Message 235,895 of 236,147   
   Maria Sophia to Jeff Layman   
   Re: How many apps on your phone have con   
   12 Feb 26 17:31:19   
   
   From: mariasophia@comprehension.com   
      
   Jeff Layman wrote:   
   >> Drat. It crashes every time. Can you (or someone also helpful) test it   
   >> for the team? It seems like a decent app to get the "real" permissions.   
   >   
   > I installed that Contacts app (Vayun Mather) but on running it crashes   
   > for me too with an error message: "Contacts keeps stopping".   
      
   Hi Jeff,   
      
   Thanks for adding on-topic technical value to the privacy discussion.   
      
   Wow. I appreciate that you tested the app for the team. Most people on   
   Usenet aren't as helpful as you and I am in that respect. Much appreciated.   
   Sorry it was a waste of your valuable time, but we saved others' time.   
      
   We're trying to solve a very real gap in Android 12+ which is to find a   
   simple, reliable, on-device app that can list all packages holding a   
   specific permission (e.g., READ_CONTACTS) without root.   
      
   The built-in Samsung permission UI is too coarse, adb dumpsys is too huge,   
   and the F-Droid "Contacts Permission Viewer" app crashes on modern devices.   
      
   > I also installed Permissions Summary and ran that, but it seems to give   
   > less info than my phone Settings info which I posted earlier. For   
   > example, it reports only FairEmail as accessing Contacts.   
   >   
   > I've uninstalled both.   
      
   Thank you for testing these two apps, which helps others on the team.   
        
      
        
     Permission Summary is a lightweight, open source Android app   
     that helps you quickly check which apps have access to sensitive   
     permissions on your device - in just a few seconds.   
      
     The app only lists user-installed apps and only those with   
     dangerous permissions. These are permissions Android classifies   
     as potentially privacy-invasive and require explicit runtime approval.   
     Permissions Checked:   
      ... snip ...   
      Contacts - Read, write, or access contact data and accounts   
      ... snip ...   
      Non-dangerous permissions like INTERNET, POST_NOTIFICATIONS,   
      and BLUETOOTH are intentionally excluded to reduce noise.   
      
       
    Name: com.simpol.permissionssummary_130.apk   
    Size: 5070639 bytes (4951 KiB)   
    SHA256: F1D43B111346C3BB39CCA97DCFA4DDACA778DD9F2422716196ED4E64044B347E   
      
   In my tests, it came up with a "Permissions Summary" screen with each of   
   the types of permissions listed in blue buttons, one of which was   
   "Contacts" but in my case, it said "11 apps have this permission".   
      
   We both know that's dead wrong, but I hit the down arrow and it   
   brought up the 11 apps that it found with read-contacts permission.   
    1. Barcode Scanner    
    2. Barcode Scanner+    
    3. Calendar Import-Export    
    4. Etar Calendar    
    5. Import Contacts    
    6. Export Contacts    
    7. GPS to SMS    
    8. Pulse    
    9. SMS Backup & Restore    
   10. Smart Switch    
   11. WhatsApp    
   Each of which, when clicked, takes us to that app's settings   
   page in the Android settings (which is a nice feature).   
      
   These are all   
    a. User-installed   
    b. Declared READ_CONTACTS   
    c. Granted READ_CONTACTS   
    d. Visible to the app under Android 13's restrictions   
   But about 60 apps are known by me to be invisible to it.   
      
   This is my main strategic-intelligence point about contacts privacy.   
      
   Most people who think there is no privacy issue have absolutely no idea   
   whatsoever which packages have access to their personal contacts.   
      
   Including me!   
   In my case, it doesn't matter because my contacts db is empty.   
      
   But the fact is almost nobody is as respectful as I am to our friends and   
   family so it's very important for other people to understand the point.   
      
   There are also three dots at the top right for "Trusted List" but I think it   
   simply hides apps you check from the main permission-summary screen.   
      
   I agree with you if I go to my unrooted Android 13 Samsung Settings >   
   Security and privacy > Privacy > Permission manager > Contacts   
   it says "15 of 60 Allowed", which again, we know is a brazen lie.   
      
   Interestingly, when I go to that lookup, it crashes the already running   
   Permissions Summary app, which is interesting but not diagnostic.   
      
   What all of us should take out of this is that unless we run an adb   
   dumpsys, everything we "think" about which packages are accessing our   
   contacts is overly optimistic (and hence, it undercounts the real privacy   
   issues). But my dumpsys is over two hundred thousand lines long.   
      
   Worse, a simple grep/findstring won't catch all that we want because the   
   name of the package is an indeterminate number of lines above the string   
     Package [com.cemique.shortcutwidgets]   
     ... snip ...   
     "READ_CONTACTS: granted=true"   
     ... snip ...   
     Package [am.ed.importcontacts]  (the next app in the list)   
      
   Those who think their contacts "are safe" are not basing that on facts   
   since, without running adb dumpsys, there is no known reliable way to tell.   
      
   If there was, we'd likely know it by now, but what I'll do is ask the   
   question on the XDA developers web site, which sometimes knows more than we   
   do here (but most of the time, they know less than we do about Android).   
      
   >> In addition, you have Muntashirakon App Manager, which everyone on this   
   >> newsgroup is well aware of as the best of the best of FOSS Android apps.   
   >>   
   >> For any installed app, AM shows:   
   >>   Requested permissions   
   >>   Granted vs. denied   
   >>   Whether the permission is runtime, dangerous, signature, or special   
   >>   Whether it was auto-granted by the system   
   >> So we can instantly see if an app has:   
   >>   android.permission.READ_CONTACTS   
   >>   android.permission.WRITE_CONTACTS   
   >>   android.permission.GET_ACCOUNTS (related to contacts)   
   >> But of course, that's on an app-by-app basis, so it's good, but manual.   
   >   
   > Yes, I had looked at what it reports for permissions, but going through   
   > hundreds of apps manually was not feasible.   
      
   Yup. Thanks for looking. I agree with you wholeheartedly that, while   
   Muntashirakon App Manager is one of the best apps on Android, it doesn't   
   output what I want, which is a list of all apps with contacts permission.   
      
   Only adb dumpsys does that (to my knowledge).   
      
   My main strategic-intelligence point here is if we are to make any rational   
   Occam's Razor type assessment of the privacy of our contacts, we need to   
   know two things which almost nobody knows (least of all me) which are:   
      
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
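
Added example, not part of the original post: a stateful parser for the problem described above, where the `Package [...]` header sits an indeterminate number of lines above the `READ_CONTACTS: granted=true` line, so a plain grep cannot pair them. It assumes the line shapes quoted in the post plus a `SharedUser [...]` header form (an assumption about the dump layout); the sample text and package names are constructed.

```python
import re
import sys
from collections import defaultdict

# Block headers: "Package [name] (hash):" or "SharedUser [name] (hash):".
HEADER_RE = re.compile(r"^\s*(Package|SharedUser) \[([^\]]+)\]")
# Grant lines: "android.permission.READ_CONTACTS: granted=true, flags=[...]".
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

# Constructed sample; package names are hypothetical.
SAMPLE = """\
Packages:
  Package [com.example.widgets] (constructed):
    requested permissions:
      android.permission.READ_CONTACTS
    User 0: installed=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
  Package [com.example.importer] (constructed):
    User 0: installed=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
        android.permission.WRITE_CONTACTS: granted=true
Shared users:
  SharedUser [com.example.shared] (constructed):
    install permissions:
      android.permission.READ_CONTACTS: granted=true
"""

def packages_with_permission(lines, wanted=("READ_CONTACTS",)):
    """Return {package: {held permissions}} for the wanted permission names."""
    held = defaultdict(set)
    current = None  # package whose block we are inside, if any
    for line in lines:
        header = HEADER_RE.match(line)
        if header:
            # A SharedUser block is not a package: stop attributing grants.
            current = header.group(2) if header.group(1) == "Package" else None
            continue
        grant = GRANT_RE.match(line)
        if grant and current and grant.group(2) == "true":
            short = grant.group(1).rsplit(".", 1)[-1]
            if short in wanted:
                held[current].add(short)
    return dict(held)

if __name__ == "__main__":
    # Pipe real output in, or run with no pipe to parse the sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for pkg, perms in sorted(packages_with_permission(source).items()):
        print(pkg, ",".join(sorted(perms)))
```

Saved under a name of your choice (here `contacts_audit.py`, hypothetical), it can be fed live output with `adb shell dumpsys package | python3 contacts_audit.py`. Requested-but-not-granted entries and `granted=false` lines are skipped, so the result lists only packages that currently hold the permission.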
