“I will open the door to your house, search through your room, turn everything upside down and then just go away. May I? Pretty please?”. And then you would just say “Yes!”, which in social network terms would read as “Allow”. Would you? Really?
Ever heard of banner blindness? Well, it’s the name people working in the website usability domain have coined for the situation in which, no matter how big, colorful or animated a banner is, people will still disregard the information it contains. I bet we can talk about a similar type of blindness in the case of the Permissions box that is displayed before the installation of an app on a social network account.
Do you remember what permission requested the last app you installed? Can you blame anyone for missing anything on that list? Not really, I would say. There’s a bunch of pretty bland text portions and a set of icons that are supposed to indicate what each permission enables the app to do with specific parts of your data. Not the most captivating piece of reading, unless you take the time and make some deductions of this type: “So, what can happen if I allow you to send me e-mail?”.
Let’s take a peek at what’s in your apps’ closet. Don’t know where that is? I hope you like the Hansel and Gretel story, ‘cause we’ve got quite a long way to go. Take the Account-> Privacy Settings path:
Stop at the Apps and Websites roundabout.
Then click Edit your settings and you’ll get to the list of Apps you use. Click Edit settings again.
Hang, on, just one more step to go!
Edit Settings once more and there you have it: the list of permissions the respective app required.
By the way, this little trip through the Privacy Woods will come in handy if you ever decide you want to part ways with an app that’s gotten too annoying (see the Remove app button? A true forget-me- not!).
Let’s just make a little picnic stop and feast our eyes on our Permissions. The first two are required by the social platform and they allow for you to be clearly identified. The Post to Wall permission is there to allow the app to communicate to you either by means of warnings about suspicious items or through statistics on the activity in your account. The last three permissions are connected to the actual safety of your account, as BitDefender safego could not do its job unless it were able to “see” your posts and scan any suspicious link at any time.
Here comes your question: “Isn’t there a fixed set of permissions that an app can require? How will this help me tell the good from the bad?”.
“Correlation”, would be my answer. Carefully consider what the app promises to deliver (“who viewed your profile”, “first status”, etc.) and how plausible such promise is. For instance, if they promise you the Moon, ask your dear friend the Internet about whether that is possible or not (i.e. what say you, my browser of choice, is it possible to find out who viewed my profile on Facebook in the past two months?). You may find that the promise is false or that it is true, but that it can be easily used as a bait (this is where you can apply the “too good to be true” rule) or simply that other people have had their doubts about that problem. Sounds complicated, but it’s actually a couple of minutes’ work.
Practice makes perfect, so here are some of examples of how you can “read into” permissions and their consequences when they are requested by bad apps.
Send me e-mail.Your e-mail is very valuable for spammers. Two things should be kept in mind here: first, social network applications are entirely cloud-based, which means that they use their own cloud (Facebook applications are not developed by Facebook unless so specified); second, it is impossible to control what happens to the data that goes into the cloud. This means that your e-mail, for instance, may end up in the wrong hands, namely spammers’.
Access my basic info.Worst case scenario? Together with you e-mail address your basic info can help spammers create customized messages that are likely to hit some soft spots in point of likes, interest and so on. And we’ve got evidence to back that up! Some BitDefender honeypots have already caught spam sent to e-mail addresses collected by the infamous “see who viewed your profile” scam.
These two permissions may be quite intrusive, but you should not forget that they’re absolutely necessary for the operation of a whole army of legit apps. Once again, just apply our simple “correlation” rule.
Manage my pages.Just as in any classic story, this permission can become quite a dangerous tool if it ends up in the wrong hands. Why is that? Because you will then see the bad app having requested it turn into your loquacious spokesperson on all of the pages you’ve ever liked …quite a pest. However, if it’s there, then there must be something good about it as well. Right you are. It would only be logical, for instance, for an app that acts as an analytics interpretation tool to request it.
Post to wall.I guess you’re already familiar with the effects of this permission when it’s abused by bad apps. All of our social scam reviews so far have made at least one reference to the tons of unwanted messages such an app could post on your wall as well as on your friends’. In good app land, on the other hand, this allows legit apps to post interesting or useful info that the user has expressly agreed to receive and read.
Access my data anytime.When misused, it can be equated to allowing strangers to keep an eye on what's happening in your house at all times. Any Big Brother shivers down your spine? This would allow the creators of tricky apps to send their message out at the right moment …Do you really want that?
Don’t forget that BitDefender safego is there to keep your social network account safe from harm.
Happy sharing, everyone!
This article is based on the technical information provided courtesy of George Petre, BitDefender Threat Intelligence Team Leader
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.