Control Android app permissions with NativeWrap

Tired of using mobile apps that demand unneeded permissions that open the door to data collection and worse? Researchers from North Carolina State University have come up with a brilliant solution to the problem.

It’s called NativeWrap, and is unfortunately currently available only for Android.

Until now, Android and other smart phone users could either access sites via the web browser (and expose themselves to tracking cookies) or use an app that usually asked for unnecessary permissions that could end up exposing private data or creating other security concerns.

“The current state of the smartphone application ecosystem leaves privacy conscious consumers with a dilemma: either use the app while being aware of the privacy risks, or do not install the app,” the researchers pointed out, adding that many consumers sometimes end up deciding that an application’s benefit outweighs its privacy risks.

NativeWrap now gives them a third option – using the app and being in control of its permissions.

“When a user is visiting a Website in the phone’s browser that she would like to run as a native app, she ‘shares’ the URL with NativeWrap,” they explained. “NativeWrap then ‘wraps’ the URL into a native platform app while configuring best-practice security options. In effect, NativeWrap removes the third-party developer from the platform code, placing the user in control.”

It also provides phishing prevention. “By using a native platform app, the user can be trained to always use the phone’s application launcher to access security sensitive services,” the researchers note. “NativeWrap also pins the wrapped Website to a specific domain to ensure embedded elements (e.g., ads) do not redirect the user to a malicious site.”

The default permission given to a wrapped app is the one for establishing an Internet connection. Additional functional permissions can be chosen by the user.

Other great things about NativeWrap: it ensures proper SSL verification, adapts HTTPS Everywhere to allow the user to force SSL within the wrapped website, and creates a separate cookie store for each wrapped website to limit privacy loss when the same ad firm is used on many websites.
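The domain pinning, forced SSL and strict certificate handling described above can be sketched as an Android `WebViewClient`; this is an added example, not NativeWrap's own code. The class name `PinnedSiteClient`, its fields, and the choice to simply block off-domain navigations are assumptions.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Locale;

/** Hypothetical client for one wrapped site (illustration only). */
public class PinnedSiteClient extends WebViewClient {
    private final String pinnedDomain; // e.g. "example.com" (constructed value)
    private final boolean forceHttps;  // the user's "force SSL" choice

    public PinnedSiteClient(String pinnedDomain, boolean forceHttps) {
        this.pinnedDomain = pinnedDomain.toLowerCase(Locale.ROOT);
        this.forceHttps = forceHttps;
    }

    /** True when host is the pinned domain or one of its subdomains. */
    boolean isPinned(String host) {
        if (host == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        // The leading dot stops "evil-example.com" from matching "example.com".
        return h.equals(pinnedDomain) || h.endsWith("." + pinnedDomain);
    }

    // Called for page navigations (API 24+ signature), not for subresources.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        String scheme = uri.getScheme();
        boolean http = "http".equalsIgnoreCase(scheme);
        boolean https = "https".equalsIgnoreCase(scheme);
        if (!http && !https) return true;           // drop intent:, file:, etc.
        if (!isPinned(uri.getHost())) return true;  // assumption: block off-domain
        if (forceHttps && http) {
            // Upgrade the request instead of loading it in clear text.
            view.loadUrl(uri.buildUpon().scheme("https").build().toString());
            return true;
        }
        return false; // in-domain request: let the WebView load it
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Cancel is also the platform default; stated explicitly so that
        // nobody replaces it with handler.proceed().
        handler.cancel();
    }
}
```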

The solution has its limitations. The researchers have manually tested it with the top 250 Websites in the world (according to Alexa.com) and have discovered that NativeWrap is completely compatible with websites that still work on HTML4, and mostly compatible with those that use HTML5.

For more information about the solution, check out the researchers’ paper.
