Erika Chin and I have been working with Fortify’s Security Research Group to integrate Android permission warnings into Fortify SCA. Specifically, Fortify SCA now warns Android developers when permissions are missing or unnecessary (i.e., when an application is under- or over-privileged). Here’s an excerpt from the Q4 release notes:
Google Android – Updated support now provides improved detection of underprivileged Android applications, including missing permissions for privileged API calls, as well as sending and receiving intents. In addition, Fortify now detects overprivileged Android applications that request unnecessary permissions. This update introduces three new categories related to privilege management.
Hopefully this will help developers avoid permission errors.
For those of you looking for a free alternative, Stowaway can tell you if your application requests permissions it never uses. Stowaway has the advantage of working on compiled code (so it can also analyze third-party libraries you only have in binary form), but it doesn’t warn developers about missing permissions (which Fortify SCA does).
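To make the two checks concrete, here is a toy over-/under-privilege checker I have added as an illustration. It is not Fortify SCA’s or Stowaway’s implementation: the API-to-permission and intent-to-permission maps are constructed, partial samples (a real tool needs the full empirically derived map and a proper Java or Dalvik parser rather than a regex over source), and the manifest and source snippets it runs on are made up for the example.

```python
"""Toy checker for under- and over-privileged Android apps.

Added illustration only; not Fortify SCA's or Stowaway's code.  The
permission maps are constructed, partial samples, and the call-site
matcher is a regex over Java source rather than a real parser.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample map: privileged API call -> permission it requires.
API_PERMISSIONS = {
    "android.telephony.TelephonyManager.getDeviceId":
        "android.permission.READ_PHONE_STATE",
    "android.location.LocationManager.getLastKnownLocation":
        "android.permission.ACCESS_FINE_LOCATION",
    "android.telephony.SmsManager.sendTextMessage":
        "android.permission.SEND_SMS",
    "android.net.ConnectivityManager.getActiveNetworkInfo":
        "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed sample map: broadcast action -> permission needed to receive it.
INTENT_PERMISSIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "android.permission.RECEIVE_SMS",
}


def declared_permissions(manifest_xml):
    """Permissions the app requests via <uses-permission> in its manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.findall("uses-permission")
            if el.get(ANDROID_NS + "name")}


def registered_intent_actions(manifest_xml):
    """Actions the app registers intent filters for (receivers, activities, services)."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("action")
            if el.get(ANDROID_NS + "name")}


def used_apis(java_source):
    """Crude call-site matcher: looks for the short method name followed by '('.
    A real analysis would resolve the receiver type; this toy cannot."""
    found = set()
    for api in API_PERMISSIONS:
        method = api.rsplit(".", 1)[1]
        if re.search(r"\b" + re.escape(method) + r"\s*\(", java_source):
            found.add(api)
    return found


def audit(manifest_xml, java_source):
    """Return the under-privilege (missing) and over-privilege (unnecessary) findings."""
    declared = declared_permissions(manifest_xml)
    needed = {API_PERMISSIONS[api] for api in used_apis(java_source)}
    needed |= {INTENT_PERMISSIONS[a] for a in registered_intent_actions(manifest_xml)
               if a in INTENT_PERMISSIONS}
    return {
        "missing": sorted(needed - declared),      # app will crash with SecurityException
        "unnecessary": sorted(declared - needed),  # app is over-privileged
    }


# Constructed sample manifest: requests one permission it uses, one it
# does not, and registers an SMS receiver without RECEIVE_SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.toy">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample source: reads the device ID (covered) and sends an SMS (not covered).
SAMPLE_SOURCE = """
String id = ((TelephonyManager) getSystemService(TELEPHONY_SERVICE)).getDeviceId();
SmsManager.getDefault().sendTextMessage(dest, null, body, null, null);
"""

if __name__ == "__main__":
    for kind, perms in audit(SAMPLE_MANIFEST, SAMPLE_SOURCE).items():
        for p in perms:
            print(f"{kind}: {p}")
```

On the sample input the checker reports SEND_SMS and RECEIVE_SMS as missing (the app is under-privileged and would throw a SecurityException at runtime) and ACCESS_NETWORK_STATE as unnecessary (over-privileged). The name-only matcher is the weak point: it cannot tell a call on `TelephonyManager` from a same-named method on an unrelated class, which is exactly why a real tool works from resolved types or bytecode.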