In addition, the location information request is also
expected since the location is used to retrieve the forecast
for the user’s current location. The phone state and
identity permission looks suspicious, but many
applications use it to check the phone status, such as whether a voice
call is in progress. For example, a music player app would
use the phone status to mute the sound during a voice
call. On the other hand, the identity information is
sometimes used to register users who purchased an
application in order to reduce piracy. Unfortunately,
this is an example of poor permission grouping since the
applications that need to check the phone status often do not need
to access the sensitive identity information, such as the IMEI or
IMSI. Furthermore, Android 1.6 applications are
automatically assigned the phone state and identity
permission. Since this permission is widely used, the user
will be less suspicious if an application requests it.
Acquiring the phone status and identity permission allows
the World Weather application to pair the identity
information with location information, i.e. link the user
and location. By acquiring this information, the attacker
can easily monitor the mobile device user’s movement.
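
The permission pairing described above can be checked from an app's manifest. The following is an added example, not code from the original paper: it parses a decoded AndroidManifest.xml and reports whether the app can link device identity to location. The sample manifests are constructed, and the API-level cutoff used for the automatic grant is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
IDENTITY = "android.permission.READ_PHONE_STATE"   # call state AND IMEI/IMSI
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
# Assumption: apps targeting an API level below this cutoff are granted
# READ_PHONE_STATE automatically, without declaring it in the manifest.
IMPLICIT_BELOW = 4

def audit_manifest(manifest_xml, implicit_below=IMPLICIT_BELOW):
    """Report whether the manifest lets the app pair identity with location."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    raw = None
    if sdk is not None:
        # targetSdkVersion falls back to minSdkVersion when absent.
        raw = (sdk.get(ANDROID_NS + "targetSdkVersion")
               or sdk.get(ANDROID_NS + "minSdkVersion"))
    if raw is None:
        target = 1                      # no <uses-sdk>: platform default
    elif raw.isdigit():
        target = int(raw)
    else:
        target = implicit_below         # codename build: never implicit
    implicit = IDENTITY not in declared and target < implicit_below
    identity = IDENTITY in declared or implicit
    location = sorted(declared & LOCATION)
    return {"identity": identity, "identity_implicit": implicit,
            "location": location,
            "can_link_user_to_location": identity and bool(location)}

def _manifest(perms, sdk=""):
    """Build a constructed sample manifest for the checks below."""
    uses = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="com.example.weather">%s%s</manifest>' % (sdk, uses))

# Constructed samples: explicit request, legacy app, newer location-only app.
WEATHER = _manifest(["INTERNET", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE"],
                    '<uses-sdk android:minSdkVersion="4"/>')
LEGACY = _manifest(["INTERNET", "ACCESS_COARSE_LOCATION"])
LOCATION_ONLY = _manifest(["INTERNET", "ACCESS_FINE_LOCATION"],
                          '<uses-sdk android:targetSdkVersion="8"/>')

if __name__ == "__main__":
    for name in ("WEATHER", "LEGACY", "LOCATION_ONLY"):
        print(name, audit_manifest(globals()[name]))
```

The legacy sample is flagged even though it never names the phone state and identity permission, which is the case a reviewer reading only the declared permissions would miss.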