Automatically updating Android apps could get riskier thanks to a change Google developers have made to the way the OS discloses new app permissions, such as the ability to send potentially costly text messages or track a user's precise geographic location.
Previously, automatically updated apps displayed explicit details when a new version gained additional privileges. For example, an app that previously tracked only coarse GPS coordinates would warn users if an update would begin receiving fine coordinates. Similarly, a newly assigned ability to send SMS messages would also be disclosed. Under changes implemented through the latest Play store app, neither new privilege is displayed if a user has previously accepted any other permission in the same category as the new permission. In other words, by accepting one permission from a category, users agree that every other permission in that category can be added without notification in future updates.
The change is an attempt by Google to streamline and simplify the process of installing updates. Rather than providing lengthy details many users likely don't understand, the new permission disclosure is much less verbose. Permissions are indicated only by a very general category such as Location, SMS, or Contacts/Calendar. Users who want to track precisely how a permission may have changed must click the category to see if specific new capabilities have been added. As a result, an app update that replaces coarse location with fine location simply shows the location category. End users must manually drill down to learn of the change.