The idea of privileges should be something that's very well understood by an Android developer. Android has this really nice system of permissions, which you can think of as a privilege. Just like you have to worry in Android about what permissions you have, the idea of least privilege is focused on the same thing: you don't ask for more permissions than you should have, and you don't ask for or use more privileges than you actually need to get something done. Now, this is going to be one of the most straightforward examples, because it has a very clear mapping into Android, and we're going to take a look at the least privilege principle in Android in the context of our login activity. So this is the same example that we've been running through before: we have a login button, an e-mail and a password. For this example, we've gone and stripped out a few things. We've stripped out the reset-password link and e-mail, we've reset the registering of an account and gotten rid of that, so we're going to focus in on just the login mechanism. Now, one of the things that's happened in this is the developer of this app decided, you know what? It would be really nice if I could audit and collect statistics on the zip codes that people are logging in from when they're using this app. I'd like to be able to know the geographic distribution of my users, where they use this, and I'd like to do it based on zip code. This is something that this user has decided to do to make it simple. Now, what they've done is they've gone and implemented this, they've removed this other stuff, so all we're checking for is if they clicked the Login button. And what they're going to go and do is use this special location helper that they've created, which uses the Google Play location services to get the address where the phone currently is. And so what's going to happen is they're going to go and get the address of the user's current location.
And once that address is found (and this is going to be happening asynchronously, so you'd probably want to show a progress indicator or something else after they click the login button), then they're going to actually go and get the e-mail address for the user, get the zip code for the user, and they're going to log this login: the person's e-mail, which is their user account, and their zip code, where they were when they did this login. Maybe they're also going to, later in the future, try to use this zip code information to help identify potential attacks on someone's account, by seeing that they were in some weird zip code across the world when they tried to log in; that might be suspicious activity. There could be a lot of reasons that they're going and implementing this. Now, in order to make this functionality work and get access to the user's location, because it's Android, we also have to go and add a permission. So they've added the fine location permission in order to log this information, and they've also added the Internet permission, so that they can go and send this usage statistic information back to some central server. Now, the first thing we need to say is, if we're trying to operate with least privilege, we have to go and look at our code and say, what are the privileges that we need? Well, these usage statistics need to be able to record the login and send it back to a server, so we need the privilege to communicate across the Internet, or use the Internet permission, which we have here. We also need the ability to get the user's zip code of where they currently are, which is why they've gone and added the access fine location permission. Now, let's stop for a minute and see what we're doing. We're accessing the zip code, and in order to do that, we're asking for fine location permissions. Do you see how we subtly violated the principle of least privilege?
And the question is, do we really need fine location privileges, or permission, to get the zip code of where the user is? Well, the answer is, in Android, no, we actually don't need that. We could get away with something simpler: we could get away with the coarse location permission. So we don't actually need to turn on the GPS for the user and get their specific latitude and longitude in order to get their zip code. We would be perfectly fine using Wi-Fi and the cell tower information, more than likely, to get the user's information in order to produce a zip code. So this is a subtle case where we're trying to pull something off, which is we're trying to get the zip code, and we're asking for more than we need; we're asking for the finest-grain location, but we don't really need that. Now, is that a big problem in this case? Probably not; there's probably not a security vulnerability lurking in this. There could be, though. If we open ourselves up later to receive intents or communicate with other apps, then any permissions that we've taken we now have to take on the work of protecting. And so by taking on fine location when all we need is coarse location for a zip code, we're actually taking on additional permissions that we don't really need. And if every app does that, you are weakening the security of the user's device and the Android permission model. So there's also another subtle reason we might not want to do this on Android, and that is it's less expensive from a battery standpoint to just get the cell towers or the Wi-Fi to give the location of the device. So coarse location comes from cell towers and Wi-Fi, and doesn't consume as much power typically as doing the fine location with the GPS. So not only is it that, in this case, we're taking advantage of additional privileges that we don't need, but we're also using other resources on the user's device in order to produce something simple, like the zip code. So we don't really want to take and use more than we need.
We always want to use the least privilege possible. And in this case, where we're trying to log the zip code of the user when they log in, this is a subtle case where, by accessing the fine location permission, we're taking more than we need. We're taking additional privileges that we shouldn't be taking.
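One way to catch this kind of over-declaration before it ships is a manifest audit in the build. The following is an added example, not code from the course or from the login app it walks through: a Python script that parses an AndroidManifest.xml, compares the declared `uses-permission` entries with the feature's documented privilege budget, and suggests the weaker alternative where one satisfies the need. The two embedded manifests are constructed for this example (the fine-location version the lecture describes and the coarse-location fix); the `REQUIRED` set and the `WEAKER_ALTERNATIVE` map are assumptions about this particular feature that a real project would maintain as part of its review. The permission strings themselves are real Android permission names.

```python
"""Least-privilege audit of an Android manifest.

Added example, not code from the course or the login app it discusses.
Flags <uses-permission> entries that exceed what the "log zip code at login"
feature actually needs, and proposes a weaker permission where one suffices.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest as the lecture describes it: INTERNET plus
# ACCESS_FINE_LOCATION, even though only a zip code is ever used.
MANIFEST_BEFORE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.login">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="Login" />
</manifest>
"""

# Constructed manifest after applying least privilege: coarse location
# (cell tower / Wi-Fi) is enough to geocode a postal code.
MANIFEST_AFTER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.login">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <application android:label="Login" />
</manifest>
"""

# Assumed privilege budget for this feature: send the login record to a
# server, and resolve a coarse position to a zip code. Nothing else.
REQUIRED = frozenset({
    "android.permission.INTERNET",
    "android.permission.ACCESS_COARSE_LOCATION",
})

# Assumed map of "stronger" permissions to a weaker one that often suffices.
# Extend per project; only the entry the lecture discusses is listed here.
WEAKER_ALTERNATIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "android.permission.ACCESS_COARSE_LOCATION",
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def audit(manifest_xml: str, required: frozenset[str] = REQUIRED) -> dict:
    """Compare declared permissions against the privilege budget.

    Returns a dict with:
      excess  - declared but not required (least-privilege violations), sorted
      missing - required but not declared (the feature would fail at runtime), sorted
      suggest - {excess permission: weaker alternative that is in the budget}
    """
    declared = declared_permissions(manifest_xml)
    excess = sorted(declared - required)
    missing = sorted(required - declared)
    suggest = {
        p: WEAKER_ALTERNATIVE[p]
        for p in excess
        if p in WEAKER_ALTERNATIVE and WEAKER_ALTERNATIVE[p] in required
    }
    return {"excess": excess, "missing": missing, "suggest": suggest}


def is_least_privilege(manifest_xml: str, required: frozenset[str] = REQUIRED) -> bool:
    """True when the manifest declares exactly the budget: nothing more, nothing less."""
    result = audit(manifest_xml, required)
    return not result["excess"] and not result["missing"]


if __name__ == "__main__":
    for label, manifest in (("before", MANIFEST_BEFORE), ("after", MANIFEST_AFTER)):
        report = audit(manifest)
        print(f"{label}: least privilege = {is_least_privilege(manifest)}")
        for p in report["excess"]:
            hint = report["suggest"].get(p)
            print(f"  excess:  {p}" + (f"  (use {hint} instead)" if hint else ""))
        for p in report["missing"]:
            print(f"  missing: {p}")
```

Run it as a CI step against the project's real manifest with the project's own `REQUIRED` set, and fail the build when `excess` is non-empty; the `suggest` entry for `ACCESS_FINE_LOCATION` is exactly the substitution the lecture recommends. The manifest declaration is only half of the picture on modern Android: location permissions are also granted at runtime, so the request in the activity has to ask for the coarse permission as well, and the location client should request balanced-power (not high-accuracy) priority so the GPS is never turned on for a zip code.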