Notice any funny permissions when installing Castle Clash?
When installing or updating Castle Clash, you might’ve noticed that the app seems to be asking for some pretty lofty admin status. Here are the two that got my hackles up:
- Allows an application to perform operations like adding, and removing accounts and deleting their password.
- Allows an application to perform operations like adding, and removing accounts and deleting their password.
IGG admin weighs in on security
Fortunately the IGG staff seem to be aware of the issue and have a reasonable explanation. This is from a Live Help chat on March 7, 2014.
Chatting with Xiel
11:17:54
very concerned about the new permissions on CClash. why would CClash need these?? “Allows an application to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.” and “Allows an application to perform operations like adding, and removing accounts and deleting their password.”
11:19:09
Ah, in regards with your concern, this would actually be tied-in with Google Accounts.
11:19:51
Castle Clash incorporates an account system which can be linked to Google Accounts for ease of access through various devices, which would be why the game requires permission to create or access Google accounts, in order to link the information properly.
11:20:06
Rest assured, however, that all information provided and used by the game system is confidential, and protected by law.
11:20:31
Not to mention several layers of encryption which can only be undone by Game Server administrators for IGG, which requires full permit from the higher-ups.
11:20:47
surely there’s a lower-level access that wouldn’t give you guys the ability to change passwords etc?
11:21:52
We are actually unable to change passwords within the game. That function is only used if a player was able to change their password using the Google play services, and requires the game to change its saved password for their account.
11:22:14
We do not exactly change the passwords on the Google account itself, but only for the game account access.
11:22:37
ok. definitely a red flag and something you might want to mention in the Play store description so people don’t get scared away :(
11:22:55
thanks Xiel.
More security info
See more at: http://appview.mobilesecurity.com/app/1153330/Castle-Clash#security