Articles Code About

A Quick Analysis of the Turner App

It's pretty straight forward to disassemble an Android application to see how it works. Since there were some concerns on Facebook about the Turner mobile application accessing private information, I thought I would take a second to break down what the application is capable of.

In order for an application to perform certain actions, access certain files or hardware, it must request permission from the operating system. This allows you to easily see what the application is capable of just by looking at what permissions it's requesting.

Below is a breakout of the permissions contained within the AndroidManifest.xml file for the Turner app. This file is a required file for all Android applications that must be a part of the package in order for it to be valid. It describes the package itself, the processes that make it up, as well as the permissions that it requests from the operating system. The code excerpts are copied directly from the AndroidManifest.xml file, extracted from the Turner app. I will explain briefly what each permission is for, and my suspicion (if any) as to why the Turner app needs each permission.

<uses-permission android:name="android.permission.INTERNET"/>  

This permission is required for an android application to access the internet. Even the most basic applications will use this.

<uses-permission android:android="name.permission.ACCESS_NETWORK_STATE"/>  

This permission allows the application to know whether or not the device has an internet connection. The reason they are using this permission is obvious.

<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>  

This is probably the most controversial permission that the Turner app is requesting. This permission allows the app to access the high-granularity location of the device, usually retrieved from the GPS reciever, but can also be triangulated based on cell phone towers, or determined based on available WiFi networks or the connected WiFi network. I'm not sure what they are requesting this permission for, but it's most likely used in the case of getting direction to one of the schools or an event. I haven't used the app so I couldn't say definitively.

<uses-permission android:name="android.permission.CALL_PHONE"/>  

This permission is probably in use so that if you decided to call one of the schools offices/numbers from within the app, the app can open the dialer and dial for you. No issues here.

<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>  

This allows the application to write data to the your phones SD card. Not sure what they are storing, but since they are not requesting read permissions I don't see any issues with this.

<uses-permission android:name="android.permission.GET_ACCOUNTS"/>  

This permissions allows the app to access the list of accounts set up on the device. Not sure what this is used for.

<uses-permission android:name=""/>  

The C2DM RECIEVE permission allows the app to recieve push notifications. An example of a push notification is when someone tags you in a post on Facebook, a notification is in your phones activity/notifications bar. So you can possibly expect to recieve push notifications from Turner.

<uses-permission android:name="android.permission.READ_CALENDAR"/>  
<uses-permission android:name="android.permission.WRITE_CALENDAR"/>  

With these permissions, Turner has the ability to read and write to your device's calendar.


There doesn't seem to be anything malicious, or anything that would warrant reason to suspect there are any privacy concerns with installing the Turner app.

On top of this, it may be comforting knowing that the Turner application was not developed in-house by Turner staff, but by a third party company called Blackboard, who builds software for education.

If you're feeling inclined, you can download a copy of the AndroidManifest.xml file here.