Beware of Amazon Appstore Update

I was checking this morning on my Samsung Galaxy S4 with the Amazon Shopping App. Today is Prime Day so was seeing what they had to offer. I was presented with a pop-up notification to update what I thought was for the Amazon Shopping App. I started the update and the first red flag that came up was it wanted me to Enable Unknown Sources on my device’s security settings. Basically, this is to allow you to be able to install apps outside the Google Play Store. I was somewhat confused why I needed to do this, but went ahead and did it anyway. I figured once the install was done I could turn this off.

Next I was taken to a screen to download the app, which like any other app on Google Play Store shows the most reviews. The most recent reviews were 1-Star with complaints about the app being nosey and other privacy concerns. Interesting. I tapped install to continue and then was presented with the permissions (I can’t not find or duplicate this now so these are from memory):

  • Access to sending and receiving SMS messages (with a warning this may cost you money)
  • Access to your contacts
  • Access to delete shortcuts

At this point I decided not to continue and went back into my device settings disabled the Enable Unknown Sources.  I returned to my Shopping App and was able to continue to use it as normal and have not been prompted again to install the Amazon Appstore

So I got to thinking about the permissions, mainly the contacts. I thought maybe it had to do with being able to purchase/send items for/to your contacts. But, then you can setup that up manually within already. It was then I recalled that the installer was talking about apps from Amazon Appstore such as games. Oh great, this is just as bad as the Facebook Games, if not worse if it wants to send SMS notifications to your contacts about your Amazon Games. Okay, may be I am thinking about this all wrong.

Now, according to Amazon Help in regards to the sending SMS messages with the Amazon Appstore for Android:

When installing Amazon Appstore for Android, your device may display a notification indicating that the app will get access to sending SMS messages, and that “this may cost you money.” At this time, SMS verification is only used by the Amazon Appstore in selected regions, and is not required if you have an account on

Hmm…that sort of makes sense. After more digging around I found some interesting things.

  • Google is very broad in their permissions and they must be consistent for the App region wide . On example is for a music app to be able to pause the audio if it detects an incoming call.  Simply Google will indicate that this app is requesting permission to access your phone calls. Google needs to expand on this in more detail to explain why it needs this permission.
  • The SMS verification (in lieu of email verification) is used mostly in Chinese market where such a verification process is the norm and preferred by customers. While this only applies to the Chinese market, Google’s policy is the app must request this permission regardless of the devices registered location (even if the app does not use this feature in said location). I suppose a work-around for that would be to have a separate app for the Chinese market, but that is costly and time consuming.
  • There was another comment somewhere (can’t find it now), which provided a theory about permission to access your contacts as well as sending SMS. It had to do with sharing (or sending a link) to an app on Amazon’s Appstore.
  • Per the Google Play Developer Program PoliciesDo not send SMS, email, or other messages on behalf of the user without providing the user with the ability to confirm content and intended recipient. This means an app can not send out SMS messages without the user first opting in. If an app was sending random SMS messages, it would be removed from The Google Play Store.

That does clarify a lot, but I still don’t get the delete shortcuts permission. Still, I don’t recommend installing the Appstore App for the simple reason that you are putting yourself at risk by enabling Unknown sources on your devices. It is not that I don’t trust the Amazon Appstore, rather it is an issue that a user may inadvertently install a malicious app from somewhere else. I suppose a better approach would be for Google to allow this option on an app level basis (versus global), where the user gives permission for the Amazon Appstore to install their apps. This way only apps from the Google Play Store and Amazon Appstore can be installed, apps from other sources would still be blocked from installation.

Bottom line you do not have to install the Amazon Appstore app to continue using the Amazon Shopping App. Amazon is simply trying to get you to be able to install their Fire apps (ported to Android) on your Android device (while making your device vulnerable). One more thing, the Amazon Shopping App also request permission to send SMS notifications. Again, a blanket permission and the user must enable this in the app for order status and shipping notifications.