App Permissions – The Good, The Bad, and Why You Need to Pay Attention

finjanmobileBlog, Mobile Security

App Permissions

Here’s a familiar scene for mobile users:

You’ve just been skimming the pages of your favorite app store and settled on a new bunch of killer apps to spice up your phone. BUT…

That flashlight you want with the neon strobe effect is asking to screen your calls and read your contact list.

That cutting edge calendar app wants access to your camera and microphone.

And for some reason, that memory booster and system optimizer need to know your location, at all times.

In the eyes of many users, today’s breed of mobile applications seem to make unreasonable demands before allowing you to install them – demands that may be hiding unscrupulous or even malicious intentions. Surely, software should be able to do its job without asking you to pledge the life of your first-born – as some of the more extreme app permissions seem to do?

What Are App Permissions?

As their name suggests, permissions are concessions or allowances that you agree to as a user, to enable a mobile application to perform its full range of functions. Within their phrasing or description, each permission sets out the conditions that the app may affect (or that may affect it, in turn) while the application is installed or in use.

The design and coding of an app will to a large extent dictate the permissions it needs to ask for – but the rules and restrictions of the operating system it’s running on will also play a part in this. In addition, app stores will only offer a program to users on their platform whose devices actually support the features for which permission is being sought.

Android users will recognize permissions from the long list of them typically presented in their product description at the Play Store, and/or in the dialog presented to the user ensuring that “I Agree”, just before an app is installed. But other mobile operating systems have different methods of approaching and handling app permissions.

Users of iOS systems are usually presented with a request for permissions on a case by case basis, as each application feature which requires a permission comes into play. Windows Phone and Windows (Metro apps, or the Modern user interface) users may receive permission requests at runtime or before installation, depending on the app. And in some cases, Windows users are simply informed that an app is using an operating system feature, with no permission being asked at all.

For the concerned user, the permissions protocol can be a confusing one – especially if so many are presented at once, there’s little clarification about what they mean and what they’re actually used for and even less understanding of the potential consequences.

App Permissions – Good Reasons to Ask

In an “ideal world” scenario, the requesting and granting of app permissions is designed to ensure that a piece of software is given the user, data, and system access it requires to do its job properly.

And presenting the user with a list of the permissions it requires (however long it may be) is a gesture of transparency and good faith on the part of the developer – simultaneously indicating that they have nothing to hide, and providing the inquiring user with a deeper insight into how their new app actually does what it does.

In the case of system apps from device manufacturers and big names like Google – or tools from reputable third parties like web-based email or social media platforms – these philosophies are pretty much adhered to. And users can go through the list of their permissions, secure in the knowledge that there’s typically a legitimate reason for each one.

For example:

  • “Your personal information — read/write your contacts”: A messenger app or email contact would logically need to make this claim.
  • “Your precise location — GPS and network-based location”: A geographical mapping application or any app that needs to pinpoint your location (e.g. to provide guidance round the room, for the visually impaired) would be expected to ask for this permission.
  • “Services that cost you money — directly call phone numbers”: Dialer applications (including voice-activated ones) would need to be allowed to do this.

Bad Reasons to Ask

On the flip side are those mobile apps whose permission lists include requests for access or functionality that have little or nothing to do with the software itself, or its stated purpose. In the best case scenario, this may be the result of poor design or development practices, and/or the misinterpretation of the demands of the operating system that an app has been designed for.

More commonly (and unfortunately) however, the request for extensive or intrusive permissions may be down to some ulterior motive, on the part of the app developer or their sponsors. Data-mining operations for marketing and advertising networks, or even for more sinister purposes such as fraud and identity theft may be one motivation.

Then there’s just plain malice. Requesting (and being given) permission for an app to perform operations that can provide access to user credentials, personal documents and images, personally identifiable or health information throws these resources open to abuse at the hands of blackmailers, extortionists, identity thieves, and cyber-criminals of all kinds. And permissions that grant an app deep system access are a great ruse for the installation of malware, spyware, and the hijacking of systems.

Some red flags might be raised by the following:

  • “Your personal information — Modify/delete SD card contents”: An app with this permission may read, write, delete, or alter documents and files on your device’s external storage. It could easily install malware without your knowledge.
  • “Network communication — full network access”: This grants an application free access to the internet (using your device’s data connection, or WiFi), to upload or download data as it requires. A potential route for streaming in advertising or push notifications, and streaming out information to external parties.
  • “Phone calls — read phone status and identity”: Your phone status (incoming call, etc.) may be relevant to how an app behaves in the foreground – a game or video might automatically pause, for example. Your device identifier may be revealed to an app without exposing any of your personal information. But your IMEI number (the identifier which the phone company uses to associate your device with your particular name, address and other information) is another matter. Many apps ask for this permission (which includes all of these identifiers), and many of them abuse the privilege of getting it.

App Permissions – A Reasoned Response

So, how can you know whether the permissions you’re being asked for are there for legitimate reasons? And what can you do to find out whether an app is trying to take advantage of your trust, or genuinely looking to provide an extensive set of features? Well…

Before installing an app, take the time to read through all the blurb associated with it at the app store (you are downloading it from an approved app store, right?). This includes the permissions list, Terms and Conditions (which may contain not so veiled references to how your data will be used for various purposes), and the user reviews and comments – which are often enlightening enough in themselves to sway your decision to install it one way or another. Those few minutes you spend reading may save you from weeks or months of regret, later on.

When going through the permissions list, use logic and common sense. Should a flashlight app really need to write data to your external storage? Why should a photo editor ever need to make a phone call? And so on.

Depending on the device and operating system that you use, it may be possible to adjust some app permissions manually, without breaking the software’s functionality.

There are third-party monitoring apps (read the permissions associated with these first, of course) that can study the other apps on your device to see if they’re doing anything suspicious, and/or prevent them from accessing or transmitting data. Installing one of these watchdog apps may assist you in reining in some of the more permission-hungry applications on your device.

And remember that you can always become an instrument of change, by voting with your feet. If an app in the store asks for too many permissions (or doesn’t adequately explain why they’re needed), you can leave a comment to the developer and boycott it. If enough people do the same, they’ll soon get the message and clean up their act – if they really want to make any more money.

Share this Post