How App Permissions Work & Why You Should Care [Android]

android   How App Permissions Work & Why You Should Care [Android]Android forces apps to declare the permissions they require when they install them. You can protect your privacy, security, and cell phone bill by paying attention to Android app permissions when installing those apps – although many users don’t.

Malicious apps can’t send premium-rate SMS messages or snoop on your personal information without asking permission – unless there’s a security vulnerability, of course. Often, people that install malicious apps could have noticed the problem by staying vigilant over Android app permissions.

Permissions Explained

Every app declares its permissions when you install it. It doesn’t request permissions — you can’t actually control these permissions. The app tells you what it requires, and you can take it or leave it. Android apps must declare permissions for nearly everything, from Internet access and writing to the SD card to monitoring your location and sending SMS messages.

You’ll see a list of these permissions when installing apps from Google Play. You can tap each type of permissions to get more detailed information. A similar screen appears when you sideload apps or install them from a third-party app store.

android permission   How App Permissions Work & Why You Should Care [Android]

Here we see that Path requests access to your Contacts data. Path was recently in the hot seat for secretly uploading contacts data from Android and iOS devices. Android users had some warning that Path could do this by virtue of its permissions, while iOS users had no idea.

image48   How App Permissions Work & Why You Should Care [Android]

Apple’s iOS lets apps read contacts without requesting any sort of permission and investigations found that a large amount of iOS apps upload users’ address books. Users may have assumed Apple’s app store review process would protect them, but this incident shows the advantage of using Android app permissions instead of relying on a review process.

The Problem With Permissions

Permissions are great – in theory. The problem is that most Android users had no idea Path was doing this either. For many users, permissions have unfortunately become like a EULA – something to quickly tap through when installing apps. This isn’t helped by the way permissions are presented, placing everything from accessing the Internet to sending premium-rate SMS messages in the same list.

Every app ask seems to ask for permissions. Even installing Angry Birds requires allowing access to your device’s ID and location. Angry Birds requests these to target ads, but this trains users to agree to permissions requests and makes permissions seem less serious, with problematic permissions blending in.

image49   How App Permissions Work & Why You Should Care [Android]

Automatic Updates vs. Manual Updates

Android can automatically update your apps, saving you time. Every now and then, however, you’ll see that an app can’t automatically update.

image50   How App Permissions Work & Why You Should Care [Android]

Whenever you see an app that requires manual updates, it’s because the app requires additional permissions. Usually, the app’s developers added a new feature that requires a new permission.

image51   How App Permissions Work & Why You Should Care [Android]

Theoretically, this is supposed to protect you from an app’s developers “going rogue” and updating a harmless app with malicious features. However, most users probably tap through the message without examining the new permission. You’ll see a “New” indicator next to each new permission.

image52   How App Permissions Work & Why You Should Care [Android]

Viewing App Permissions

Android also allows you to view the permissions of your installed apps. To do so, tap the Menu button, tap Settings, tap Applications, and tap Manage Applications. Tap an installed app in the list and scroll down to the view the permissions it requires.

image53   How App Permissions Work & Why You Should Care [Android]

Scanning App Permissions

The built-in way to view Android app permissions is a bit slow and tedious if you’re reviewing a lot of apps. To make this faster, install an app like aSpotCat. aSpotCat scans your installed apps and categorizes them by the permissions they require.

image54   How App Permissions Work & Why You Should Care [Android]

Avast! Mobile Security, a well-reviewed Android antivirus app, also includes its own permissions scanner, named the Privacy Advisor.

image55   How App Permissions Work & Why You Should Care [Android]

Restricting App Permissions

There’s no way to restrict app permissions by default. However, if you’ve rooted your Android device, you can install an app like Permissions Denied. This app allows you to revoke permissions from an installed app. Many apps will continue working if you revoke a permission, although some may force close (crash) when they attempt to use the permission.

image 99   How App Permissions Work & Why You Should Care [Android]

There are other cool things you can do with a rooted Android, too.

How much attention do you pay to Android app permissions? Do you ignore them, or do you hunt for apps requiring the least permissions? Leave a comment and let us know.

Check out more about:

The comments were closed because the article is more than 180 days old.

If you have any questions related to what's mentioned in the article or need help with any computer issue, ask it on MakeUseOf Answers—We and our community will be more than happy to help.

31 Comments -

0 votes

cdub

This is a great article. In an age of ‘buyer/downloader beware’ when it comes to privacy, more user education needs to happen about this topic. I don’t download apps where the permissions make no sense to me — the example of contact information is a perfect example. For better or worse, that severely limits the number of apps I have on my phone. Somehow, I survive.

0 votes

Chris Hoffman

Thanks for the vote of confidence, cdub.

Unfortunately, lots of apps could have a good reason for requesting the permissions they do. An app could say “we request contacts permissions, but we only use this if you use our optional in-app Share feature.” You’d have no way of knowing whether this is true or not — and you can’t deny permissions to an app without rooting your device.

0 votes

Joel Lee

Unfortunately, comparing permissions to an EULA is spot on. I don’t even bother checking the requested permissions–but that’s mostly because I only install apps that are well-known. When I’m installing Winamp or Catch Notes or the Kindle app, it doesn’t even cross my mind that the developers would do something dodgy.

That’s how I keep myself safe in general, whether it’s on my phone or on my PC or elsewhere. Only deal with known software from known developers who have had good reviews from previous users.

0 votes

Chris Hoffman

Very true. Dealing with popular apps is a good way to stay safe. I know that the Kindle app is probably safe, whereas Joe’s L33t Book Reading App may be more dangerous, even if it requires the same permissions

0 votes

guest25

remember the issiue witch apple keept user location data
you’re logic is mirage coz shoud i let devs/anyone who is well known/big/whatever give acces to my computer/data ? It is raddiculus that for instance game any game app woud have premision to my calls/personal info im really shocked that anyone installs it and almost all apps have insane premisions

0 votes

Chris Hoffman

Yes, that’s definitely true as far as privacy goes. I don’t want to argue with you there, I think it’s insane how many permissions apps require and I wish Google let us block them in stock Android.

That said, while popular apps like Kindle or Angry Birds may data-mine my personal info, they probably don’t contain malware that sends premium-rate SMS messages and drives my cell phone bill up. That’s what I meant.

0 votes

Bernadette

I always check the permissions and if they are things I am not comfortable with I don’t install the app. If it is something I really want and there is not a good alternative, I see how many people have downloaded the app, how many comments there are and if the comments are good. If all that is good and the web site is good and it looks like a valid company, then I will accept the app even if there are some permissions I don’t like.

0 votes

Chris Hoffman

That’s the most practical approach. Ideally, all users should behave that way. Unfortunately, most people don’t pay attention. EULAs have trained us to tap past these things, I suppose.

0 votes

Jack Cola

If you want to use the app, you have to agree to the permissions… Not something you really get a say on is it?

0 votes

Chris Hoffman

Yup, not really — it’s sad, Google should allow some control over this in the default OS, I think.

0 votes

John

Three letters: L-B-E. Four letters: F-R-E-E. ‘Nuff said.

0 votes
0 votes

hong

Ed

0 votes

Bob Drysdale

I always read the permissions but find they are generally pretty vague, saying what a permission can mean but not what the specific app actually does with them. For example, I declined to install a bank’s mobile banking app because it wanted to access my contacts. What the hell does it need to do that for?
If an app was precise about what it actually does with the permissions (some are) I might be more inclined to install it.

0 votes

Chris Hoffman

It could just be bad app design practices. Developers can sometimes be lazy and grab lots of permissions instead of fine-tuning them.

Still, if you don’t trust your bank, you might have a bigger problem!

0 votes

Stadsjaap

OK, but can anyone name some well documented instances of (for eg. Google App store) apps raiding passwords, nicking credit card details, uploading and spamming entire contact lists, hacking email accounts and the like?

Of course it can be done, but do we have any idea how widespread it is? Or is it a case of “Beware of swine flu!” (which killed 14,000 people in total) vs regular flu (which takes out 250,000 per year)?

My top tip is to “Arty Urbi” – Read The User Reviews Before Installing. You’ll see immediately is something is up. :-)

0 votes

Chris Hoffman

Well, Path was probably doing this on Android, too.

Lots of apps harvest a lot of personal data (the reason for the permissions requests) and use it to target ads and such.

Either way, it’s a concern. Giving apps the power to do this allows the permission to be abused in the future. Training users to ignore permissions because they don’t matter most of the time makes users vulnerable to malicious apps — why bother with a permission system if users ignore it, anyway?

Reading user reviews before installing is definitely a good idea.

0 votes

Wayne Hixenbaugh

I agree with Stadsjaap, whenever I come across an App that I don’t feel comfortable with I check the low rated reviews for permission problems. Sometime it can be time consuming but if I really want the App it’s worth the time.

0 votes

Chris Hoffman

It’s a good idea. The problem is that other users may not know if an app is sneakily doing something in the background, so it’s not a perfect solution.

0 votes

Tushar

Could you please explain different kinds of permissions and how the developer is going to get benefited with these permissions? (e.g. Access device’s ID to target ads.)

0 votes

Chris Hoffman

You can tap each permission to view more details. Answering that in a comment would require a lot of words and research.

Actually, that may be a good idea for a future article — thanks!

0 votes

Tushar

It will be nice to see an article on it. I needed this the most, as i always ignore the permissions messages. I always check Amazon’s daily free apps. Something has gone with my Galaxy S & now it became sluggish. I have tried “Fast Reboot”, “Android Assistance’s Quick Boot” but these apps even unable to free RAM. Only rebooting the phone frees the memory. If a get a clear idea, then i can avoid the apps which open back doors, even if they are useful. Thanks a lot.

0 votes

Chris Hoffman

You’re welcome! It definitely sounds like there’s a misbehaving app or two on your phone.

0 votes

G.

How the hell Google didn’t allow users to select which permissions to give to apps by default in the O.S.? Why I must FIRST install the app and LATER use a superuser app to LIMIT what the app wants to do?

I want to use a tiny free game for 5 minutes and I can’t deny crazy permissions to use it?

So finally I end not installing it.

This is a BIG mistake in the design of the app system. The USERS should have the right to select which permissions to give the apps, and receiving a warning with permissions that may lead to an unstable app, or give detailed information when is only a part of the permission you are giving and not something like: “yes, use all my private data for a f….ing game”.

I love Android, but this is very disappointing.

Sorry for my english, I’m out of practice.

0 votes

Chris Hoffman

I completely agree. The problem is just the developers abuse it — if apps request only sane permissions, there wouldn’t be much of a reason to lock down their permissions.

For example, if you wanted to install a camera app and it requested access to your camera, there’s no point in blocking that.

However, when you want to install a game and it wants access to everything, that’s bad.

I’d like to see Google add this feature to Android and give users control, but part of the reason app developers do this is to gather data for advertising (ie: access your location to serve you local ads), and Google is in the business of advertising.

0 votes

Dede

Thanks so much for your help. I just purchased and android and did not like the permissions wanted to use an app. When I started looking most all apps wanted the same or pretty much the same permissions. If I had know this prior to buying, I probably wouldn’t have purchased the phone. Thanks again so much for all of the information. Going to go “rooted” now. LOL

0 votes

Chris Hoffman

App developers often ask for too much. It’s an unfortunate situation.

0 votes

Juan Carlos Espinosa Agudelo

Hey Chris, my mom just got an Asus Transformer TF300T with Jellybean on it.

Now, I haven’t used any device with Android before(I mostly use my laptop or PC, so I haven’t seriously thought of getting myself an expensive smartphone or tablet), so when my mom asked me to help her out with the tablet because a lot of functions weren’t working and she couldn’t install apps, I decided to look and she pointed out why she wasn’t using anything:
She saw all the permissions the apps were requesting and got scared by them.

Now, I don’t think that’s a bad thing(like this article shows), but is there any way to make sure of what the app’s doing with the permission, before downloading them? Or is there anything I could tell my mom to worry 0.1% less?

0 votes

Chris Hoffman

You can’t really verify what an app is doing with the permissions, unfortunately. Installing well-known apps is a good option, like I mentioned above — Amazon Kindle is probably safer than Joe’s l33t Reading App with 10 downloads.

Bear in mind that apps you install in Windows get full access to your entire computer. If Windows used the same notification system, you’d be installing an application on your desktop and see a message that “This application has the permissions to view all your data, delete files on your hard drive without your permission, etc” — because Windows gives every app full permissions. Android at least tries to limit permissions more, although app developers often ask for too many permissions.

0 votes

Andrew

Hi sir,
My friend’s phone is texting messages to a foreign number nowadays without user permission. Could you give me some tips that’d be useful while we’re trying to solve the problem? Might it be an application maybe sending the messages? We talked to gsm provider company support, they told us the messages are sent to a chat channel. We wanted them to cancel the operation, they couldn’t help us (this is so sad to hear from support). Maybe you can give us some useful knowledge?

0 votes

Chris Hoffman

Definitely an app. You might want to wipe the phone to its factory state (in case it’s malware) and be careful when installing apps with SMS permissions.

You can try installing an app like aSpotCat and looking for the installed apps which have SMS permissions. Apps must have these permissions to send these messages, so that will help narrow it down for you.

Luckily, Android 4.2 has built-in features that won’t allow sending these messages in the background.