Have you ever given an app on your phone permission to do something without a second thought? Even sensitive permissions, like access to your camera, microphone, and location are often enabled without batting an eye.
But that’s a risky way to use your phone. Let’s look at the most dangerous types of mobile permissions, and the ways that an app could abuse them to steal information about you.
A Brief Refresher on Permissions
We should quickly review how permissions work before we proceed.
For both Android and iOS, apps require permissions to access sensitive data on your phone. If a developer makes an app that relies on having your contacts, for example, he must add a permission into the app’s code.
On Android 6.0 Marshmallow and later, you can toggle permissions (on or off) individually. When you install a new app, you’ll see a pop-up asking you to grant permission for the app to use something when it needs it.
For example, if you download a new SMS app and click the in-app camera button to send a picture to a friend, it will ask permission to access your camera. If you say No, then the app simply can’t use that functionality. You can access the app’s settings to change the permissions if you change your mind later.
A similar system exists on iOS. You decide whether to enable app permissions individually, and can revoke them any time.
On Android 5.x Lollipop and older, you’ll find an all-or-nothing permissions system. When you install an app from Google Play, it shows a list of permissions that the app wants. If you don’t want to grant access to one of those permissions, your only option (aside from rooting) is not using the app.
When an app has permission to do something, it has that permission until you disable it. It won’t ask you every time to authorize an action.
It’s no surprise when a voice recording app needs access to your microphone. But how about that new free game you just installed asking for this permission? If it seems a bit fishy, that’s because it is.
The New York Times recently found that hundreds of games on Google Play, and some on the App Store, are integrated with a software called Alphonso Automated Content Recognition. This, partnered with Shazam, uses your device’s microphone to identify what movies and TV shows are playing around you, then takes that information to build a better advertising profile on you.
While this isn’t the most harmful behavior possible, it’s probably not something you’d prefer to have on your phone. Even while you’re not playing gaming gems like Surface Shifter or Bunny Jump, they’re still using your phone’s resources to snoop on what you’re watching. If you watch a lot of sports, for example, you might see more ads for team equipment.
If an app has access to your microphone, it has the ability to listen to what you’re doing any time it feels like it.
We don’t need an elaborate explanation as to why a malicious app having access to your camera could be dangerous. While many apps need this permission for legitimate reasons, usually to conveniently take pictures inside the app, the story is the same as your microphone. With access to your camera, an app could take pictures anytime it wants.
And if it has internet access (which is such a common permission that Android doesn’t even ask you to confirm it anymore), it could upload those photos to who-knows-where. iOS developer Felix Krause demonstrated how an iPhone app could capture photos of someone while using the app and share them immediately.
How would you like someone to see pictures taken using your phone in the bathroom? And how about if your phone was sitting in your bedroom, pointing at you while you were changing? Cameras have huge potential for embarrassment or worse.
Your general location isn’t a big secret — it’s easily ascertained from your IP address. But that doesn’t mean you want every app to access it. If you can’t think of a specific reason that an app needs your location, and it includes the permission, then it’s almost certainly for a nefarious purpose.
For instance, Google Maps needs your location so it can give you directions. Shazam asks for your location so it can save that info when you tag a song. But free games that have no business with that information often ask for it, too. Flashlight apps are infamous for loading up on permissions, including your location. They send this back to advertisers to learn more about you, as usual.
— Liz Jones (@ImCommitted2HIM) August 4, 2015
By knowing what stores are near you and what type of area you live in, they can build a better picture about what you might have interest in.
Some apps need access to your contacts to make sharing easy. A new messaging app might check to see which of your friends also use it, for instance. Based on what we’ve discussed so far, it’s not hard to guess how an app could abuse this permission. If you guessed “uploading your contacts list to advertiser servers,” you’re correct!
Like other permissions, it’s not hard to tell if the app really needs it or not. A game would only need this permission if wanted you to invite your friends and beg for more lives. You should be careful with this one; it’s one thing to open up your own phone, but unintentionally selling out your friends’ contact info isn’t cool.
Aside from SMS replacement apps, an app might ask for permission to use your text messages so it can retrieve a login code. These are both legitimate uses, but like everything else, they have a dark side.
A nasty app could use this permission to send a ton of texts to premium numbers and rack up a big bill for you. Or it could text your contacts a fake story about needing monetary help in the form of gift cards, then delete those messages so you don’t see them.
VT(3/61): https://t.co/E39ablB43n pic.twitter.com/z9Ndjbdh0X
— Lukas Stefanko (@LukasStefanko) November 10, 2017
That’s quite a bit of trust to put into an app in exchange for saving you five seconds to enter a code yourself.
It’s All About Context
We’re not trying to scare you. It’s not as if every app that asks for a permission is using it for nefarious purposes. App permissions are not bad in themselves, and many developers explain what they use the permissions for in the app description.
That’s why it’s vital to think critically about permission requests. Don’t just blindly tap Yes every time. If you install a trusted camera app and it needs permissions to use your camera, then you’re probably OK. When a solitaire game needs access to your contacts, location, and SMS, you should uninstall it or at least deny it those permissions.
Remember that popular doesn’t mean safe, though. Several hot Android apps have major privacy issues. Thankfully, for most types of apps, you can always find an alternative. Take the time to check if there’s a similar app that doesn’t require as many permissions.
On Android, you can review app permissions by visiting Settings > Apps & notifications > App permissions. Here you can check all apps you have installed, grouped by permission.
Meanwhile, iPhone and iPad users should visit Settings > Privacy and select a permission type to review apps that have access to it. Disable the slider to revoke permission.
Take a few minutes to look over the most sensitive permissions and ensure you aren’t handing over too much info.
How Do You Manage App Permissions?
We’ve taken a look at why permissions are important, five of the biggest risky ones, and how you can take charge of your permissions. All it requires is a bit of diligence and you’ll have a much safer phone. Remember that all the above scenarios require you to grant permission to the apps to perform their data collection — so don’t!
And keep in mind that your phone’s motion sensors can be a security risk, too, so don’t let apps access them unnecessarily.