Mobile Apps Permissions, Misuse & What to be Cautious of
A recent Android user study found that most users grant app permissions if the requested permissions meet their expectations. Specifically, the study revealed that 68% of users grant app permissions if the app has a specific feature requiring given permissions. Also, 32% and 24% of users grant app permissions if they trust the app vendor and if the app cannot work without the requested permission, respectively.
Understanding App Permissions
Android mobile apps permissions are categorized into various types. Accepting or denying the permissions enable the user to determine the scope of restricted information an app can access or the restricted functionalities an app can perform. Common types of app permissions include:
- Installation permissions: Installation or install-time permissions allow an app to perform restricted functions with minimal impact on the device or other apps and provides limited access to protected data. Install-time permissions consist of normal permissions, which permit access to information with minimal risks to device operations and user privacy, and signature permissions. Examples of installation permissions are providing access to network connections, an app to run at device startup, and an app to prevent a device from sleeping.
- Runtime permissions: These permissions, also referred to as dangerous permissions, provide apps additional access to restricted data while enabling them to perform restricted functions that significantly affect other apps. Most apps that request runtime permissions often access private information that may contain sensitive user data. Examples of runtime permissions include apps requesting to access messages, contacts, location, and call logs.
- Special permissions: Specific apps can request special permissions. For example, apps used to perform powerful actions, such as drawing over other apps, can request special permissions.
An Overview of Android App Permissions
Before Google released Android 6.0, operating systems based on earlier Android versions required users to accept all app permissions when installing a new app. Users were required to grant the permissions before they could install or use an app. As a result, the practice provided app developers access to sensitive information and, at the same time, prevented users from controlling the permissions they could grant. Besides, app usage dictated how the permissions could be grouped, usually based on criticality. Some permissions, such as internet access, were common across all apps and granted without asking a user.
However, newer Android versions contain numerous significant improvements regarding how users can manage and control app permissions. For example, for Android 10 users, users can install and use apps and only grant specific app permissions when the need arises, such as granting access to device location to view the map of a specific place.
Recent Android versions like Android 11 have introduced even more app permissions control capabilities, such that a user can grant single access permissions to a device location. Essentially, Android 11 provides four optional app permissions; always allow, allow once, allow only when using, and deny. Also, it is possible to revoke any of the permissions at any time, enabling users to have more control over which permissions they can grant or deny at any time.
App Permissions Every User Should be Cautious About
Most apps request permissions to access a device's call history, contacts, location, camera, microphone, storage, and SMS messages. The permissions fall under the dangerous app permissions category, and users should keep an eye on them for various reasons.
Location
Granting app permissions requests to access device location exposes a user to real-time tracking risks. However, the location is essential to the functionality of different apps, including check-in apps, event apps, navigation/map apps, and apps for hailing a ride. Therefore, users should consider denying the location from accessing camera-centric apps when granting location access permissions since it makes it easy for anyone to track a user by downloading the geotagged picture. Moreover, users should avoid granting location access permissions to any app since allowing malicious apps can enable hackers to deliver location-specific malware.
Call Log History
In most cases, built-in dialer apps require access to the phone call-log history to enable users to call their contacts. However, granting these permissions to specific third-party apps can expose a phone user to several security risks. For example, attackers can create apps requiring call logs to spy on conversations or make calls to others. Particularly, when a user grants phone/call history permissions, the app can access the users' phone numbers, voicemail box, call log data, and modify or redirect incoming/outgoing calls to other numbers.
Contacts
Granting app permissions to access the contact list allows it to access, modify, delete, or add other contacts. Also, apps can misuse the permissions and gain access to other accounts added to a mobile device, including Facebook, Instagram, and Twitter accounts. As such, users granting app permissions to malicious apps increase the likelihood that cyber adversaries can exploit the permissions to steal contacts for spamming reasons and gain unauthorized access to connected accounts.
Microphone
Most communication apps, such as WhatsApp, Skype, and Zoom, require access to the device's microphone when users want to make a video or audio call. Additionally, music recognition apps like Shazam must access the microphone to record and search a song. All these are essential functions requiring microphone access permissions. However, granting permissions to untrusted apps can enable harmful actors to record private conversations and the surrounding events, which is a significant security and privacy breach. Other app permissions users should be wary about include storage and SMS permissions.
Best Practices when Considering App Permissions
Only Allow the Necessary Permissions
Current android operating systems provide users with the flexibility to accept, deny, or revoke access permissions at any time. Therefore, the best practice to reduce unauthorized access risks to device hardware or data is to grant only the necessary permissions. More importantly, users must ensure to revoke the permissions once the app doesn't need them anymore.
Take Time to Understand the Requested Permission
Before accepting any permission, a user should re-read the pop-up box requesting access to understand what it means and the potential implications of allowing it. For example, Bluetooth access can allow users to share files to another device or create an internet hotspot for malicious users. Although the user may not control what app permissions do in the background, understanding permissions before granting them is a recommended security practice.
Manage App Permissions for Unused Applications
Some users may install applications and grant all permissions during installation. However, they may fail to use the apps after the initial setup or use them occasionally. Either way, it is a recommended practice to manage and control the granted permissions. For example, Android users can navigate to settings and select the app to view its permissions. If the user does not require the application, he should revoke all granted permissions to prevent access to sensitive information or device functionalities.
Only Accept Permissions from Trusted Apps
There are so many apps today that provide different or similar services. Unfortunately, crooks and criminals leverage the growing market to create malicious apps that do more harm than good. To stay safe, users should only grant permissions from trusted apps. A good place to start is installing secure apps from verified App Stores.