The Truth Behind Unnecessary Permissions Requested by Mobile Apps


Apps, apps. They’re everywhere. There is an app for every activity in our lives: from shopping to daily water drinking reminders. If you have a smartphone, and we hope you do, you will probably find this familiar. When you download a new mobile app, it asks for various permissions: to access your contacts, to know your location and so on. Isn’t it surprising that an app you are installing only for some specific utilities needs to know so much about you?

But why does a non-essential utility app need to access your location or contacts? What is this information used for? The simple answer is that these apps leverage your information to provide you with better services, and to provide themselves with treasured data. Sounds innocent, but let’s see how and why it works the way it does.

How do they gain access to your user data?

It is important to note that no mobile app can read your actual contacts unless you have manually allowed it. When you download an app, it sends a request to the Android operating system or iOS. This request contains the permissions it needs, such as the ability to read your contacts. The OS then shows a permissions prompt to the user, and the user must approve or deny each permission request to proceed with installation. 

When you install an app, it asks for permission to access certain features of your device. For example, if you want to take a selfie, you can do that directly from the camera app on your device (rather than opening an app such as Instagram and taking the photo there). The camera app requires access to the device’s hardware, such as the camera, flash, and microphone. Therefore, when you install a camera app, it requests permissions to use these hardware features.

What is the real reason behind requesting unnecessary permissions?

Mobile apps are designed to collect data from you as a user, but they are not always honest about what data they are collecting or what they are doing with that information. As mentioned before, apps need permissions to access certain aspects of your phone to perform certain functions. The majority of apps request unnecessary permissions so they can collect more data from you or sell it to third parties. There have been cases in which apps were removed from the stores (High-Speed Camera, Smart Task Manager, Flashlight+, 8K-Dictionary, BusanBus, Flashlight+, Quick Note, Currency Converter and more…) for performing ad fraud after receiving unnecessary access to devices. Many of these were categorized as Utility apps, which usually require minimal permissions because they perform a specific task. Apps that request unnecessary permissions are not necessarily malicious or dangerous. However, they do not have any legitimate reason for requesting this access.

But why is this a problem? If an app requests unnecessary permissions, it could be a sign that it wants to collect more data than it actually needs to perform its function, and you should be wary of that app. Each time you launch an app, it can potentially have access to your location, your contacts, your photos, your camera, or other sensitive data. A flashlight app that asks for your contacts and address may use that information to send spam or sell it for profit. 

Here are some other reasons why apps can request irrelevant permissions:

  • Tracking your location or activity 

It’s important to be vigilant when it comes to giving location permissions. Apps can use your location information in numerous ways, the most innocent of which is sending you push notifications for advertising purposes. Certain apps might even be able to see the exact address of your home or workplace, which could put you at risk if someone were to break in. Your best bet is to always make sure you’re knowledgeable about what an app does before you install it.

One more thing: if you do decide to give an app access to your location, it’s a good idea to make sure that the app has some sort of privacy policy. This will help ensure that the company is following all of the rules regarding its usage of your information.

  • Data theft

The most common types of data theft are account password hacking and data exposure. When you grant an app permission to access certain parts of your phone, like GPS location or contact lists, you're leaving yourself vulnerable to a range of attacks: an attacker could collect your login credentials and use them to access your account, or steal your sensitive data to demand a ransom or sell it to a third party.

This type of attack is especially concerning because it doesn't require any special skills; anyone can download an app on the Play Store and take advantage of the device without much effort.

  • Malware

Despite the best efforts of developers and app stores, malware can still slip through app permissions on phones that are not up to date with the latest security patches. If malware connects to an internet server or other computer, it may be able to access sensitive data like passwords and banking information. If you’re not careful, malware can also allow hackers to take control of your phone remotely in order to spy on you or steal valuable information. Malware is hard to detect, so even if you have an antivirus app on your phone, there are still ways for malware to sneak past it. For instance, malware might disguise itself as a harmless file in order to trick you into downloading it. It might also use social engineering tactics to trick you into giving it access to your phone. 

  • OTP theft

OTP theft is the act of fraudulently obtaining a one-time password (OTP) to gain access to a user's account. It is typically committed by IP address hacking or phishing attacks. Once an attacker has obtained access to the victim's account, they can use it to make unauthorized purchases, transfer funds outside of the account, and otherwise cause damage. Since OTPs are time-sensitive, if an attacker can obtain them before the victim does, there's little that can be done to prevent damage from occurring. It is important to protect your financial accounts from OTP theft because it can lead to large financial losses.

  • Ad fraud

The core issue with ad fraud is that advertisers want to reach their target audience, but they are paying for viewership that doesn’t exist. To make things worse, some ad networks and publishers are facilitating the spread of fake views by giving bad actors illegitimate access to user data.

At the heart of ad fraud is a phone permission problem: bad actors can use phone permissions to get closer to unsuspecting users and steal their personal information. For example, hackers may find themselves on the same Wi-Fi network as you or, worse, have access to your device’s camera. The combination of these two factors has led some researchers to believe that phone permissions could be a major factor in ad fraud.

How to keep your favorite apps but stay protected?

One of the best ways to stay protected while still using these apps is by using an encrypted smartphone equipped with EDR (endpoint detection and response) or at least antivirus software. App scanning can identify apps that have been designed poorly and are collecting data unnecessarily. These solutions also keep track of apps you have installed and their permissions. If you notice that an app has been granted access to more data than it actually needs, you can revoke its access. Additionally, you should be careful when installing apps and read the permissions that they are requesting. You should also read user reviews and feedback before installing an app just to make sure that it is not collecting excessive data or posing a privacy risk.
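
The permission review described above can be automated for Android apps. The following is an added example, not code from Kaymera or any scanning product: it reads the permissions declared in a decoded AndroidManifest.xml and reports the sensitive ones that an app of a given category has no obvious need for. The category baseline, the sample manifest and the package name com.example.flashlight are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android "dangerous" (runtime) permissions mapped to the data they expose.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Assumption: hand-written baseline of what each app category plausibly needs.
BASELINE = {
    "flashlight": {"android.permission.CAMERA"},
    "camera": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Flashlight"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    # For manifests from untrusted APKs, a hardened parser such as defusedxml is safer.
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = {el.get(ANDROID_NS + "name") for tag in tags for el in root.iter(tag)}
    return names - {None}

def excess_permissions(manifest_xml, category):
    """Map sensitive permissions outside the category baseline to the data exposed."""
    allowed = BASELINE.get(category, set())  # unknown category: nothing expected
    requested = requested_permissions(manifest_xml)
    return {p: SENSITIVE[p] for p in sorted(requested)
            if p in SENSITIVE and p not in allowed}

if __name__ == "__main__":
    for perm, data in excess_permissions(SAMPLE_MANIFEST, "flashlight").items():
        print(f"review/revoke: {perm} (exposes {data})")
```

Each permission it reports is a candidate for revoking in the device's app settings.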

While it’s impossible to know how much of the problem is caused by phone permissions, it is clear that more needs to be done to protect users from this vulnerability. If you are looking for solutions to protect your personal or business data, check out Kaymera’s encrypted smartphones.