How often do you read through app permissions before downloading and installing a new app? For me, the answer is “rarely” and even when I do, the permission descriptions can be difficult to understand. I blindly trust app developers, that their practices are ethical, and that the requirements they have are only to support the best possible usability of the app. Why should I avoid that awesome-looking game which I’ve read so much about, just because it wants permission to read through my SMS messages?
There is no simple answer when determining which apps are safe and which aren't. Most app permissions, when taken on their own, are not necessarily harmful; it is when they are combined with others that they can become dangerous. Apps given access to your stored data, messages and the internet could potentially upload, store, and distribute your personal files without your knowledge.
I’m here to try and give you an overview of what the different app permissions mean and how you can detect potentially malicious apps. Please be aware that any app permission you see in the Play Store can be clicked on to reveal further details, and even once downloaded you can review them in the app manager. There are even some apps that offer an insight into app permissions and better still, allow you to switch off certain ones. (Check out our article on how to view and manage app permissions for further details.)
The list below is by no means exhaustive: the range of permissions is far too wide and varied for me to offer a fully comprehensive breakdown. These are just some of the most noteworthy, and enough to equip you with the information you need to keep your phone secure.
Modify or delete the contents of your USB storage
Many apps desire this privilege and it's often harmless. Android games may need access to storage for save files, for example, and Photo apps need somewhere to save your snaps. But malicious apps can also use this privilege to upload private photos and videos to the internet (if combined with internet access permission), so watch out.
Directly call phone numbers
It should be pretty obvious which apps you download will need the ability to make calls. Alternative dialers, Skype - it would even make sense for some messaging apps to allow you to call contacts directly from within them. A wallpaper app on the other hand? No thanks.
Send SMS or MMS messages
A messaging app, or anything which would need to send multimedia will require this, including various photobooth style apps which often allow you to share pictures immediately. If you can’t think of a reason why something, like say a task killer app, would need to send an SMS or multimedia message then alarm bells should be ringing.
Modify your contacts, read your contacts
Apps like Twitter require this to make it easy for you to import contacts from your address book, but malicious apps can use this feature to find information about your contacts, potentially to pose as one of them in an email or message, tricking you into downloading harmful attachments.
Read phone state and identity
One of the most common reasons an app would need this feature is to allow it to minimize if you receive a call. However, this feature is also one of the most commonly exploited. Apps often use this to discover usage habits, mainly for advertising purposes, and it's completely logical that this is such a frequently occurring permission request. Advertisers want to understand your usage so they know better how to target their advertising, and a huge number of apps rely on advertising for funding.
It’s not really all that intrusive, just use your intuition and consider why it might be necessary. Many apps genuinely need to read your phone state and identity, and the number of things a person could do with your phone identity is quite limited. But allowing this permission also gives the app access to some important phone details, like your IMEI number, so it’s certainly one to be aware of. Check the app review rating and comments if you're unsure before installing an app with this request.
Approximate and precise location
Reading GPS location will of course be important for any map/GPS app or any app which will offer any details about location (like restaurant/store finders). It’s also a favorite of marketers because they can target ads at you based on your current location, so expect this one a lot. I often get texts about coffee deals in my vicinity and I have no idea why. (I receive these even when my GPS and data are switched off). Fortunately, it’s fairly easy to discern what kind of apps need to know where you are and what doesn’t. Are you going to use the app to find things? Does the app need to know how far you’ve travelled? Or do you only wish to use the app to record your voice?
Read sensitive log data
Rarely should an app require this. It enables the app to read data from your phone which may contain phone numbers, email addresses and so on. It’s usually needed for security/debugging tools, and it could potentially allow access to password information, so make sure the developer is trusted before allowing access to this.
Your accounts - create accounts, manage accounts and account authenticator
This can be dangerous. It's natural that some apps would ask for this, like Facebook, Twitter, Origin etc., because you must have a registered account to use them. Furthermore, these kinds of apps sometimes send SMS messages to your phone for account verification. However, some apps can exploit these permissions with “phishing” scams to ascertain passwords, so account management requests are definitely something to be wary of.
Full network access
This is another frequently occurring permission, and most of the time it’s completely necessary. The large number of free apps that contain adverts is often responsible for how commonly this permission appears in the Play Store. If the app doesn’t look like it would need to do anything online, for downloads or messages etc., then it’s likely for adverts. Though if you can't see a reason for it to go online, and the app also says there aren’t any adverts... beware. When combined with other permissions on the list it could cause problems.
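To make the point about combinations concrete, here is an added example (not part of the original article) that reads a decoded AndroidManifest.xml and reports the permissions from the list above, flagging data-access permissions that appear together with full network access. The mapping from Play Store wording to `android.permission.*` names and the sample flashlight manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
INTERNET = P + "INTERNET"  # "full network access"

# Permissions from the list that expose data; risky once the app can also go online.
DATA_ACCESS = {
    P + "WRITE_EXTERNAL_STORAGE": "modify or delete USB storage contents",
    P + "READ_CONTACTS": "read your contacts",
    P + "WRITE_CONTACTS": "modify your contacts",
    P + "READ_PHONE_STATE": "read phone state and identity",
    P + "ACCESS_COARSE_LOCATION": "approximate location",
    P + "ACCESS_FINE_LOCATION": "precise location",
}
# Permissions to question on their own unless the app's purpose explains them.
# (Label-to-constant mapping is this example's assumption.)
STANDALONE = {
    P + "CALL_PHONE": "directly call phone numbers",
    P + "SEND_SMS": "send SMS messages",
    P + "READ_LOGS": "read sensitive log data",
    P + "MANAGE_ACCOUNTS": "manage accounts",
    P + "AUTHENTICATE_ACCOUNTS": "create accounts / account authenticator",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = {el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)}
    return names - {None}

def review(manifest_xml):
    """List (kind, description) findings for the permissions discussed above."""
    perms = requested_permissions(manifest_xml)
    findings = [("question", STANDALONE[p]) for p in sorted(perms & set(STANDALONE))]
    if INTERNET in perms:
        findings += [("combined", DATA_ACCESS[p] + " + full network access")
                     for p in sorted(perms & set(DATA_ACCESS))]
    return findings

# Constructed sample: a flashlight app asking for more than a flashlight needs.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
```

A "question" finding means the permission deserves an explanation from the app's purpose; a "combined" finding means the app can both read that data and send it over the network.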
For most people, downloading the most popular apps, the worst that can happen is that they have their privacy invaded, which is basically the same thing that happens every time we do a Google search, or log into Facebook. As a rule, try to only install apps from reputable sources and with positive reviews. If well-known websites (such as AndroidPIT.com!) are writing about a particular app then it’s very likely to be safe. Sadly, these rules both have exceptions: there are still apps with millions of downloads that use permissions that don’t necessarily affect the function (like a highly popular flashlight app requiring location data).
Before installing an app, run through this checklist:
- Is the developer reputable?
- Do they tell you why they need the permission?
- Do you understand why the app would need the permission?
If you answer yes to all three, then it’s likely safe.
Lastly, if you are still unsure about an app, just message the developer and ask. They will probably be used to the question and be able to clear it up quickly. If they don’t respond, maybe that’s a sign to stay clear.
If you want any more advice about any of these app permissions, or specific examples, feel free to post about it in the AndroidPIT forum and I’ll try to help out. Are there any other app permissions we should be wary of?