Linking without permission is stealing. And you must have heard about apps that steal your valuable data, and then someone says you need to read an app’s permissions before you install it. Well, that’s fine, but there is a small problem — what the heck do those permissions mean?
Android users know that when they install an app they are usually presented with a list of permissions required by the app. iOS users get these requests as the app attempts to use the capability which requires permission. Windows and Windows Phone are hybrids. Sometimes they request a permission at install time, sometimes at run time. Sometimes they just inform you that they are using the feature without asking permission.
Most people do not pay attention to app permissions. Left unchecked, app permissions can open your device to possible data theft, spam and malware. An Android app can ask for 124 different types of permissions. According to a study, 33% of Android apps request more permissions than they need. Researchers found that only 83% of Android users paid attention to permissions when installing an app, 42% did not know what permissions were for, and 97% could not correctly identify what all the app permissions were used for.
For instance, when an app requests access to your device storage, what is it actually asking for? Can it modify or delete your USB storage, and why would it want to do such a thing? When it asks for access to your accounts, which accounts does it want? If it requests SMS privileges, do you know whether it could text premium pay services on your behalf? These are all serious questions, yet most people just click “download” and start using the app.
Unfortunately, it’s not always easy to understand what you’re permitting an app to do. The permissions system is micro-managed, with nuances only Google or Apple will ever fully understand. Here I will talk about a few of them to give you an idea what they mean for you and your phone.
Directly call Phone numbers
Warn me that something is going to cost me money, and you have my attention. This app permission allows apps to dial phone numbers without notifying you first. Apps like Skype, Google Talk, Google Voice, and dialer replacements (anything tied to your phone dialer) require this permission for obvious purposes.
Malicious apps can exploit this authorization to secretly call paid numbers without your knowledge. If the app is asking for this permission and has nothing to do with making phone calls, stay far, far away.
SMS or MMS related permissions
SMS apps like Handcent or Chomp will need this, which makes sense, but what about an app that allows you to edit or take a picture and send it to a friend? Yep, it’s going to need to send MMS messages, too. If an app is set up for you to share media, you might see this one listed as one of its permissions.
These permissions could potentially cost you a lot of money if malicious apps use them to send illegitimate SMS or tack extra charges onto each SMS and MMS you send. The “read your text messages” and “receive text messages” permissions can also potentially result in your privacy being compromised. If there’s no real reason for an app to require these permissions, avoid it.
Personal information – Read & modify your Contacts
More scary sounding permissions, but let’s think for a minute here. Of course any messaging app is going to need this, which makes sense. But a home screen contacts widget will need this, too. As will apps like Twitter or Foursquare, so you can share tweets or check-in information over e-mail or SMS. If an app doesn’t have any social aspect, there’s no need for this permission.
The permissions “modify your contacts” and “read your contacts” give an app unfettered access to your contacts’ data. While both can be problematic, the “modify” permission is especially dangerous since it would let an app read all the contact information you have on your phone. This includes how often you communicate with particular contacts.
Phone status and identity
The most abused, and least understood permission of them all. Some apps need to know if your phone is about to ring. Maybe they need to save state (i.e. freeze what they’re doing) for when the incoming call screen pops up, or they need to turn over audio control back to the OS.
While this permission is often safe, the potential for wrongdoing is huge, so do exercise caution when apps require this permission. An app that holds it can read your IMEI and other identifying information and send it back to some random server on the Internet. Often, these unique numbers are needed as piracy control, or to keep track of you without using any more sensitive personal information. The issue is when developers use these numbers for things like remembering your preferences for online services or app history. Seemingly harmless, but not the right way to handle it.
Location – GPS & Network-based location
These two are no-brainers. If an app has any mapping abilities, it needs to know where you are. If an app tells you information about finding things like businesses, it needs to know where you are. Network-based Location allows apps to retrieve an approximate location through network-based location sources like cell sites and Wi-Fi. GPS Location grants apps access to your exact location through the Global Positioning System (GPS) and other location sources like cell sites and Wi-Fi.
Navigation apps like Waze will require such information to work. Similarly, social media applications want to include your location in photos and uploads. Crucially, applications which implement location-based advertising will also need access to such information. App developers can use it to gain profit from location-based ads. Malicious apps use it to launch location-based attacks or malware.
Network communication — full network access
Another permission that we see far too often. If an app has no function for you to communicate with anyone else, or any type of downloadable content, this usually means ads. To show you ads, the app needs to get them from the Internet. If the app you’re using is ad-free, has no need to contact the outside world, and doesn’t have any type of add-on content, be wary.
Account permissions allow an app to find out what accounts you have and connect with them. “Find accounts on the device” lets the app check with Android’s built-in Account Manager on whether you have any accounts on services such as Google, Facebook and so on. “Use accounts on the device” lets the app ask for permission to use the account. Once this permission is granted, the app won’t have to request it again; the concern, of course, comes if the app is malicious and continues to do things in the background in your name. Another related permission to watch out for is “create accounts and set passwords”, which lets the app authenticate credentials. A malicious app can take advantage of this permission to get your password by phishing you.
The best example of this app permission is the Facebook app, which allows you to sign into your Facebook account through the app.
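For readers who want to check an app against the categories above, here is an added example (not part of the original article) that reads a decoded AndroidManifest.xml, such as one produced by apktool, and flags requested permissions that the app's stated purpose does not explain. The helper names, the category labels and the sample manifest are constructed for illustration; the `android.permission.*` constants are the manifest names behind the labels discussed above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest constants behind the permission labels discussed in this article,
# grouped under illustrative category names (the grouping is an assumption).
CATEGORIES = {
    "android.permission.CALL_PHONE": "calls",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.RECEIVE_MMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone_identity",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.INTERNET": "network",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.USE_CREDENTIALS": "accounts",
    "android.permission.AUTHENTICATE_ACCOUNTS": "accounts",
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names

def unexpected_permissions(manifest_xml, expected_categories):
    """Group permissions whose category the app's purpose does not explain."""
    flagged = {}
    for name in requested_permissions(manifest_xml):
        category = CATEGORIES.get(name)
        if category and category not in expected_categories:
            flagged.setdefault(category, []).append(name.rsplit(".", 1)[1])
    return flagged

# Constructed sample: an ad-supported flashlight app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    print(unexpected_permissions(SAMPLE, expected_categories={"network"}))
```

Permissions outside the article's categories (here `CAMERA`) are ignored rather than flagged, so an empty result means only that none of the categories covered above is unexplained.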
To be continued in the next article…