Read before clicking: Potential app permission risks

Who is allowed to do what – when it comes to the world of apps, this isn’t a straightforward question to answer. Whether you’ve got an iOS, BlackBerry or Android device, apps on all operating systems require your permission to access specific functions like network communications or the camera and microphone. While BlackBerry and Apple review the permissions prior to store approval, Google leaves this task up to the user. If you use an Android tablet or smartphone, you’ll be familiar with the list of app permissions requested prior to installation. You have a choice: Either you agree to all the app’s wishes or you have to do without the app – no ifs or buts.

Of course, many developers handle this situation responsibly, only asking for permissions the app actually needs to do its job. But the temptation to ask for a few more pieces of information than are needed is huge: Details about user preferences can be gleaned and data sold on straight away to make a little bit extra on the side. Free apps in particular are infamous in this respect. A while ago, the example of the Brightest Flashlight was in the media spotlight. While it didn’t require any permissions for it to work, it practically granted itself full access to the smartphone – the developer then sold all the data it harvested.

The app is still listed on the Play Store, it still asks for permission to access everything, and has meanwhile racked up over 50 million downloads.

An app tells you, more or less, everything it wants to know and influence prior to installation. It does this either when you actually download it or right at the bottom in the Play Store under “Permission” and “View details”. All the details of “dangerous” permissions are shown, whereas permission requests deemed less critical are not. To view them, you have to click the “Display all” tab. This can be problematic especially when it comes to updates for installed apps. This is due to a change to the Play Store’s permissions-management system (version 4.8) which saw Google introduce “simplified permissions”. Permissions are now divided into the following 13 groups:

  • In-app purchases
  • Device & app history
  • Cellular data settings
  • Identity
  • Contacts/Calendar
  • Location
  • SMS
  • Phone
  • Photos/Media/Files
  • Camera/Microphone
  • Wi-Fi connection information
  • Device ID & call information
  • Other

If you initially granted permission during installation and another permission has since changed in the same group, you are no longer informed about it. The newly requested permission is granted without so much as a whisper. To some degree the groups are also fairly unclear and this has some really surprising impacts. For instance, the “Phone” group includes the following functions: Directly call telephone numbers (including chargeable numbers), write call log, read call log, reroute outgoing calls, and modify phone state.

If you want to learn more about which app can do what, take a look at “Settings” and then “Application manager” followed by choosing the app’s name and “Permissions”. The free app Permission Viewer makes things a bit easier.

It lists every app (incl. internal system apps) and displays apps’ permission levels using colored bars. That said, knowing about potential weaknesses does not lead to greater security. To do that, you need the help of other apps such as App Guard by Backes SRT. The security company, a spin-off of Saarland University, offers a security and data-protection app for Android smartphones and tablets with Android version 2.3 and later for € 3.99. There’s also a free demo version which can monitor up to four apps. App Guard lets you monitor other apps and make subsequent changes to their permissions. Superfluous permissions can be revoked without needing root access.

By contrast, App Ops Starter is free but it only works on Android versions 4.3 to 4.4.1. The app starts Android’s integrated but hidden “App Ops” mode. It’s also possible to revoke individual permissions from apps without root access. Rooting your device opens up further options to monitor and change access permissions such as by using XPrivacy.

Everyone has to be clear about one thing: people who experiment with permissions can render an app unusable. Less experienced users should stay away from system services; otherwise the entire Android operating system could quickly become unstable.

 

This post is also available in: German

Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.