Tips for using app permissions in the world’s most popular mobile operating system.
By Ian Grutze, Senior Global Product Manager
Mobile devices are amazing tools that can enrich your life in many ways. Need to solve a problem…? There’s probably an app for that. As these devices mature, and as we weave them into our daily lives more, there is a cost tradeoff that you should be mindful of: “privacy vs convenience.”
Think of a navigation app, for example. It can be very helpful when you’re out and your phone tells you that it will take 22 minutes to drive to that calendar appointment you have across town in 30 minutes. In order to do this, the app has access to your GPS location and your calendar, potentially monitoring these all the time. This may or may not be something you’re comfortable sharing. You’re getting some very helpful automated reminders, but someone/something knows your location and your schedule. If this doesn’t sit right with you, what can be done?
The Android operating system gives you options to deal with this kind of situation, giving users the ability to customize app permissions. Open your Android settings and look for something like “App Manager” or search for “permissions” (it can vary depending on what version of Android you are running).
Settings menu from Google Pixel XL, running Android Oreo.
From here you can manage which apps are allowed to use various services, such as: Camera, Location, Contacts, and more. There are some pretty serious options as well, like the ability to draw over other apps, or lock and erase all the content on a device. Taking the time to customize these in your favor can have many benefits and doing so gives you a better sense of what your apps are capable of.
When reviewing an app, think about which permissions it requests access to and whether or not it makes sense for that app to need such a service.
Maybe that popular candy game doesn’t need access to your contacts list. Try disabling access and see if you still enjoy the app. Even if the app has good intentions (and isn’t doing any shady behind-the-scenes tricks), if you don’t gain value from it, it’s often better to disable the permission. Depending on the situation, denying a permission can help maintain your privacy, reduce data usage, or save on battery drain and other device resources.
App Info menu from Google Pixel XL, running Android Oreo
Trust in the app developer is an important thing to consider when thinking about permissions access. An app with control of your camera should make it obvious when the camera is in use (for example, by showing you an on-screen preview of what the lens sees), but it’s important to know that technically, it doesn’t always do that. Some apps with microphone access may listen in without you knowing. Perhaps they’re using automated speech recognition to pluck key words from your conversations to enrich your experience with the app, or they could sell such information to advertisers. If you don’t know and trust the app developer, there are many things they could be up to that go unnoticed.
The more potential for invasiveness in a permission, the more you should consider the source. Do some background research on the publisher or app, and try to learn if it’s safe. In general, it’s a good idea to review the permissions of all apps on your device (especially ones you chose to download yourself, as they were not vetted by your phone’s manufacturer) and disable access you think may not be necessary. Oftentimes, an app will continue to work fine without 100% of its permission requests granted. It may just be missing some functionality that you did not care about anyway, or weren’t intended to even know about.
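For readers comfortable with a command line, the same review can be scripted. The following is an added example, not code from the original article or from Trend Micro: it parses permission lines in the `granted=true` form printed by `adb shell dumpsys package <package>` and lists what an app holds beyond what its type plausibly needs, plus the "draw over other apps" permission. The package names, the sample text and the per-category `EXPECTED` sets are constructed assumptions.

```python
import re

# Constructed sample, shaped like the permission lines printed by
# `adb shell dumpsys package <package>`; package names are made up.
SAMPLE_DUMPS = {
    "com.example.candygame": """
      install permissions:
        android.permission.INTERNET: granted=true
        android.permission.SYSTEM_ALERT_WINDOW: granted=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
    """,
    "com.example.navigator": """
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true
        android.permission.READ_CALENDAR: granted=true
    """,
}

# Assumption: what each kind of app plausibly needs. Adjust to your own judgment.
EXPECTED = {
    "game": {"INTERNET"},
    "navigation": {"INTERNET", "ACCESS_FINE_LOCATION", "READ_CALENDAR"},
}
# Worth a second look regardless of app type ("draw over other apps").
HIGH_RISK = {"SYSTEM_ALERT_WINDOW"}

GRANT_LINE = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)", re.M)

def granted_permissions(dump_text):
    """Return the short names of permissions whose line says granted=true."""
    return {name for name, state in GRANT_LINE.findall(dump_text) if state == "true"}

def review(dump_text, category):
    """Split granted permissions into unexpected-for-category and high-risk."""
    granted = granted_permissions(dump_text)
    unexpected = sorted(granted - EXPECTED.get(category, set()) - HIGH_RISK)
    return {"unexpected": unexpected, "high_risk": sorted(granted & HIGH_RISK)}

if __name__ == "__main__":
    categories = {"com.example.candygame": "game", "com.example.navigator": "navigation"}
    for pkg, cat in categories.items():
        print(pkg, review(SAMPLE_DUMPS[pkg], cat))
```

Denied permissions (`granted=false`) are ignored, so the report reflects only what the app can actually use right now.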
Beyond invasions of privacy, major or minor, or just the uneasy feeling of certain types of your personal information existing in some companies’ databases (which could theoretically be breached), there are some extremely harmful side effects that can come with granting the wrong app too many permissions. Trend Micro’s Mobile Threat Response team has been researching mobile malware and logging its continued growth for years. They have discovered that malicious app developers will use permissions to their advantage and your loss.
A prime example: banking attack apps that look to you like a harmless game or tool. If given the permission to know what other apps are open and overlay their own UI on them, they can replace the login credentials screen of popular banking services with their own, stealing any user name and password combination you enter. Another example is mobile ransomware, which seeks to make all your files, or your entire device, unusable until you pay a digital currency ransom to undo the attack.
In an extreme case like this, with clear intent of harm, it’s no longer a choice of “privacy vs convenience,” but of identifying apps that are malware and deleting them. I recommend finding a trusted security vendor, installing their app, then granting the appropriate permissions to let it help you stay safe.
Trend Micro offers Mobile Security on Google Play, with features that scan for malware, and report privacy concerns for your installed apps. This gives great visibility into what parts of your phone are being used by other apps, and tools to manage them.