Many mobile applications are built to connect users directly to a company’s goods or services. Often, apps are developed to take a process that was once cumbersome, such as finding directions from one place to another, and to provide a seamless user experience with information right at their fingertips. To do this, mobile app developers often need to code permissions that allow apps to take advantage of already existing user data in order to provide the end user experience. Recently, however, there has been a trend in applications requesting excessive permissions that oftentimes do not relate to their intended functionality.

Common Application Permissions

As applications are installed by users, in many cases, they do not have explicit access to the data they need, often requiring a secondary step to request access to specific user or device data. Now, with the updated policies from the Google Play and Apple App Store, these requests are becoming more transparent, giving device owners the authority to determine how an app accesses their data.

According to researchers at CyberNews, some of the most common permission requests are from over 1,000 scanned Android apps were:

• 36% of those apps requested camera permissions
• 33% of those apps wanted to track your location
• 21% of those apps asked for access to your microphone
• 7.8% of those apps asked for permission to make direct calls
• 4% of those apps wanted to access and modify your contact book
• 5% of those apps asked to read calendar events, while 3% wanted the ability to modify them

Now, some users may think that if they download a photo-editing app or messaging app, of course, these apps will need access to the camera or contact list — the functionality of the app depends on it. However, there are numerous apps in both Android and iOS stores whose functionality does not require some or many of the permissions they request and are granted. For example, gaming apps or flashlight apps notoriously request access to contact lists, camera functionality, or location details. This should make any user pause — why does an app built for gaming need access to any location data? Why does a garage door app need access to your phone’s microphone?

Application Access Pitfalls

In many cases, users who have become conditioned to believe that their personal data has already leaked during one of the hundreds of data breaches that occur each year blindly give apps access to the data on their personal devices. This can have serious consequences not only on what data is extracted but also on where this data is sent.

• Access to Device Microphone: When an app requests this permission, it now has the ability to listen to what you are doing or what may be playing in the background of your room. Many times, microphones are used to capture data for businesses to create targeted ads for consumers, as outlined in a 2019 Washington Post article about Alexa’s eavesdropping capabilities and storing audio recordings for up to four years after activation
• Access to GPS Location Information: Many applications today use location technology to serve users with a customized experience based on where they are located. For example, voucher or travel apps send push notifications to users in the area, prompting them to experience a restaurant or event near them. However, sharing location data can also put users at risk. Location data collected by apps has been attributed to the ability of stalkers to track their victims, soldier or military personnel locations to be disclosed, especially during the current conflict between Russia and Ukraine, and cybercriminals to create phishing scams around travel-related content.
• Access to Device Camera: With access to your camera, an app can take pictures anytime it wants and could possibly upload these images to unknown locations or domains. In 2020, a lawsuit, Conditi v Instagram, LLC, 20-cv-06534, U.S. District Court, Northern District of California, alleged that Instagram was secretly opening users’ cameras and collecting “data it would otherwise not have access to” by activating the app’s camera intentionally. In this case, Facebook, the parent company, blamed a bug that it has since corrected, but the implications remain — a large company with extensive access to personal data was accessing a device feature without users’ knowledge. Additionally, Bernard Meyer, Senior Researcher at CyberNews, found that Beauty Camera by Phila AppStore simply went ahead and used his device camera without even asking for camera permission.

3 Tips to Wisely Manage Application Permissions and Safeguard Your Personal Data:

1. Avoid granting app permissions that aren’t necessary for the app to work: If an application does not need access to your camera, microphone or contacts to do what you want it to do, do not allow it. You should remain vigilant about what access an app is requesting, especially in the context of the app’s intended functionality. A flashlight app does not need access to a device microphone or contact list; this is a blatant attempt by developers to use this information for malicious adware or sell data to larger companies.
2. Allow minimal permissions only when an app is in use: For iOS, apps can ask for additional functionality while in use; this can be a safe medium for being able to use some of the increased functionality of an app while also ensuring that when the app is not being used, it does not have access to excessive personal information.
3. Conduct app hygiene check-ins: As part of proactive mobile security best practices, it is always advisable to check your current app permissions and app library overall. Ask yourself if there are apps that you are no longer using; if so, do they need to remain on your device, potentially accessing your data? Are there apps that are used frequently that may need to have their permissions and access scaled back? Conducting routine hygiene check-ins will keep you on top of not only your mobile device security posture but also aware of how your data is being accessed and where it is being sent.

How Q-Scout Can Help

For App Users: 

When you download Q-Scout, you’ll be presented with valuable insights into how the current applications installed on your devices interact with your personal data. Within minutes of activating a scan, the Q-Scout app notifies you about where your data is going, excessive permissions being requested, and steps to take to address these within your device settings. Scans can be automatically set to occur, and simple notifications continuously alert you if your data is compromised.

For IT Teams:

IT Teams can define specific and clear security policies within the Q-Scout Management Console, blocking risky activities on all enrolled devices before granting access to any business-critical data. Once a policy is enabled or updated, notifications and details can be distributed through in-app notifications to all enrolled devices. Those who suddenly find themselves outside of these security standards are given detailed steps to take to self-remediate and regain access to their business applications.