[Image: Facebook permissions]

If you’re really honest, do you actually read the permissions that Android apps are asking for before you install them? If you do, then there’s little doubt that you’re in the minority. Most of us treat them like terms and conditions, blindly clicking, or tapping, our way through. Is this something we should be taking more seriously? What are we actually giving away here?

Developers are well aware that most people don’t pay much attention to permissions and a lot of them have been surreptitiously adding more and more permissions to the list. Take a look at this chart of permissions for some of the most popular apps and games around.

Do these apps really need all these permissions? If you dig into the list, which you can find via the View details link under Permissions on the Play Store page for each app, then you’ll find some pretty puzzling requests.

The popular game Cut the Rope, for example, requests permission for your Location, and yet the Privacy Policy from developer ZeptoLab specifically states “Geo-Location Data. ZeptoLab does not ask you for, access, or track any location based information at any time while downloading or using ZeptoLab’s mobile applications or services.”

I emailed and asked about it, and here’s what Community Manager Olga Antsiferova told me:

“Location data is needed for advertising SDKs to show people the ads which are relevant to their country. It is also used in both free and paid version of our games to identify countries with COPPA law. Finally, it is used in analytics, but it is important to understand that we gather only general, not personified info (i.e. “today we received 10k downloads from UK”) and we do not track individual devices.”

I’m not singling Cut the Rope out for any particular reason, by the way. You could pick an app at random and probably find a permission that’s puzzling at first glance.

What’s the problem?

A spotlight, or flashlight, was thrown on the issue a while back when popular free app Brightest Flashlight turned out to be selling location data and device ID information to third party advertisers. It transpired that it was far from the only app engaging in a fire sale of our personal data. A lot of flashlight apps are asking for permissions they absolutely do not need to function. It’s not a phenomenon that’s restricted to flashlight apps.

[Chart: flashlight apps permissions]

In all likelihood what we’re talking about here is the sale of anonymized data to advertisers, so that developers can generate a little extra cash. Some of you might be okay with that. But you’re actually putting a lot of trust in these developers. It’s one thing to trust that Google isn’t going to do anything untoward with your personal data (and some people struggle with that idea), but how much do you know about the publishers and developers behind the apps you’re using, or the third-party advertising networks that they work with?

Is there a worse scenario? Are you giving them the permission to do things like upload all your personal photos to a web server or sell your contacts list? While it may be technically possible in some instances, it’s extremely unlikely that they’re actually doing that; it’s illegal and they wouldn’t get away with it for long. The most likely explanation is generally innocuous: an app might want access to your photos to allow you to upload an image directly in the app without having to jump through hoops or quit the app and start up the gallery app.

The problem is that most people don’t really know what the permissions mean, they aren’t willing to research it, and they don’t want to have to. What they really want is to be able to trust that someone else is looking out for them.

Google does have your back, up to a point

The Play Store is pretty secure. Google does a lot of work behind the scenes to make sure that the apps on offer are safe. Most of the scaremongering about malware on Android is designed to sell security apps. If you only ever download apps from the Play Store with high numbers of downloads and a good review score, and you don’t tick the Unknown sources box in Settings > Security then you realistically have nothing serious to worry about.

[Image: Google Verify Apps defense. Credit: Quartz]

The trouble kicks in if you’re concerned about privacy. If you don’t like the idea of giving strangers potential access to a lot of personal data. If you don’t like the idea of them collecting information about your habits. There’s a gray area of acceptability there that Google isn’t policing.

Your only real option if you don’t like the permissions that an app is requesting is to not install it. But, why is that the case?

Puzzling changes

Google simplified app permissions last summer (some people will say dumbed down) and things are grouped into sections now. This was supposed to make it easier for people, but it actually makes it tougher to see what specific permissions you are granting. It also means that an app can request a new permission in an update and if you’ve already granted a permission in that section it’s automatically granted without your say-so.
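One way to audit an update for the behaviour described above is to compare the permissions declared by two versions of an app and flag additions that fall inside a group you already accepted. This is an added example, not code from the article; the group table is a small illustrative subset assumed for the demonstration, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: partial, illustrative mapping of permissions to display groups.
GROUPS = {
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.WRITE_CONTACTS": "Contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
}

def permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def review_update(old_xml, new_xml):
    """Classify permissions added by an update.

    same_group: group already accepted, so no new prompt per the article
    new_group:  group not accepted before, so the user is asked
    unmapped:   not in GROUPS, needs a manual look
    """
    old, new = permissions(old_xml), permissions(new_xml)
    accepted = {GROUPS[p] for p in old if p in GROUPS}
    report = {"same_group": [], "new_group": [], "unmapped": []}
    for perm in sorted(new - old):
        group = GROUPS.get(perm)
        key = "unmapped" if group is None else (
            "same_group" if group in accepted else "new_group")
        report[key].append(perm)
    return report

def sample_manifest(names):
    """Build a constructed manifest for the demonstration."""
    rows = "".join('<uses-permission android:name="%s"/>' % n for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.demo">%s</manifest>' % rows)

P = "android.permission."
OLD = sample_manifest([P + "ACCESS_COARSE_LOCATION", P + "READ_CONTACTS"])
NEW = sample_manifest([P + "ACCESS_COARSE_LOCATION", P + "ACCESS_FINE_LOCATION",
                       P + "READ_CONTACTS", P + "WRITE_CONTACTS",
                       P + "SEND_SMS", P + "VIBRATE"])

if __name__ == "__main__":
    for kind, perms in review_update(OLD, NEW).items():
        print(kind, perms)
```

Run against decoded manifests of the installed and the updated version, the `same_group` list is the part worth reading before accepting the update.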

We need better control over permissions

There are a lot of other ways this could work. You could be asked for a permission when an app actually needs to use it, but this could arguably impair the user experience. You could also have a clear menu where you can go in and deny specific permissions, or tell the app to ask when it needs that permission. Something like App Ops which Google rolled out and then retracted.

Google brought App Ops out in Android 4.3, though it was never advertised. It was quietly removed in Android 4.4.2. It allowed you to revoke specific permissions for apps. Officially Google claimed it was only ever intended for developers. It’s possible part of the reason it was removed was to prevent stability issues for apps if users started revoking permissions all over the place, but realistically it probably had a lot more to do with advertising revenue. If you could use free apps and easily block permissions that generate ads (and revenue for the developers) then you probably would, right? That could make Android app development unprofitable for many.

What can you do?

The bottom line is that most developers are asking for permissions because of some function or feature in the app and the request is legitimate. There’s another tier of apps that are trying to turn a profit by selling anonymized data. Unfortunately it’s not always easy for the average person to tell the difference. If you’re concerned, then make sure you read the permissions and the privacy policy. There’s no substitute for doing a little digging to see what you can uncover. If you routinely download apps from outside the Play Store then you really can’t afford to ignore permissions.

You can find a bunch of permission managers in the Play Store, many confusingly called App Ops or some variant. If you’re rooted then check out X Privacy Installer for smart protection that won’t make the apps fail.

Tell us what you think. Do you read app permissions before every install? Are you worried about leaking personal info? Do you care about anonymized data for advertisers? Is Google doing enough to protect our privacy?

Simon Hill
Simon is an experienced tech writer with a background in game development. He writes for various websites and magazines about the world of tech and entertainment. He uses Android every day and is currently permanently attached to his Galaxy Note 5.
  • mirekk

    I reduce the number of apps with “critical” permits (contacts, call log, location, mike, camera) installed on my smartphone to bare minimum, thus reducing the number of third parties that have access to such data.

  • namesib

    XPrivacy. :)

    Go Launcher is ridiculous though; I was using it when I had the S2 and noticed it was transferring data quite frequently, even when I disabled any settings that would require a connection. I’m not using anything from that company any more.

    • TDN

      Yeah, I used Go for about ten minutes and realized it is a dumpster fire.

  • Miguel

    Fast for Facebook has very few permissions ;)

  • Reap

    Good issue to address, thank you for that AA! Personally I think this is the absolute biggest problem on Android right now, and the only thing I have ever been jealous of, of the iDevices. I hope in the future you don’t accept permissions beforehand, but only when the app needs access to them. I am not here for the apps, the apps are here for ME! Let me decide what an app can do on my phone not the other way around…

    • mi

      using xiaomi phone with built in permission manager. full control here.

      • Tomi Gjeka

        Appops gets the job done quite well ;)

  • Roby

    That feeling when you install an app without permissions…

  • I run Chroma ROM on my N5, and disable most permissions with the built in AppOps.

  • cattleyah

    Yes, yes we should. We should also demand from Google the option to revoke permissions and be more explicit about them.

    You know, like BlackberryOS and J2ME did in 2004.

    • Mike W.

      They did for about 10 minutes, remember when they released that dev app? It’s really unconscionable that Google doesn’t allow users to control this. Some enterprising law firm is going to empty Google’s pockets the first time there’s a massive data breach.
      Google clearly sees the risk, clearly has the means to mitigate it, but chooses to recklessly put their customers at risk. Big class action $$’s.

  • W. Jurewicz

    It would be nice to have a sandbox where you could see what specific permissions/components were being used and at what time, and be able to feed random/customized data where need be.

    Edit: Something that would tell me whenever my microphone/camera is turned on without my knowledge.

  • frhow

    Root, then download App Ops and uncheck what you don’t want.

  • mantrik00

    Simple solution is for Google to scrutinise apps & determine the maximum number of permissions required vis-a-vis the functionality of an app. Or, at least Google should set more stringent criteria for allowing developers app permissions that are more intrusive and potentially dangerous. But sadly, if Google were to set such criteria most of its own apps will fall on the wrong side of the divide.

    • TDN

      Unfortunately, I don’t think Google wants to sink that many man-hours into policing their app store, they rely on user feedback to weed out the bad apps and remove them post damage. It really is a bad policy.

  • Charles7

    I block 90% of app permissions and don’t have a problem with them working… a major reason I’ll always be rooted.

    Google doesn’t want users to have control over their privacy, makes data mining and advertising more difficult.

  • TDN

    “It also means that an app can request a new permission in an update and if you’ve already granted a permission in that section it’s automatically granted without your say-so.”

    This is inaccurate and slightly “scaremongering” itself. Whenever an app needs a new permission, the user must approve the installation, whether they have auto-update on or not. I’ve seen numerous apps add permissions within a group and they still have to be approved.

    The real threats to security are the following:
    make phone calls
    send SMS/MMS
    read contacts
    write contact data
    read sensitive logs
    modify global settings
    display system level alerts
    change configuration
    expand status bar
    format file systems
    write secure settings
    install shortcut
    authenticate accounts
    install DRM

    But even these permissions can be okay in the right context.

  • Jake

    This is actually one of the primary reasons I switched to the iPhone 6 last fall. It seemed like almost every Android app wanted access to your contacts or your location and your only choice is to not use the app. The nice thing about iOS is you have fine-tuned control over what apps have what permissions, so I can still use Facebook for example without giving them access to my contacts or location.

  • carol argo

    You know the TLS was forcefully dropped to SSL3? I met a similar acting thing, it forcefully send me from say edge or better networks to g speed, the odd part? You can’t get out of g speed. You all need a restart. I was thinking of a bug, but it only does it at specific area, I will wait for google to be done reverse engineering, but first thing that came to mind was: another tls1 to ssl3 bug but at another level. So permission? Lol I bet android will adopt S.Q.R.L soon so I don’t think the permission system is broken (if you stick to google play, and if you meet a rogue app report it to google, they all ghost intal and see if it behave

  • I use CyanogenMod with its built in Privacy Guard, so I’m covered. I think the permissions system in Android does need an overhaul, though.

  • JG01

    I work in the IT sector and have been saying this for years… Google Android is NOT secure!! People forget how Google make their money… they make it by selling information!! Information they gather from web services and now the android platform which they created. They have been collecting data on every user since android was first launched. With the race to grow the app store, they allowed anyone to develop an app and publish it (I mean anyone!) with no oversight, they just wanted their cut of the price of the app. Now some of the biggest scams have occurred on the android platform with apps from the Google Play store. Google can also change their terms & agreements at will with or without your consent. If you use their software, then you are subjected to their terms, like it or not. Google is not your friend, nor is Facebook. They sell your information. The number one thing that people like about Android, is the ability to customize their phones. Both Apple and Microsoft are getting better at this allowing customization and are far more secure than Android. It will take Google the next two years to catch up to Apple and Microsoft for security. So, do you want to be vulnerable for the next two years?