3 Sketchy App Permissions, and how to Stop them from Ruining your Day

Tuomas Rantalainen

02.07.16 5 min. read

The mobile app is often called (at least by me) the Swiss Army Knife of the 21st century. From finding out what song is playing on the radio to turning your phone into a metal detector, the array of functionality of mobile apps is nearly limitless. Apps use different components and data in your phone to fulfill their functions, and you need to allow each app to access these parts of your phone. We call these app permissions, and in theory, they are a great way to ensure our phones and tablets stay safe…

…except most of us are a little hazy on what we are actually signing up for. App permissions aren’t always described in much detail, and we may be blissfully unaware of the fact that we give an unknown party open access to incredibly sensitive data. We want you to keep enjoying the weird and wonderful rainbow of benefits mobile apps provide, but also give you a heads-up about what a few of these permissions can do, and give some general tips to avoid opening up your phone to malicious parties. These points are about app permissions on Android, as Apple does things a little differently (which you can read more about here). They’re also written with the newer Android operating systems in mind, and may vary slightly for older ones.

Contacts

According to Google, an app that can access your contacts has the ability to “use your device’s contacts, which may include the ability to read and modify your contacts”. Apps that have a social function generally need this permission to be able to use your contact information to do what they’re supposed to do. However, if an app has no need to use the information of the contacts on your phone, you should think twice about giving an app unrestricted access to those names and numbers. For instance, a malicious app could use an email address from your contacts to send you a file with a malicious link from an email address that looks just like one on your contact list.

Calendar

An app that has this permission enabled can “Read, add and modify calendar events as well as send email to guests without owners’ knowledge”. If you think that’s a lot of trust to put in an app you know nothing about, you’re a very sensible person and deserve a good pat on the back. Similar to contacts, the calendar permission can be used to know who your friends are, get their contact details and spam them. Worse still, you’re likely to have work contacts in your calendar that you wouldn’t even have in your address book. Keeping other apps out of your calendar will prevent the emails for your work acquaintances from accidentally finding their way into your address book, so for the sake of your privacy and work reputation, do be careful!

Phone / SMS

If social suicide or getting malware emails haven’t piqued your interest yet (and they really should have), draining your bank account might. The short summary of these two app permissions is that they can see who you’ve called or texted, and also call or text on your behalf. I probably don’t need to underline just how dangerous this can be, so let’s instead look at when an app DOES have a legitimate reason to call or text on your behalf. Apps that replace dialers, for instance, will need this permission, but ringtone apps don’t. Apps that let you modify texts and attach things to them (anything that shares media) can have legitimate reasons for the SMS permission. The bottom line is: carefully consider ANY app that requires one of these two permissions.

A few tips to remember

A little care and common sense go a long way, and I’m not just talking about avoiding household accidents. Just stick to these few guidelines, and the chances of you handing over vital and sensitive data will be drastically reduced.

  • Seriously reconsider if you plan to download an app from anywhere other than Google Play (or another official app store). While Google does not have the same strictness of criteria for apps as the Apple App Store, downloading an app from an external website skyrockets the risk of it being malicious.
  • Take a few seconds to review app permissions when you download an app whose developer you do not implicitly trust, and ask yourself if an app really needs all the permissions you are giving it. A handy list of what all the current app permissions mean can be found at the Google support website.
  • Worried about apps you’ve already downloaded? You can review which apps have access to a particular permission by going to settings -> apps/application manager and touching the gear icon on the top right. From there you can click app permissions and see which apps have access to your calendar, making calls etc.
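
For readers comfortable with a command line, the same review can be done for every app at once. The following is an added example, not part of the original article: it parses a constructed, simplified excerpt modelled on `adb shell dumpsys package` output and lists the apps that have been granted permissions in the groups discussed above. The package names and the exact line layout are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Permission groups the article singles out, mapped to Android permission names.
SENSITIVE = {
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "Calendar": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "Phone": {"CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG", "READ_PHONE_STATE"},
    "SMS": {"SEND_SMS", "READ_SMS", "RECEIVE_SMS"},
}

# Constructed sample (hypothetical packages), simplified from dumpsys layout.
SAMPLE_DUMP = """\
Package [com.example.ringtones] (1a2b3c):
  runtime permissions:
    android.permission.READ_CONTACTS: granted=true
    android.permission.SEND_SMS: granted=true
    android.permission.READ_CALENDAR: granted=false
Package [com.example.dialer] (4d5e6f):
  runtime permissions:
    android.permission.CALL_PHONE: granted=true
    android.permission.READ_CALL_LOG: granted=true
Package [com.example.flashlight] (7a8b9c):
  install permissions:
    android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)")

def audit(dump):
    """Return {package: {group: sorted granted permissions}} for sensitive groups."""
    report = defaultdict(dict)
    package = None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            package = m.group(1)  # start of a new app's section
        elif (m := PERM_RE.match(line)) and package and m.group(2) == "true":
            for group, names in SENSITIVE.items():
                if m.group(1) in names:
                    report[package].setdefault(group, []).append(m.group(1))
    return {pkg: {g: sorted(p) for g, p in grp.items()} for pkg, grp in report.items()}

if __name__ == "__main__":
    for pkg, groups in audit(SAMPLE_DUMP).items():
        for group, perms in groups.items():
            print(f"{pkg}: {group} -> {', '.join(perms)}")
```

In the sample, the ringtone app holding Contacts and SMS access is the kind of mismatch worth a second look, while the dialer's Phone access matches its purpose.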

In theory, app permissions are a great way to protect devices by limiting the parts of your device that apps have access to. In practice, the fact that their descriptions can be ambiguous, coupled with the fact that they are not opt-in but must be granted for the app even to function, makes them easier to exploit.

Tuomas does user interface design and assorted writing tasks for privacy app Freedome VPN, which incidentally requires no app permissions whatsoever.
