Android App Permissions: When Should You Worry?


Smart Phone Class Permissions for App (GEN 8/28/2013)

I asked a knowledgeable person the three most important things I should tell the class. I was told the 1st was to check the permissions for an app before you downloaded it. Well, I really didn’t understand what that meant until I read the article below. With Android apps you are allowed to view the permissions required by the app; with iOS apps you are not allowed to view them; I’m Apple, trust me… If you do not like the permission requirements for an app, don’t download it or uninstall it; you can always find another.

Android App Permissions: When Should You Worry?
http://droid.usedavesvoice.com/android-app-permissions-when-should-you-worry/

Every day I see comments on apps in the Android Market (Google Play) where people give a “1 star rating” and write things like, “Too many permissions!”… or “Why do you need permission to [fill in the verb]??” I’d like to take a moment to voice my opinions about Android Permissions; what they mean, why they are necessary, how you can tell when they are too invasive, and where Google can improve on the Android API.

First, I want to start with over-reaction. Too many people freak out when they see permissions required for apps that aren’t necessarily as bad as they sound. For instance, if you are installing a free game that says it needs “Full Internet Access”, “Read Phone State and Identity”, and “Modify/Delete SD Card Contents”, these permissions are acceptable in most cases.

The “Full Internet Access” is most likely because the app has advertisements that are loaded over your data connection, and that is the price you pay for a “free” app. (I’ll get to Air Push ads in a minute). “Read Phone State and Identity” is common, and it usually only means that the app needs to know the “state” of the phone so that it can pause if a phone call comes in, and resume after the call has completed.
And “Modify/Delete SD Card Contents” could be for a number of reasons, but don’t assume the developer has evil intentions of deleting all of the files on your storage card. More likely, this permission is to save game state, high scores, achievements, temp files, and downloaded content or graphics.

Now, when should you worry about permissions? Use common sense and think about what the features of the app are, and that will help you determine if the permissions required are over-stepping their boundaries. If you are installing a Calculator app that doesn’t have ads embedded in it, then there honestly isn’t a reason for any permissions to be required. What does a calculator need Internet access for? Why would it need to track your location? Why would it want to read your contacts? If something simple like a Calculator app needed these kinds of permissions, then I’d be a little suspicious and search for another one.

Apps that require “coarse” GPS location don’t really bother me if I can justify why they need my general location (is it a social app that wants to let me know what’s going on in my area?). But apps that require “fine” GPS location make me wonder why – unless its purpose is to help me navigate somewhere (like Google Maps). An app that wants to know “fine” GPS location can pinpoint you in the living room of your home, or at your favorite bar – think about that before you install an app that requires that accurate a location of your whereabouts.

If an app requires permission to “Directly Call Phone Numbers” or other communication that falls under the “Services That Cost You Money”, it doesn’t mean that the app is going to call Tokyo while you are sleeping. If the app’s purpose is a Launcher, it may re-skin your dialer or supply you with contact widgets so that you can tap on a friend’s face to call them.
Then the app probably needs the permission to “Directly Call Phone Numbers” because it is cutting out the need for you to dial a number by allowing you to tap on an icon/widget. The app is now dialing on your behalf. If an app has no features or functions listed in its description that lead you to believe it needs the ability to dial a phone number for you, maybe stay away from it.

Trust.

A big part of keeping your Android and your personal information safe and secure is actually placing trust in app developers. In most cases, you don’t know if they are large established software companies, or a 13-year-old programming in his bedroom with malicious intent. So how do you know who to trust? There is comfort in large numbers. If an app has had 100,000+ downloads and a rating of 4-5 stars, chances are it’s pretty safe to install. Basically, that’s 100,000+ beta testers that have already taken the risk and installed the app, and if that large of a group doesn’t have bad things to say, you should feel confident.

Don’t just rely on the number of downloads and the “star ratings”! Read reviews! Lots of them. I will normally scan the first 10-20 to see what the general feeling is… If I see some negative comments in the first 10-20 reviews, then I will read further. Different people and devices are going to have different experiences with just about every app out there. You may see several comments that say “App force closes”, or “Why all the permissions?”, or even “Since I installed this app, my phone is SLOW”. If you only see one or two bad comments like this among hundreds of positive reviews – then it could be operator error, or something specific to that person’s Android device. If you read enough reviews before installing an app, you can do a quick mental tally of how many bad things are said about it and make a more informed decision.
I have many friends and family members that need me to “fix” their Androids frequently because it is all of a sudden running really slow, or has advertisements popping up in the notification bar, or other weird things are happening. Honestly, nine times out of ten the cause was a rogue app that they can live without anyway.

Some people don’t read, they just “click, click, click”… “Are you sure you want to…”, “YES”, “Important, please read this….”, “OK”, “Do you agree to the terms of this…”, “YES!”. End User License Agreements (EULAs) are too long to read and usually written by lawyers, so nobody really reads them. The fact is, if you don’t accept the EULA, you can’t use the app… so of course you’re going to accept it.

However, many times I’ve been skeptical about an app and why it wants permission to access my contact list, emails, browser history, location, etc. – and I will read the EULA. There have been instances that I declined the agreement because the EULA basically gave exclusive rights to the developer(s) to build a complete profile on me and use it for who knows what. I’m not paranoid, but even if I were willing to give up MY personal information, I have to think about the hundreds of phone numbers, email addresses, home addresses, etc. in my contact list. Would those people appreciate the fact that I handed over their information just so I could play a game on my phone? Probably not. So, even if you can’t read a EULA, skim through the “How we use your personal data” and “Your privacy” sections if the app requires permission to access your contacts, emails, location, etc.

Google, you can help make permissions easier to understand!

From what I’ve seen, the Android API isn’t broken down into small enough pieces, and that’s why some apps seem to require way more permissions than they need to do a simple task. In these cases, it isn’t the developer’s fault – it’s Google’s.
If the app needs to pause when a phone call comes in (for instance a music app should stop playing when the phone rings), then the permission necessary to do this shouldn’t be the whole wrapper of phone commands, “Read Phone State and Identity”. Why can’t there be a direct call to the “state” of the phone, without the “identity”? Identity is your phone number, serial number of your Android device, the number of the call you’re connected to, etc. All this is being given up to the app, when all it wants to know is if the phone rings. Silly.

And this is only one group of permissions. The same can be said for “Your Personal Information”, which is a pretty big wrapper that includes in it, “Read Contact Data” – which allows it to do exactly that… access to all of your phone numbers, addresses, emails, messages, etc. Maybe the app that required this massive permission only wanted to be able to remind you of your friends’ birthdays that are stored in your contact list. Oh well, Google gave them the whole enchilada… let’s hope they use your personal data responsibly.

Closing.

I probably sound a bit like I’m ranting, and I might be… but I feel like I answer the same questions over and over again, and fix the same problems on people’s Androids repeatedly because they don’t listen. They don’t read. They don’t take it seriously – until their phone doesn’t work and then it’s an emergency and Dave needs to come to the rescue. Just take a moment to investigate an app before installing it, that’s all I’m suggesting.

A lot of people are under the impression that Androids can’t get viruses and that it doesn’t matter what they download or install. While I’ve not seen any real viruses on Android, I have seen Malware and Spyware and that’s just as bad.

Have you seen the apps that are using Air Push advertising yet? They are quite annoying and you might pull your hair out trying to figure out where they are coming from and how to get rid of them.
Air Push is a crafty add-on that some developers are using to pop ads into your notification bar. I hate this idea. It’s one thing to have ads INSIDE an app while I’m using it (for free), but Air Push ads can pop up at any time on your phone. That’s like sitting in front of your computer with no applications running and having popup ads display on your screen… on a PC, it’s considered Malware, yet for some reason it’s acceptable on my phone? I don’t think so.

I’ll leave you with two links to check out on Google Play (Market):

1. This is a calculator app that requires a ton of permissions that seem ludicrous for something so simple. The developer states in the description that they are all necessary, but I’m not convinced. Click on the “Permissions” tab and take a look at the requirements. A calculator that needs “Fine GPS Location”? Why does my calculator need to know exactly where I am? If you see something like this, search for another calculator app. You’ll find plenty that require NO permissions. It’s a calculator!

2. If you are having the Air Push ads pop up in your notification bar like I mentioned above, this app called AirPush Detector will scan your phone and find out which app is pushing the ads so you can uninstall it. And guess what, it doesn’t require any permissions to do this.
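
The article's rule of thumb (compare what an app requests with what its features can justify) can be automated against a decoded, text-form AndroidManifest.xml. The sketch below is an added example, not code from the original article; the category names, the per-category expected sets, the `review` helper and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping: permissions the article treats as explainable per kind of app.
EXPECTED = {
    "calculator": set(),  # "there honestly isn't a reason for any permissions"
    "ad_supported_game": {P + "INTERNET", P + "READ_PHONE_STATE",
                          P + "WRITE_EXTERNAL_STORAGE"},
    "navigation": {P + "INTERNET", P + "ACCESS_COARSE_LOCATION",
                   P + "ACCESS_FINE_LOCATION"},
    "launcher": {P + "CALL_PHONE", P + "READ_CONTACTS"},
}

# Permissions the article singles out: precise location, contacts,
# calls that cost money, and phone identity.
SENSITIVE = {P + "ACCESS_FINE_LOCATION", P + "READ_CONTACTS",
             P + "CALL_PHONE", P + "READ_PHONE_STATE"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries with no android:name


def review(manifest_xml, category):
    """Split permissions the category does not explain into two buckets."""
    unexplained = requested_permissions(manifest_xml) - EXPECTED[category]
    return {
        "worry": sorted(unexplained & SENSITIVE),      # look for another app
        "question": sorted(unexplained - SENSITIVE),   # may just be ads
    }


# Constructed sample: a "calculator" asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for category in ("calculator", "navigation"):
        print(category, review(SAMPLE_MANIFEST, category))
```

The same manifest yields different findings per category: fine location is flagged for a calculator but explained for a navigation app, while contact access is flagged for both.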
