Do App Permissions Tell Us All We Need to Know?

Granting an app a half-dozen permissions it doesn’t seemingly need is a huge problem for users on Apple and Android devices. You might have noticed, for example, how Pokemon Go requested access to see and modify nearly all information in its players’ Google accounts. Why does it need to be able to edit our information? It’s not obviously clear what the app intends to do with the information, either.

It’s blunders like these, along with Facebook’s recent data privacy scandal, that bring to light user privacy and data abuse potential. App permissions are something we deal with on a daily basis; they affect our day-to-day experience with our mobile devices. After all, if you can’t trust the software on your own phone, what else can’t you trust?

The Truth of the Matter

An Android developer recently noted that app makers can pull bearing, altitude, and single-location objects once you grant the app location access. This results in an accuracy down to “roughly which floor of a highrise you live on.”

Android’s developer documentation states “it’s a good idea to explain to the user why your app wants the permissions before calling requestPermissions(),” but we know not every app follows best practices. Some apps just add “and more” to their reason for requesting access, which just isn’t enough these days. Snapchat’s reason for requesting microphone access is “to record audio for Snaps, video chat, and more.”

Ish Shabazz is an iOS app developer. He says if you give an app permission to always have access to your location, “an API keeps track of how frequently you visit a location. There are legitimate and friendly ways that this data is used. However, if you’re nefarious, I’m sure that info could be used in non-helpful ways.”

A big part of the discomfort users feel with app permissions is not only the reason for requesting access; there is a mass confusion on what exactly these companies are doing with their users’ data. How much is being sold to ad companies? What data breaches have occurred recently? These are all important questions that are never answered or are answered with a vague response.

Android and iOS apps can access your microphone, camera roll, cameras, location, contacts, calendar, motion sensors, social media accounts, and speech recognition. In effect, these permissions could allow a bad actor to create a false identity on someone’s phone or plant false data.

No Policing Policy

Unfortunately, the authorities running the app stores and maintaining app quality control differ in their approaches to app permissions. Both iOS and Android rely on the app developers to follow their guidelines, with little to no enforcement. App makers, on the other hand, don’t want to turn off users by listing long or technical reasons for requesting access.

Furthermore, Android and Apple devices from London to Los Angeles are seeing differing permission requests, since European law and American laws vary. If the app is the same, why can permissions change?

In general, Apple has been better about policing app permissions compared to Google. The revelation that Facebook stored call logs of its Facebook app users also came with the fact that iOS doesn’t allow apps to access call logs; this means only Android users’ call logs were downloaded by Facebook. Apple requires its developers to show the “only when using the app” option for location access, which Android has yet to roll out.

What device do you have? How many apps’ permissions are you concerned about?