Why you should ensure that all those apps on your smartphone only run with the permissions they reasonably need to do their job.
Friends mention exciting new apps or we see a promotion that requires an app to be downloaded, and the rush is on to download the app and start interacting with it. But do we consider the permissions needed by the app? Do we reconcile the permissions against functionality? Do we even bother reading the permissions? Unfortunately, the answer is probably a ‘no’, or at best it may be a ‘sometimes’.
Since October is dedicated to campaigns that promote cybersecurity and privacy awareness, let’s shine the spotlight on the growing importance of being mindful of what permissions we grant to mobile apps.
App permissions are complex, and it is not always obvious why an app may require a permission. Conversely, it’s sometimes abundantly clear that an app probably does not need a permission. Take, for example, a battery monitoring app: does it need access to my precise location or the ability to create new accounts? Probably not.
I recently watched the Netflix documentary ‘The Great Hack’, an in-depth examination of the data company Cambridge Analytica and how data collected, mainly through social media, was being used to persuade voters in elections how to cast their vote. The narrator, Professor David Carroll, expressed concern that by the time his daughter is 18 there will be about 70,000 data points defining her. The big takeaway from the program is that data has surpassed oil as the world’s most valuable asset.
While many of the data points will come from information that is voluntarily shared through social media and the like, it is more concerning when data is collected out of context or when least expected. Take the example above: a battery monitoring app needing my precise location seems to be out of context. Is the company tracking me? Why do they need this data point? The same permission is fully understood when using a map app and getting directions. Without my location, the map app would be lost. It may even feel like I have gone back in time to the days of paper maps and having no idea of where I am on the map.
A practical test
When downloading an app, remember that there are choices among apps that provide the same functionality. To demonstrate the differences between apps that provide similar functionality and the permissions requested, I searched for ‘battery saver’ in the Google Play store. Below is a table of the first 5 apps listed (in the order they were displayed):
The above is purely to demonstrate the differing number of permissions and how key permissions such as location and file access can differ on apps that have seemingly similar functionality.
Managing the apps on your phone and the permissions they have is good housekeeping. Rather than playing Candy Crush at the departure gate or bus stop, take a few minutes to uninstall unused apps and take a look through the permissions of apps you decide to keep.
You can check the app permissions you have enabled by heading to the Apps section of Apps & Notifications. Find the app, scroll down until you find permissions, and take a moment to review them, toggling off any that you don’t think are necessary.
There is also the ability to do this by feature. For example, if you look at Camera permissions you can see all the apps that have this permission and toggle them on/off as you see fit. Declining an app certain permissions does not mean it will stop functioning altogether; it may just limit the functionality.
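The same review can be scripted for readers comfortable with a command line. The following is an added example, not part of the original article: it parses a constructed, simplified sample in the layout of `adb shell dumpsys package <package>` output and lists granted permissions that the app's stated function does not explain. The package name, the sample text and the `EXPECTED` set are assumptions made for illustration.

```python
import re

# Constructed sample, simplified from the layout of
# `adb shell dumpsys package <package>`; the package name is made up.
SAMPLE_DUMP = """\
Package [com.example.batterysaver] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.WAKE_LOCK
    android.permission.ACCESS_FINE_LOCATION
    android.permission.CAMERA
    android.permission.READ_CONTACTS
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.WAKE_LOCK: granted=true
  runtime permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=false, flags=[ USER_SET ]
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

# Assumption: what the reviewer decides a battery monitor reasonably needs.
EXPECTED = {"android.permission.INTERNET", "android.permission.WAKE_LOCK"}

# Matches lines such as "    android.permission.CAMERA: granted=false, ..."
GRANT_LINE = re.compile(r"^\s+([\w.]+): granted=(true|false)")


def granted_permissions(dump):
    """Return the set of permissions the dump reports as granted=true."""
    granted = set()
    for line in dump.splitlines():
        m = GRANT_LINE.match(line)
        if m and m.group(2) == "true":
            granted.add(m.group(1))
    return granted


def out_of_context(dump, expected):
    """Granted permissions that the app's stated function does not explain."""
    return sorted(granted_permissions(dump) - set(expected))


if __name__ == "__main__":
    for perm in out_of_context(SAMPLE_DUMP, EXPECTED):
        print("review or revoke:", perm)
```

Permissions that were requested but declined, such as the camera in this sample, are not reported, since only granted ones give the app access.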
If data is truly more valuable than oil, then understanding the value of our personal data is essential as companies will be motivated to collect it to generate revenue. We, the consumers, must step up and engage in controlling, or at least understanding, the data we trade with companies to gain access to their services.
written by Tony Anscombe, ESET We Live Security