When you install an Android app, it rarely comes with access to everything it needs. Apps require access to different components and data on our Android devices to work as intended, and in most cases, we have to grant them permission to do so.
In theory, Android app permissions are a great way to ensure our safety and protect our privacy. In practice, however, these permissions aren’t always shown prominently or described in much detail, and we may be completely unaware of the fact that we just gave a beauty camera app our full blessings to record audio, track our location, or go through our contacts list. In fact, some apps harvest our data even when we deny them access to personal information. And the situation seems to only be getting worse with each passing year.
With that in mind, we at CyberNews wanted to see if requests for dangerous permissions in Android apps are really getting out of control. To do this, we examined the top 1020 apps on the Google Play store and analyzed the permissions they were asking for.
What we found was rather alarming: requests for dangerous permissions were incredibly common among the top Android apps. Not only that, permissions that are particularly invasive, such as access to your camera, location, and microphone were frequently requested by apps in categories that should have no business asking for them.
In principle, app permissions are supposed to prevent others from violating your privacy by letting you control what data you give up. Sadly, when every other app wants to track your location or read you call logs, it seems that the principle might no longer hold true.
Click to jump ahead:
- Apps in the Health and Fitness, Communications, and Productivity categories asked for the highest number of dangerous permissions on average.
- 36% of apps requested camera permissions.
- 33% of apps wanted to track your location.
- 21% of apps asked for access to your microphone.
- 7.8% of apps asked for permission to make direct calls.
- 4% of apps wanted to access and modify your contact book.
- 5% of apps asked to read calendar events, while 3% wanted the ability to modify them.
How we collected and analysed the data
In order to conduct this investigation, we downloaded the top 1,020 apps (sorted by total install count) on the Google Play store, separated these apps into their respective categories, and analysed their manifest files for permission data.
During our analysis, we used Google’s permission policy from the official Android developer portal as the standard to identify dangerous permissions that allow apps to access your private data.
Individual apps vs. app categories
For each individual application we analysed, we generated a list where we looked at how many permissions the app was requesting overall and how many of those were dangerous.
To gain a better understanding of the necessity of asking for dangerous permissions, we also looked at how those permissions were distributed across app categories. To do that, we assigned two permissions lists to each app category: the total number of permission requests per category, and the number of unique permissions per category, where we didn’t count recurring permissions asked by multiple apps in the same category.
To see which app categories included apps that requested the highest number of dangerous permissions on average, we created a danger score index for app categories, where we calculated the average percentage of dangerous permissions requested by apps within a given category. We derived these scores by dividing the number of unique dangerous permissions by the average number of overall permission requests in the category.
The most common permissions
Unsurprisingly, the most popular permissions, requested by 99% of top Android apps, were those for full network access and the ability to view network connections, which allow an app to connect to the Internet, while 72% of apps asked for permission to view wifi connections.
Meanwhile, the permission to run at device startup, which allows an application to start without prompting the user when booting up the device, was also asked by the majority of the apps we analysed, clocking at 64%.
When it comes to dangerous permissions, requests to read external storage (77%) and modify or delete external storage (73%) were made by approximately three in four apps. On the one hand, these are generally used by apps to read and store app- or user-related data on the device or things like external SD cards. On the other hand, these permissions can be very dangerous if the app gets compromised: the threat actor would get full access to your mobile storage.
Apps in these categories ask for most dangerous permissions
As we can see, apps from the Communication (49%), Lifestyle (48%), and Maps and Navigation (47%) categories had the highest percentages of unique dangerous permission requests compared to apps in other categories.
Does it mean you should immediately delete your favorite navigation app or cancel all your remote meetings? Of course not.
“It goes without saying that apps from any category might ask for dangerous permissions. For example, you’d expect a communication app to ask for access to your phone book and Android accounts, while a navigation app wouldn’t raise any eyebrows by asking to track your location,” says Vincentas Baubonis, CyberNews security researcher who analyzed the app data. And if you were to block all dangerous permissions for every app, none of them would work.
But even though they might pose no danger right now, most of the apps from these three categories want to have nearly universal access to your device and the data stored on it. According to Baubonis, this means that they have the potential to become incredibly dangerous if compromised. In fact, there are many examples of threat actors exploiting bugs in legitimate apps that have escalated permissions to gain access to your data.
“So, before you install an app from any of these categories, be extra careful when making sure it only asks for permissions that are necessary for it to function,” concludes Baubonis.
36% of apps want to use your camera
Having the ability to take out your phone and take a picture with the click of a button has become an integral part of owning a smartphone.
However, letting an app use your camera can sometimes backfire. For example, attackers can take control of apps that are allowed to use the camera in order to take photos and record videos via malicious applications that have no permissions to do so. And this can be especially relevant if the app in question has no reason to use your camera in the first place.
To illustrate the point, our analysis found that 36% of apps ask for permission to use your camera.
Does every third Android app really need your camera to function?
The answer is ‘probably not’: after filtering out apps from categories where using a camera would make sense, such as photography, parenting, dating, social, beauty, etc., we were left with a whopping 151 apps that request camera permissions in categories like gaming, personalization, and even astrology. This was the first (but far from the only) time we were left scratching our heads at the number of apps asking for seemingly unnecessary permissions.
One in three apps would like to track your location
Another pair of dangerous permissions, whose prevalence among top Android apps was quite unexpected, were related to tracking your whereabouts. Just like with using your camera, the ability of an app to see where you are at all times is highly sensitive and invasive.
And yet, 33.5% of apps we analyzed asked for permission to view your precise location, while 31% wanted to at least know your approximate location based on network signals.
Once again, we excluded the usual suspects like weather, sports, navigation, and dating apps, which would presumably require your location data to do their jobs. What we were left with were 108 apps from categories like wallpapers, fonts, and casual gaming, which needed to track your location because of… reasons?
One in five apps wants to record your conversations
Unless it’s about communication, social media, or virtual assistance, you should always be sceptical when an app asks for permission to access your microphone. Otherwise, granting this dangerous permission to less than reputable apps may result in your conversations being recorded without your knowledge by third parties. And mind you, even some of the top apps on Google Play in a given category can be far from reputable.
In light of this, seeing 21% of the top 1020 Android apps ask for microphone access was quite unsettling, to say the least.
Now, what would a wallpaper app be without the ability to record your conversations?
This is precisely the question we asked ourselves after we filtered out the app categories whose microphone permission requests made sense. This time, we were left with 148 apps across 13 categories like finance, lifestyle, and yes, wallpapers, asking for permission to eavesdrop on you and those around you. Creepy.
Making direct calls to your contacts
Out of the 1020 Android applications we analyzed, 80 apps (which amounts to about 8%) asked for permission to make direct calls. Fortunately, most of these apps were from categories like communication, business and social media, where the ability to make calls made at least a modicum of sense.
With that said, we also noticed that 23 apps in categories such as weather, books, and music were asking for permission to directly call other phone numbers. While less prevalent than the likes of camera or microphone access, this permission is no less dangerous.
What’s more, out of those 80 apps, more than half (43) ask for permissions to add, modify, or delete your contacts, with 15 apps coming from categories that should have no reason to access your phonebook, such as gaming, photography, and – you guessed it – wallpapers.
Apps with social features usually need such permissions in order to function. However, you should think twice about giving contact-related permissions to apps that have no need to use such information.
For example, a malicious or compromised flashlight app that you absent-mindedly gave the permission to modify your phonebook could use an email address from your contacts to send you a message with a phishing link.
Or, coupled with making direct calls, contact permissions can be exploited by threat actors by adding and calling paid numbers from your phone in order to balloon your phone bill or drain your prepaid credit in a matter of hours.
Messing with your calendar
If you grant an app calendar permissions, it means you let it “add or modify calendar events and send email to guests without owners’ knowledge.” Much like with contacts-related permissions, bad actors can use your calendar against you for a variety of purposes, including stealing your personal data or scraping and spamming your entire contact list with malicious messages.
Thankfully, less than 5% of top Android apps asked for permission to read the calendar, and only 3% wanted to add or modify calendar events.
But even then, after sifting out applications from categories like business, productivity, events, and social, we were left with notable exceptions. Hailing from categories such as music streaming, beauty, and weather, 17 apps asked for permission to read the calendar, while 15 wanted to modify calendar events.
Dangerous permissions on Android: how much is too much?
Presumably, Android permissions were created to protect our privacy. And on paper, they might do just that. But when was the last time you saw an app only ask for normal permissions?
The percentage of apps that needlessly ask for unrestricted access to our whereabouts, device usage, and communications is highly alarming, if not objectionable.
And with so many Android apps requesting so much access to our data, what happens when that data gets into the wrong hands? It’s almost every week that we hear about a new cybercrime campaign that was able to infiltrate another massively popular app on the Google Play store and expose the data of tens of millions of unsuspecting people.
How can we lessen the risk of such privacy and security disasters? Well, it might not be the ultimate be-all end-all solution, but asking for less unnecessary permission could be a start.
Keep this in mind when granting permissions to Android apps
If you’re concerned about the privacy and safety of apps on your Android device, here’s what to look out for:
- Too many permissions: if a flashlight app insists on accessing your microphone, consider looking for a less invasive option.
- Developers you’ve never heard of: if an app is not made by a reputable company, consider sticking to trusted options from developers you already know, no matter its popularity. Billion-strong download counts guarantee neither quality nor security.
- If it’s free, you’re probably the product: many free Android apps engage in unethical advertising or simply mine your data and sell it to third parties. In light of this, make sure to take it into consideration before granting dangerous permissions to any free app.
More great CyberNews stories:
Subscribe to our monthly newsletter