Android financial apps too greedy for permissions


Android apps usually require excessive permissions. But financial apps go a step further into dangerous territory, asking for even more access and posing heightened risks to privacy and security, a Cybernews research team investigation into 50 apps reveals.

Android dominates the global mobile operating system (OS) market with a share of 70.5%, according to Statista. But while this popular OS offers developers great flexibility for creating apps, it comes as a double-edged sword in regard to user data protection and privacy.

Cybernews researchers have already shown the intrusive nature of Android apps. In the most recent research, they looked at 50 apps dedicated to personal finance, such as payment providers, investment, crypto platforms, wallets, and others.

“Maintaining a balance between user convenience and safeguarding sensitive data and privacy is a crucial challenge,” Cybernews researchers write.

They found that over half of financial apps request access to a camera, precise location, storage, contacts, and phone state. Around a third of apps ask for permission to record audio, and a fifth – the ability to call or access accounts associated with the device.

Highlights

  • 82% of apps wanted to use the camera
  • 78% of apps were interested in what files you store
  • 60% of apps requested permission to track your precise location
  • 54% of apps asked for contact access
  • 52% of apps wanted to read the phone state
  • 38% of apps asked to record audio
  • 20% of apps asked for permission to make direct calls

Some of the most intrusive apps combined many dangerous Android permissions. Launched at startup and kept running in the foreground, such a dubious crypto app may as well be a spying vehicle: it has the same access as spyware, and a user could not tell the difference.

“A well-designed app should only request permissions essential for its functionality. Users should always exercise caution when granting app permissions and review them carefully during installation or when prompted,” Cybernews researchers warn.

Financial apps permissions

The most common sensitive permissions

Out of 50 analyzed financial apps, 41, or 82%, ask for access to the device’s camera. This permission is used to access the device's camera hardware and capture photos or videos. The camera enables such features as taking pictures, recording videos, and conducting video calls. But do financial apps really need that?

“The most common use of the camera is for initial client identification. However, it would be hard to justify why the financial app needs this access after that. Users should be aware and remove this permission after the authentication process,” Cybernews researchers suggest.

The camera, privacy-wise, is one of your phone's most sensitive hardware components, potentially capturing visual information about the user and surroundings. Therefore, this permission should be granted sparingly and only with clear justification.

Of the tested financial apps, 78% want access to storage outside the app's own container, including external storage such as a microSD card. Those apps can read, modify, or delete files on your device, exposing them to loss, theft, or corruption.

“This includes user-generated files, photos, videos, documents, and other data, making the permission very sensitive. Apps requesting this permission should clearly explain why they need to write data to external storage and how it benefits the user,” the Cybernews research team writes.

Financial apps tracking location

Tracking fine location is another dangerous permission that users are often asked to grant in order to use a financial services app. Six out of ten tested apps prompted for permission to see your precise location, even though Android offers a separate permission for approximate location only.

“This level of location data can be highly revealing and potentially invasive to user privacy, as it can provide a detailed picture of a user's movements, daily routines, home and workplace. It is hard to justify why the financial app needs this precision,” the research team argues.

Your contacts are interesting to 27 out of 50 tested financial apps. While enabling easy money transfers, splitting bills, or similar interactions, such permission can also lead to unwanted data scraping or misuse of contact information.

“This permission is considered sensitive, as it may contain personal and private data about individuals, including names, phone numbers, email addresses, and other contact details. Leaking such information could endanger your family, friends, colleagues, and others. If your app for share price or currency tracking prompts for accessing contacts, it’s better to refrain,” Cybernews researchers suggested.

The last permission, asked by more than half of tested apps (52%), is a “read phone state.” It allows an app to read the device’s phone number, network status, operator, status of ongoing calls, and more.

This information can be used to uniquely identify the user and the device, even if the app does not require users to log into any accounts, as is the case with many crypto wallets.

38% would like to listen to you

There are very few cases where recording audio is reasonable for a financial app. This dangerous permission potentially enables unauthorized audio surveillance. Even so, 38% of financial apps request it.

“Recording audio can potentially capture sensitive conversations and infringe on user privacy. If no clear explanations are provided, requesting this access may indicate a potentially malicious or poorly designed application,” researchers warn.

A quarter, or 26%, of apps want to check the accounts associated with the device. This information includes email addresses, usernames, and other identifiers, which can reveal services, communication channels, and other potentially sensitive information.

Some apps would like to call and text instead of you

A substantial proportion, one-fifth of financial apps, also ask for the ability to initiate phone calls from the user's device.

Also, 12% of such apps ask for permission to read SMS, 8% ask for permission to receive SMS, and 6% ask for permission to send SMS.

“Unauthorized access to the calling and SMS function is a powerful capability that could potentially result in loss of privacy, unwanted communication, and cause financial harm. Malicious apps could abuse this by calling or texting premium-rate numbers and engaging in phishing attacks,” researchers warn.

Private communication often includes multimedia messages with pictures, audio, or other sensitive information.

Even writing to contacts is among the entitlements some financial apps would not pass up: 12% required that as well. This permission grants the ability to modify existing entries or add new contacts to the user's contact list.

Only one app out of 50 asked permission to read the phone number associated with the SIM card.
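The permissions discussed above can be checked on a device without trusting the app's own description of itself. As an added illustration (not part of the Cybernews article), the following Python script reads the kind of text that `adb shell dumpsys package <package>` prints and reports which of the permissions the study flags are merely requested by the app versus actually granted to it. The package name, the sample output and the helper names are constructed for this example; the permission identifiers are the real Android ones.

```python
import re

# Permissions the study singles out. The constant names are the real Android
# permission identifiers; the grouping and labels are this example's own.
DANGEROUS_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "storage (read)",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage (write)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_CONTACTS": "contacts (read)",
    "android.permission.WRITE_CONTACTS": "contacts (write)",
    "android.permission.READ_PHONE_STATE": "phone state",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.GET_ACCOUNTS": "device accounts",
    "android.permission.CALL_PHONE": "direct calls",
    "android.permission.READ_SMS": "SMS (read)",
    "android.permission.RECEIVE_SMS": "SMS (receive)",
    "android.permission.SEND_SMS": "SMS (send)",
    "android.permission.READ_PHONE_NUMBERS": "SIM phone number",
}

# Constructed sample in the shape of `adb shell dumpsys package <pkg>` output.
# The package name and the grant states are made up for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.wallet] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.RECORD_AUDIO
      android.permission.READ_PHONE_STATE
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
"""

# A permission line: the identifier, optionally followed by ": granted=true/false".
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def parse_dumpsys(text):
    """Return (requested, granted) sets of permission names found in dumpsys text."""
    requested, granted = set(), set()
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # 'requested', 'install' or 'runtime' header opens a new list.
            section = stripped[: -len("permissions:")].strip()
            continue
        m = PERM_LINE.match(line)
        if not m:
            # Any other line (e.g. 'User 0: ...') ends the current list.
            section = None
            continue
        name, state = m.group(1), m.group(2)
        if section == "requested":
            requested.add(name)
        elif section in ("install", "runtime") and state == "true":
            granted.add(name)
    return requested, granted


def audit(text):
    """Map each flagged permission present to 'granted' or 'requested only'."""
    requested, granted = parse_dumpsys(text)
    report = {}
    for perm, label in DANGEROUS_PERMISSIONS.items():
        if perm in granted:
            report[label] = "granted"
        elif perm in requested:
            report[label] = "requested only"
    return report


def granted_dangerous(text):
    """Sorted labels of flagged permissions the app currently holds."""
    return sorted(label for label, state in audit(text).items() if state == "granted")


if __name__ == "__main__":
    for label, state in sorted(audit(SAMPLE_DUMPSYS).items()):
        print(f"{label:18} {state}")
```

With a phone connected over USB debugging, piping the real `adb shell dumpsys package <package>` output into `audit()` gives the same report for an installed app; a permission that shows as "requested only" has been declared in the app's manifest but is not currently granted, which is the state the researchers recommend for the camera once identity verification is done.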

Delete unnecessary apps, revoke excessive permissions

Android has become more privacy-focused in recent versions, letting users grant or deny individual permissions on a per-app basis. Staying informed about permissions and using these controls can help enhance your mobile security by limiting exposure to vulnerabilities.

“Be cautious when granting permissions and take action if you suspect that an app is misusing them or engaging in suspicious behavior,” researchers suggest.

To revoke the permission:

  • Go to your device's settings.
  • Navigate to "Apps" or "Application Manager."
  • Select the app for which you want to revoke permissions.
  • Tap on "Permissions" or "App Permissions."
  • Review the permissions and toggle off the consent you wish to revoke.

If you no longer trust the app or believe that it’s misusing permissions, consider uninstalling it from your device.

To uninstall an app:

  • Go to your device's settings.
  • Navigate to "Apps" or "Application Manager."
  • Select the app you want to uninstall.
  • Tap "Uninstall" or "Remove."

If you believe your accounts have been compromised, change passwords and enable two-factor authentication where possible.

“The significance of potentially dangerous Android permissions lies in their potential to impact user privacy, data security, and device integrity. These permissions grant apps access to sensitive device functions and user data, and their misuse can lead to various issues,” the Cybernews team writes.

Excessive permissions, especially when combined, could invade privacy, compromise data security, create financial risks, divert device resources to malicious activities, and drain the battery or degrade device performance.

How do you limit exposure to apps?

There is no definitive answer, as even the safest service could be compromised by adversaries.

A good practice is reviewing the permissions an app requires before installing it. Judging which permissions are dangerous is partly subjective, since the risk depends on context and on what the user intends to use the app for, but pay attention to permissions that seem unnecessary for the app's stated functionality.

Other tips:

  • Download apps from trusted sources only, such as the Google Play Store. Be cautious of third-party app stores and sideloading apps from unknown sources.
  • Read app reviews and ratings to gauge the experiences of other users. Look for any concerning comments or reports of permission misuse.
  • Keep your Android device's operating system and apps up to date. Updates often include security patches and improvements to permission management.
  • Remember to regularly backup essential data to a secure location, such as cloud storage or a computer, to ensure you have a copy in case you need to reset your device or recover from data loss.
