Do you have a photo of your ID on your phone? If so, do you know who else can access it? A single overly broad permission can lead to data exposure, yet most apps don’t stop at just a few dangerous permissions. Here’s what we found about 50 popular Android apps.
A user’s location, files, or camera just aren’t enough for many top Android apps, which require 11 dangerous permissions on average, the Cybernews research team has discovered.
And while developers may be working hard to protect users from threats, a single compromise can expose the personal data of millions.
Methodology
The Cybernews research team selected 50 of the most popular apps on the Google Play Store and analyzed their Manifest files to determine what dangerous permissions the apps are requesting.
Every Android app has a Manifest, which is a rule book telling the device what the app can access. In total, there may be 41 “dangerous” permissions that could affect user privacy or core phone functions.
Dangerous permissions give the app additional access to restricted data or actions that substantially affect the system and sensitive user data. Not all of these are commonly used, and some overlap. For example, if an app is tracking “fine location,” it might not need “coarse location” permission. Some niche features, e.g., adding voicemail, are not requested by top apps.
Best practices require developers to request a minimum amount – only the permissions that the app needs to complete a particular action.
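As an added example of the manifest check the methodology describes (this is not the Cybernews team's own tooling), the script below parses a plain-text AndroidManifest.xml, de-duplicates the declared permissions, counts those on the "dangerous" list, and flags two things the article raises: overlapping requests (coarse location alongside fine location) and permissions that are only requested on older Android versions via android:maxSdkVersion. The dangerous-permission list is assembled from the Android permission documentation as I know it and is an assumption to verify against the platform version you target; the sample manifest is constructed and does not belong to any real app.

```python
"""Count the 'dangerous' permissions an Android app declares in its manifest.

Added example: parses a plain-text AndroidManifest.xml. A real APK carries a
binary manifest, so decode it first (e.g. `aapt dump permissions app.apk` or apktool).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
MAX_SDK_ATTR = f"{{{ANDROID_NS}}}maxSdkVersion"

# Permissions with protectionLevel "dangerous" as listed in the Android permission
# documentation (assumption: verify against the platform version you target).
DANGEROUS_PERMISSIONS = frozenset(
    "android.permission." + name
    for name in (
        "ACCEPT_HANDOVER", "ACCESS_BACKGROUND_LOCATION", "ACCESS_COARSE_LOCATION",
        "ACCESS_FINE_LOCATION", "ACCESS_MEDIA_LOCATION", "ACTIVITY_RECOGNITION",
        "ADD_VOICEMAIL", "ANSWER_PHONE_CALLS", "BLUETOOTH_ADVERTISE",
        "BLUETOOTH_CONNECT", "BLUETOOTH_SCAN", "BODY_SENSORS", "BODY_SENSORS_BACKGROUND",
        "CALL_PHONE", "CAMERA", "GET_ACCOUNTS", "NEARBY_WIFI_DEVICES",
        "POST_NOTIFICATIONS", "PROCESS_OUTGOING_CALLS", "READ_CALENDAR", "READ_CALL_LOG",
        "READ_CONTACTS", "READ_EXTERNAL_STORAGE", "READ_MEDIA_AUDIO", "READ_MEDIA_IMAGES",
        "READ_MEDIA_VIDEO", "READ_MEDIA_VISUAL_USER_SELECTED", "READ_PHONE_NUMBERS",
        "READ_PHONE_STATE", "READ_SMS", "RECEIVE_MMS", "RECEIVE_SMS", "RECEIVE_WAP_PUSH",
        "RECORD_AUDIO", "SEND_SMS", "USE_SIP", "UWB_RANGING", "WRITE_CALENDAR",
        "WRITE_CALL_LOG", "WRITE_CONTACTS", "WRITE_EXTERNAL_STORAGE",
    )
)

# Overlap the article mentions: an app that already requests fine location
# gains nothing from also requesting coarse location.
IMPLIED_BY = {
    "android.permission.ACCESS_COARSE_LOCATION": "android.permission.ACCESS_FINE_LOCATION",
}


def declared_permissions(manifest_xml: str) -> dict[str, int | None]:
    """Return {permission name: maxSdkVersion or None}, de-duplicated.

    Both <uses-permission> and <uses-permission-sdk-23> elements count as requests.
    """
    root = ET.fromstring(manifest_xml)
    declared: dict[str, int | None] = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if not name:
                continue
            max_sdk = el.get(MAX_SDK_ATTR)
            # setdefault keeps the first declaration if a name is repeated
            declared.setdefault(name, int(max_sdk) if max_sdk else None)
    return declared


def summarize(manifest_xml: str) -> dict:
    """Summarize declared vs. dangerous permissions for one manifest."""
    declared = declared_permissions(manifest_xml)
    dangerous = [p for p in declared if p in DANGEROUS_PERMISSIONS]
    return {
        "declared_count": len(declared),
        "dangerous_count": len(dangerous),
        "dangerous": dangerous,
        # Dangerous permissions only requested up to a given Android API level.
        "legacy_only": {p: declared[p] for p in dangerous if declared[p] is not None},
        # Requested permissions that add nothing given another one already requested.
        "redundant": [(p, IMPLIED_BY[p]) for p in dangerous if IMPLIED_BY.get(p) in declared],
    }


# Constructed sample manifest for demonstration (not taken from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="28"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_MANIFEST), indent=2))
```

Running the script on the sample reports 10 distinct declared permissions, of which 8 are dangerous (INTERNET and the push-messaging permission are not), notes that WRITE_EXTERNAL_STORAGE is only requested up to API level 28, and flags the coarse-location request as redundant next to fine location. Running it over a folder of decoded manifests and averaging dangerous_count per category reproduces the kind of per-category figures the article reports.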
Which apps ask for the most dangerous permissions?
The MyJio: For Everything Jio app is developed by a popular telecom and digital services provider in India. It offers various services, such as payments, cloud storage, TV streaming, and others.
The app requests permissions that check almost all the boxes: location, activity recognition, radios, camera, microphone, calendar and file access, and others. In total, the app asks for 29 permissions, claiming the number one spot in the list.
WhatsApp, a popular messaging and video calling app from Meta, takes second place, requiring 26 permissions.
Many Android phones include the Truecaller: Caller ID & Block – a caller ID checking and spam call blocking app. It asks for a total of 24 dangerous permissions.
Google Messages and WhatsApp Business are next, requesting 23 dangerous permissions each, followed by social networks Facebook (22) and Instagram (19).
On the other hand, one app – Among Us, a multiplayer game – required zero dangerous permissions. Candy Crush Saga, 8 Ball Pool, and some other popular gaming apps asked for only 1 or 2 dangerous permissions, mostly for pushing notifications. However, a lower number of permissions doesn’t necessarily mean the app is safer.
The most requested permissions
Almost all analyzed apps (47) ask users for permission to post notifications. While this permission might seem innocuous at first glance, it can be exploited in several ways.
“The simplest exploit of notifications, often abused by malicious apps, is to bombard users with unwanted ads, phishing links, or even misinformation. However, due to the implementation of this system, notifications were previously exploited by commercial spyware vendors for tracking users,” said security researcher Mantas Kasiliauskis.
In 2023, US Senator Ron Wyden warned in a letter that notifications facilitate government surveillance as they don’t travel directly from the app to your smartphone and may include sensitive data. Notifications pass through an intermediary – a kind of “digital post office.” For Android phones, this is Google's Firebase Cloud Messaging.
The second most requested dangerous permission is access to storage outside the app’s directory. In total, 40 apps ask for permission to write to external storage, and 34 to read files from it. This means they could access an ID picture that you stored on your device.
“These permissions are essential when you need to upload media to your profile, share stories on social media, store photos or videos. Without them, Instagram can’t access your photos, your messaging app can’t save documents, or your photo editing app can’t store your creations. However, these permissions are also considered high-risk. The app should clearly explain why it needs this access to user data,” Kasiliauskis said.
Malicious actors could exploit access to storage to exfiltrate or compromise files, such as photos, videos, documents, and other private information.
Access to the camera and recording audio are the next most requested permissions, with 33 apps asking for them. Camera access is integral to some apps’ functionality, allowing them to capture and share photos. Recording audio is required to provide voice messaging and other features. Those could also be abused by malicious actors, spies, and even advertising companies trying to better target their ads.
The “Get accounts” permission, requested by 27 apps, allows streamlined sign-in with Google and account syncing. However, malicious actors in the past abused social login features to hijack accounts.
More than half (26) of the apps would also like to track precise (fine) location, meaning they can pinpoint user location within a few meters (10 feet). The same number of apps want to read contacts.
“Tracking your whereabouts is highly sensitive and invasive. While it is essential for location-based services, such as Google Maps, many other apps and games ask for a fine location simply because this data is valuable to advertisers to deliver personalized ads,” Kasiliauskis said.
“The same can be said for reading contacts, as those often include sensitive personal information, including phone numbers, email addresses, and names.”
Out of 50 apps he analyzed, 22 want “Bluetooth connect” access, meaning the app can pair with devices and potentially exchange data with them. This is needed for interaction with headphones, fitness trackers, or smart home devices.
Twenty-two apps also ask to read your phone state.
“This is a particularly sensitive permission, granting access to critical information about the phone's state and its interactions with the networks, such as phone number, current cellular network information, ongoing calls, and unique ID of the device,” Kasiliauskis said.
Not a single analyzed app requests permission to access body sensors or add voicemail.
Communication and social apps are most hungry for data
Of the 50 apps analyzed, nine belong to the communication category, and five are social networks. These categories were the most data-hungry. Communication apps requested nearly 19 permissions on average, while social apps averaged 17.2 dangerous permissions.
All communication apps access cameras and files – most record audio, track location data, read contacts and phone state, and get accounts.
“Permissions can be justified when they relate to core functionalities like messaging, voice, and video calls. The lines start to blur when an app asks to manage calls, access phone state, and precise location without clear benefits. For example, if you’re using a default phone calling app, you might reconsider granting similar permissions to WhatsApp or Messenger,” the researcher said.
Even for reputable apps, Kasiliauskis suggests avoiding granting permissions for reading call logs and contacts if not necessary.
“Communication and social apps are the most feature-rich, but they also request most of the dangerous permissions. Remember, you can always grant permissions later if you need a specific feature. Most users tend to automatically grant all the permissions, but it’s safer to start with auto-reject and adjust on the go,” Kasiliauskis said.
A Truecaller spokesperson told Cybernews that the company is always transparent about which permissions are needed and why, both during initial onboarding and on its support pages, and that this is also always clearly communicated by its support team.
“Truecaller never asks for any unnecessary permissions. Each permission corresponds to one or two specific features within the app. In addition, most Truecaller permissions are optional. Denying optional permissions simply means that the specific feature related to that permission will not work - however, the app's core features of Caller ID and spam blocking will continue to function,” the spokesperson said. “We strongly believe in this transparency, and we strongly believe in consumer choice.”
Games ask for fewer permissions, but are they all truly necessary?
The analyzed list includes 19 gaming apps, which averaged only four dangerous permissions per app. However, the discrepancies among them are considerable, with some requiring a dozen permissions and some – zero.
Most of the games (16) want to post notifications. Ten games will ask permission to write data to external storage, and nine want to read the data.
Eight games ask for permission to record audio, and seven will try to access the camera. Some games even ask to write to the calendar (3), read phone state (3), and access fine location data.
Among the analyzed games, Mobile Legends: Bang Bang (12 permissions), PUBG Mobile (11), and My Talking Angela (7) were the most data-hungry.
“It’s questionable why a game would need access to one’s calendar, but I’m sure the developers would have an explanation. One could also argue that a game has location-based features, uses the camera for avatars, and records audio for communication. However, it’s often better to sacrifice a bit of user experience in favor of privacy and safety.”
How many permissions does a shopping app require?
Shopping apps request an average of 13.4 dangerous permissions. While Lazada and AliExpress require 16-17 permissions, Wish only needs seven. All of them ask to access the camera and fine location, post notifications, and read and write to storage. However, only some also ask for Bluetooth access, to record audio, and to read phone state, calendars, and contacts.
“One has to ask how many permissions a basic shopping app would require, and different apps seem to have different requirements,” Kasiliauskis noted. “Excessive permissions, such as access to phone state, audio or contacts, are not essential for shopping, but pose significant privacy risks if misused.”
Some of the remaining apps were among the least data-hungry. The Netflix app only requests to post notifications, access storage, record audio, and connect to Bluetooth. Zedge, an app for wallpapers and ringtones, wants only four dangerous permissions. However, fine location is one of them.
Even with zero dangerous permissions, an app can still be dangerous
Cybernews researchers assure us that there’s no safe amount of permissions an app can have. And the app gains many more permissions that are considered non-dangerous just by being installed on the device.
Such apps can still run on startup, stay in the background, have full network access, access sensitive information, and more.
Therefore, it’s crucial to regularly delete unnecessary apps, revoke excessive privacy-invading permissions in the device’s settings, and consider accessing the same services from the web browser.
“Too many apps with too many dangerous permissions increase the potential surface for potential privacy risks, data exposure, and even financial threats,” Kasiliauskis said.
“Having numerous apps drains the battery faster and can negatively impact your device’s performance, even if no immediate issues arise.”
To keep your phone healthy, he also recommends sticking only to apps from trusted sources, such as official app stores, being wary of third-party app stores and sideloaded apps, keeping the software up to date, and backing up essential data.
Updated on September 24th with a statement from Truecaller.