I tried to take complete control of all the apps and their permissions on my Android device, but I had to give up. Despite revoking all user-available permissions, apps can still run on startup, stay in the background, have full network access, access sensitive information, and use hardware. So, what can you do?
It’s convenient to auto-agree with everything your apps request for “improved services” and content relevance. However, doing this comes at the cost of increased attack vectors and privacy risks, as each compromised app could expose your sensitive photo collections or communications.
Some find themselves repelled by the notion of constant surveillance 24/7. It’s not about having something to hide but about having your opinions and decisions unaffected by suggested, tailored, and filtered content driven by self-reinforcing personalization algorithms.
However, on Android, there’s a limit to how much you can pare down your applications. While Android apps ask users for dangerous permissions, such as access to the camera or precise location, they also acquire numerous permissions without explicit consent. And users cannot revoke them without deleting or disabling the app.
For example, a simple game or app, without any additional user input after installation, may have permission to run at startup, run background services, have full network access, view network and Wi-Fi connections, check your advertising ID, and access hardware such as biometrics, NFC, or Bluetooth.
No way to be sure
“If a user downloads an Android app but denies all requested permissions, malicious actors may still be able to track and gather certain information from the user's device,” says Paul Shunk, Staff Security Intelligence Researcher at Lookout.
Some potential actions and data that malicious actors could still access include the following:
- Device metadata: Malicious actors may be able to gather basic device information such as the device model and operating system version.
- Network information: They could collect data about the networks the device has connected to, including type (Wi-Fi/cellular) and current connectivity.
- Device location: Malicious actors may be able to track the device's approximate location using alternative methods like IP address.
- Device activity: They could monitor the device's activity, such as screen on/off events or device usage patterns.
“It's important to note that while denying permissions can limit the amount of data accessible to malicious actors, they may still find ways to gather certain information. Therefore, it is crucial only to download apps from trusted sources and also carefully review the permissions requested by each app before granting them. Additionally, using a mobile security solution can help detect and protect against potential threats,” Shunk said.
And if a malicious app manages to sneak into the Google Play store, which has happened many times before, users may not even be able to check which permissions the app will acquire before downloading it.
“Developers alone are responsible for making complete and accurate data safety section disclosures for their apps,” a Google spokesperson commented.
You can check all the permissions the app uses by opening Settings, tapping Apps, choosing the app, selecting Permissions, tapping the three dots in the top right corner, and then selecting All permissions.
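The same check can be done from a computer. The following is an added example, not part of the original article: it splits the output of `adb shell dumpsys package <package>` into permissions granted at install time without a prompt and runtime permissions the user controls. The package name `com.example.game` and the embedded sample output are constructed, and the parser assumes the `install permissions:` / `runtime permissions:` layout shown in that sample.

```python
import re
import subprocess

# Constructed sample modelled on `adb shell dumpsys package <package>` output
# for a hypothetical app, com.example.game; not captured from a real device.
SAMPLE_DUMPSYS = """\
  Package [com.example.game] (1a2b3c4):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

SECTION = re.compile(r"^\s*(install|runtime) permissions:\s*$")
ENTRY = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def split_permissions(dumpsys_text):
    """Return {'install': {...}, 'runtime': {...}} mapping permission -> granted."""
    result = {"install": {}, "runtime": {}}
    section = None
    for line in dumpsys_text.splitlines():
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        entry = ENTRY.match(line)
        if section and entry:
            result[section][entry.group(1)] = entry.group(2) == "true"
        elif section:
            section = None  # any other line ends the current section
    return result


def dump_package(package):
    """Fetch live output; assumes adb is on PATH and one device is attached."""
    return subprocess.run(["adb", "shell", "dumpsys", "package", package],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    perms = split_permissions(SAMPLE_DUMPSYS)
    print("Held without a prompt:", sorted(p for p, g in perms["install"].items() if g))
    print("User-controlled:", perms["runtime"])
```

In the sample, the camera permission is denied, yet the app still holds network access and the right to start at boot, which is the gap the article describes.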
Users can deny the most sensitive and dangerous permissions
Android users are accustomed to receiving notifications from apps that request permission to access certain features on their devices. They have the option to allow or deny these requests.
“Protecting our users is a top priority, and we have introduced many changes over the last several releases that enhance user privacy on Android. Users can allow some apps to use various features on your device, such as their camera or contacts list,” Google spokesperson Alzbeta Houzarova said.
Below is a list of permissions that can be allowed or denied, and what they do when turned on for an app:
- Calendar: Access your calendar.
- Call logs: Read and write your phone call log.
- Camera: Take pictures and record videos.
- Contacts: Access your contacts.
- Files: Access all files on your device.
- Location: Access your device’s location.
- Microphone: Record audio.
- Music and audio: Access music and other audio files on your device.
- Nearby devices: Find, connect to, and determine the relative position of nearby devices.
- Notifications: Send notifications.
- Phone: Make and manage phone calls.
- Photos and videos: Access photos and videos on your device.
- Physical activity: Access your physical activity, like walking, biking, driving, step count, and more.
Those permissions, usually classified as dangerous, can be changed for a single app or by permission type in the device’s settings. However, Android developers can access hundreds more permissions classified as normal, dangerous, or other.
“We also provide the ‘Permissions Checkup’ feature to Google Play Protect that will notify users if an app’s permissions seem overly broad for its use. Android users can then make the choice to continue using the app or stop sharing their data with it,” Houzarova said.
Android applications run in what Google calls an “Application Sandbox.” Just like the walls of a sandbox keep the sand from getting out, each application is housed within a virtual “sandbox” to keep it from accessing anything outside itself (unless given permission).
Google Play is not responsible for accurate information: developers are
Google Play doesn’t guarantee that the information provided about apps in its store is accurate. Developers provide data safety forms following Google Play's User Data policy and are themselves responsible for accurate information.
“Only developers possess all the information required to reflect their data practices accurately in their apps’ Data safety section. Developers alone are responsible for making complete and accurate Data safety section disclosures for their apps,” the spokesperson said.
Google works closely with the developer community, and if it finds that a developer violates the policies, it requires the developer to correct the issue. Apps that aren’t compliant are subject to enforcement actions.
“Apps that are deceptive, malicious, or intended to abuse or misuse any network, device, or personal data are strictly prohibited,” an email by Houzarova reads. “If you want to understand more about an individual app’s capabilities and permission settings, please do reach out to the developer owning the app.”
Sometimes developers themselves do not know what they ask for
Permissions are intended to safeguard users by granting apps only the necessary access. Alan Bavosa, VP of security products at cyber defense automation platform Appdome, notes that current app development practices often lead to the opposite outcome.
“Firstly, while many mobile app developers act responsibly when requesting permissions, there are many that do not, sometimes unknowingly. There are well-documented instances of apps that have been criticized for requesting excessive or unnecessary permissions that seem unrelated to the app's core functionality. And most apps use third-party SDKs or libraries, which often request additional permissions,” Bavosa explains.
For users, the consequences of approval aren't always clear. Studies reveal that most users tend to grant permissions to avoid app disruptions.
“Permissions in Android and iOS apps can and are often exploited or misused, which is why it's important for users to be vigilant and cautious about granting them, also why it’s important for mobile developers to be judicious and transparent in the permissions they ask users to accept,” Bavosa said.
To some degree, it’s possible to limit app background activity
Deleting the app is one way to ensure that the app doesn’t access anything.
However, in some cases, users can’t even delete the unwanted third-party apps that come as bloatware with the device, many having pre-set permissions. Some cannot be deleted (for example, Upday on my Samsung device), only disabled. And users can’t revoke permissions or disable many first-party apps.
If the app must stay on your device, there’s one more option you can take to limit its background activities while not in use.
On Samsung devices, go to Settings, select Battery and Device Care, and then select Background usage limits. Here, you can choose Sleeping apps if you want to limit the app to running in the background “only occasionally” or Deep sleeping apps, which will make it never run in the background. Then, tap the Plus symbol in the top right corner and add the apps that you want to limit.
This option may improve your device’s battery, performance, and security, but you may not receive updates and notifications unless you open the app.