The mobile app is often called (at least by me) the Swiss Army Knife of the 21st century. From finding out what song is playing on the radio to turning your phone into a metal detector, the array of functionality of mobile apps is nearly limitless. Apps use different components and data in your phone to fulfill their functions, and you need to allow each app to access these parts of your phone. We call these app permissions, and in theory, they are a great way to ensure our phones and tablets stay safe…
…except most of us are a little hazy on what we are actually signing up for. App permissions aren’t always described in much detail, and we may be blissfully unaware of the fact that we give an unknown party open access to incredibly sensitive data. We want you to keep enjoying the weird and wonderful rainbow of benefits mobile apps provide, but also give you a heads up of what a few of these permissions can do, and give some general tips to avoid opening up your phone to malicious parties. These points are about app permissions on Android, as Apple does things a little differently (which you can read more about here). They’re also written with the newer Android operating systems in mind, and may slightly vary for older ones.
According to Google, an app that can access your contacts has the ability to “use your device’s contacts, which may include the ability to read and modify your contacts”. Apps that have a social function generally need this permission to be able to use your contact information to do what they’re supposed to do. However, if an app has no need to use the information of the contacts on your phone, you should think twice about giving an app unrestricted access to those names and numbers. For instance, a malicious app could use an email address from your contacts to send you a file with a malicious link from an email address that looks just like one on your contact list.
An app that has this permission enabled can “Read, add and modify calendar events as well as send email to guests without owners’ knowledge”. If you think that’s a lot of trust to put in an app you know nothing about, you’re a very sensible person and deserve a good pat on the back. Similar to contacts, the calendar permission can be used to find out who your friends are, get their contact details and spam them. Worse still, you’re likely to have work contacts in your calendar that you wouldn’t even have in your address book. Keeping other apps out of your calendar will prevent the email addresses of your work acquaintances from accidentally finding their way into someone else’s hands, so for the sake of your privacy and work reputation, do be careful!
Phone / SMS
If social suicide or getting malware emails haven’t piqued your interest yet (and they really should have), draining your bank account might. The short summary of these two app permissions is that they can see who you’ve called or texted, and also call or text on your behalf. I probably don’t need to underline just how dangerous this can be, so let’s instead look at when an app DOES have a legitimate reason to call or text on your behalf. Apps that replace dialers will for instance need this permission, but ringtone apps don’t. Apps that let you modify texts and attach things to them (anything that shares media) can have legitimate reasons for the SMS permission. Bottom line is, carefully consider ANY app that requires one of these two permissions.
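As an added example that is not part of the original post: a small Python audit that reads the `runtime permissions:` section of `adb shell dumpsys package <package>` output and reports which of the permission groups discussed above an app has actually been granted. The sample output is constructed, and the grouping of permission names into Contacts / Calendar / Phone / SMS is my own.

```python
"""Flag the sensitive Android runtime permissions (contacts, calendar,
phone, SMS) that an installed app has been granted, by parsing the
`runtime permissions:` section of `adb shell dumpsys package <pkg>`.
Added example; the sample dump below is constructed, not captured."""
import re

# Permission groups as discussed in the post, mapped to the real
# android.permission.* names that back them.
SENSITIVE = {
    "Contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
    "Calendar": {"android.permission.READ_CALENDAR",
                 "android.permission.WRITE_CALENDAR"},
    "Phone":    {"android.permission.CALL_PHONE",
                 "android.permission.READ_CALL_LOG"},
    "SMS":      {"android.permission.SEND_SMS",
                 "android.permission.READ_SMS",
                 "android.permission.RECEIVE_SMS"},
}

# One line per permission, e.g. "android.permission.READ_SMS: granted=true, flags=[ ... ]".
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+):\s*granted=(true|false)", re.M)


def granted_permissions(dumpsys_text: str) -> set:
    """Return the set of runtime permissions the dump shows as granted."""
    return {name for name, state in PERM_RE.findall(dumpsys_text) if state == "true"}


def audit(dumpsys_text: str) -> dict:
    """Map each sensitive group to the granted permissions from that group."""
    granted = granted_permissions(dumpsys_text)
    hits = {}
    for group, perms in SENSITIVE.items():
        found = sorted(perms & granted)
        if found:
            hits[group] = found
    return hits


# Constructed excerpt in the shape of `dumpsys package` output for a
# hypothetical ringtone app that has no business holding these permissions.
SAMPLE = """\
  runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALENDAR: granted=false, flags=[ USER_SET ]
      android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for group, perms in audit(SAMPLE).items():
        print(f"{group}: {', '.join(perms)}")
```

On a real device, pipe `adb shell dumpsys package <package>` into `audit()` for each package you want to check; anything reported under Phone or SMS for an app that is not a dialer or messaging client deserves a second look.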
A few tips to remember
A little care and common sense go a long way, and I’m not just talking about avoiding household accidents. Just stick to these few guidelines, and the chances of you handing over vital and sensitive data will be drastically reduced.
In theory, app permissions are a great way to protect your device by limiting which parts of it each app can access. In practice, their descriptions can be ambiguous, and they are not truly opt-in: an app may refuse to function at all until you grant what it asks for. Together, these two facts make permissions easier to exploit.
Tuomas does user interface design and assorted writing tasks for privacy app Freedome VPN, which incidentally requires no app permissions whatsoever.
January 19, 2018