Are we giving our apps too much permission?

Many people have photos of their passports, driver's licenses, and children's birth certificates on their phones. But not everyone realizes how easy it is to access them. A single permission granted to an app can lead to data disclosure. We studied the 50 most popular Android apps and found that most of them request an unreasonably large number of permissions. Let's figure it out.

The Cybernews research team found that popular Android apps request an average of 11 potentially dangerous permissions each, and these go well beyond the user's location or access to their files or camera.

And while developers work hard to protect users from threats, just one data leak could expose the personal information of millions of people.

Methodology

The Cybernews research team selected the 50 most popular apps in the Google Play store and analyzed their Manifests to determine what dangerous permissions these apps were requesting.

Every Android app has a Manifest file, which is a set of rules that tells the device what the app can access. Android defines 41 “dangerous” permissions that could affect the user’s privacy or the phone’s core functionality.

Dangerous permissions give an app additional access to certain data or actions that significantly impact the system and the user’s privacy. Not all of them are widely used, and some overlap. For example, if an app tracks “precise location,” it may not need the “approximate location” permission. Some niche features, like adding voicemail, are not requested by top apps.

Generally accepted development practices require developers to request a minimum number of permissions – that is, only those which the application needs to perform a certain action.
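The manifest check described in the methodology, as an added example that is not part of the original article or the Cybernews tooling: it pulls every `<uses-permission>` (and `<uses-permission-sdk-23>`) entry out of an AndroidManifest.xml, counts those in a subset of Android's dangerous protection level group, and flags the “precise vs approximate location” overlap mentioned above. The sample manifest is constructed for the example and belongs to no real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of the permissions Android assigns the "dangerous" protection level
# (the article counts 41 in all); extend the set to audit more of them.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.POST_NOTIFICATIONS",
}

# Permission -> stronger permission that makes it redundant (the location overlap).
REDUNDANT_IF_PRESENT = {
    "android.permission.ACCESS_COARSE_LOCATION": "android.permission.ACCESS_FINE_LOCATION",
}

def requested_permissions(manifest_xml: str) -> set:
    """Collect android:name from <uses-permission> and <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        names.update(el.get(ANDROID_NS + "name", "") for el in root.iter(tag))
    names.discard("")
    return names

def audit_manifest(manifest_xml: str) -> dict:
    """Count the dangerous permissions a manifest declares and flag overlaps."""
    requested = requested_permissions(manifest_xml)
    dangerous = requested & DANGEROUS
    redundant = {p for p, stronger in REDUNDANT_IF_PRESENT.items()
                 if p in requested and stronger in requested}
    return {"dangerous": sorted(dangerous), "dangerous_count": len(dangerous),
            "redundant": sorted(redundant)}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
```

Running `audit_manifest(SAMPLE_MANIFEST)` reports four dangerous permissions (INTERNET is a normal-level permission and is ignored) and lists ACCESS_COARSE_LOCATION as redundant next to ACCESS_FINE_LOCATION.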

Which apps ask for the most dangerous permissions?

MyJio: For Everything Jio is an app developed by a popular telecom and digital service provider in India. It offers various services like payments, cloud storage, streaming, etc.

The app requests almost all possible permissions: location, activity recognition, radio, camera, microphone, calendar, file access, etc. In total, the app requests 29 permissions, which puts it at the top of our list.

WhatsApp, a popular messaging and video calling app, comes in second and requires 26 permissions.

Many Android phones have Truecaller: Caller ID & Block — an app for checking caller ID and blocking spam calls. It asks for a total of 24 dangerous permissions.

Next come Google Messages and WhatsApp Business, which requested 23 dangerous permissions each, followed by the social networks LitseKniga (22) and NezavisiGram (19).

At the other end of the spectrum is Among Us, a multiplayer game that didn’t require any dangerous permissions. Candy Crush Saga, 8 Ball Pool, and some other popular games also often only required 1 or 2 dangerous permissions, mostly needed to send push notifications. However, fewer required permissions don’t necessarily mean an app is safer.

Most frequently requested permissions

Almost all of the apps analyzed (47) ask users for permission to send notifications. Although this permission may seem harmless at first glance, it can be exploited in several ways.

“The simplest way to use notifications, which is often abused by malicious apps, is to bombard users with unwanted ads, phishing links or even misinformation. Notifications have previously been used by commercial spyware vendors to track users,” says security researcher Mantas Kasiliauskis.

In 2023, US Senator Ron Wyden warned in a letter that notifications aid government surveillance because they don’t go directly from the app to your smartphone and may contain sensitive data. Notifications go through an intermediary — a kind of “digital post office.” For Android phones, that’s Google’s Firebase Cloud Messaging.

The second most frequently requested permission is access to storage outside the app directory. A total of 40 apps request permission to write and 34 to read files from external storage. This means they can access a photo of your documents stored on your device.

These permissions are required when you upload media content to your profile, share photos and videos on social networks, or save pictures and videos. Without them, a social network app cannot access your photos, a messenger cannot save documents, and a photo editing app cannot save the changes you make. However, these are also considered high-risk permissions, and an app must clearly explain why it needs each kind of access to user data.

Attackers can exploit access to the storage to extract or compromise files such as photos, videos, documents, and other sensitive information.

Camera access and audio recording are the next most frequently requested permissions, with 33 apps requiring them. Camera access is an essential part of some apps' functionality, allowing them to take photos and then share them. Audio recording is necessary for recording voice messages and other features. But they can also be abused by hackers, spies, and even advertising companies trying to better target your ads.

The Manage Accounts permission, requested by 27 apps, makes it easier to sign in with Google and sync accounts. However, attackers have abused social media sign-in features in the past to take over accounts.

More than half (26) of the apps would also like to track the exact location (within a few meters). The same number of apps want to have access to the contact list.

Tracking your location is very sensitive information. While it is necessary for location-based services like Google Maps, many other apps and games request your precise location simply because the data is valuable to advertisers and allows them to deliver personalized ads.

The same can be said about reading contacts, as they often contain sensitive personal information, including phone numbers, email addresses, and names.

Of the 50 apps analyzed, 22 want to have “Bluetooth access,” meaning the app can connect to other devices and potentially exchange data with them. This is necessary for interaction with headphones, fitness trackers, or smart home devices.

Twenty-two apps request access to your phone's state. This is a particularly sensitive permission, and it grants access to critical information about your phone's state and its interactions with networks, such as your phone number, current cellular network information, ongoing calls, and a unique device identifier.

None of the analyzed apps ask for permission to access body sensors or add voicemail.

Messengers and social networks require the most permissions

Of the 50 apps analyzed, nine were in the “communications” category and five were in the social media category. These categories were the most data-hungry. Communications apps requested an average of 19 permissions, while social media apps requested an average of 17 dangerous permissions.

All communication apps access cameras and files – most of them record audio, track location data, read contacts and phone status, and access account management.

Permissions can be justified when they relate to basic functions like messaging, voice messages, and video calls. The lines start to blur when an app requests access to call controls, phone status, and precise location for no apparent reason. For example, if you use the default phone app, you might want to reconsider granting similar permissions to WhatsApp or Messenger.

Kasiliauskis recommends avoiding granting permissions to read call logs and contact lists, even to trusted apps, unless necessary.

Communication and social networking apps have the most features, but they also ask for a lot of dangerous permissions. Remember, you can always grant permissions later if you need a certain feature. Most users tend to automatically grant all permissions, but it’s safer to start with automatic rejection and adjust accordingly.

Games ask for fewer permissions, but are they all necessary?

The list analyzed includes 19 gaming apps that have an average of just four dangerous permissions. However, the discrepancies between them are significant: some require a dozen permissions, and some require zero.

Most games (16) want to send notifications. Ten games ask for permission to write data to external storage, and nine want to have access to read data.

Eight games ask for permission to record audio, and seven try to access the camera. Some games even ask for permission to make calendar entries (3), view phone status (3), and access precise location data.

Among the analyzed games, the ones that want to receive the most data are: Mobile Legends: Bang Bang (12 permissions), PubG Mobile (11), and My Talking Angela (7).

It's unclear why a game would want access to someone's calendar. Surely the developers have an explanation for this, but it seems odd. It could also be argued that a game has location-based features, uses the camera to create avatars, and records audio for in-game chat. However, it's better to sacrifice some of the user experience for the sake of privacy and security.

How many permissions do shopping apps require?

Shopping apps request an average of 13.4 dangerous permissions. Lazada and AliExpress require 16-17 permissions, while Wish requires only seven. All apps request access to the camera and precise location, to send notifications, and to read and write storage. However, only a few of them request access to Bluetooth, audio recording, reading phone status, calendars, and contacts.

So how many permissions does the average store app need? Extra permissions like phone state, audio, or contacts aren't necessary for shopping, but they pose significant privacy risks if used incorrectly.

Among the other apps, some required the fewest permissions. The Netflix app only asks for notifications, storage access, audio recording, and Bluetooth connectivity. Zedge, a wallpaper and ringtone app, only wants four dangerous permissions. However, among them is precise location.

Even without dangerous permissions, an app can still be dangerous

Cybernews researchers claim that there is no safe number of permissions for an app, and that an app gets many more permissions that are considered harmless simply by being installed on a device.

Such applications may still launch when the phone is turned on, run in the background, have full access to the network, access sensitive information, and much more.

Therefore, it is extremely important to regularly remove unnecessary applications, revoke unnecessary privacy-infringing permissions in the device settings, and consider accessing the same services from the browser.

Too many apps with too many dangerous permissions increase the perimeter for potential privacy risks, data disclosure, and even financial threats.

Having a lot of apps running will drain your battery faster and can negatively impact your device's performance, even if it doesn't cause any immediate problems.

To keep your phone running smoothly, it's best to only use apps from trusted sources, update your software, and back up important data.

You can check what dangerous permissions a specific app requires using this tool.

Thank you for your attention!
