AHMEDABAD, Gujarat—Your phone is the most personal piece of tech you own. It holds your private chats, knows where you are and have been, tracks your every Internet move, and is equipped with multiple microphones as well as cameras. So when an app asks for a permission that grants it an all-access pass to one of your phone’s sensitive data modules, it’s wise to tread cautiously.
But on Android, which still has a lax set of design guidelines and ambiguously scoped permissions, it is hard for users to judge whether an app's data request is reasonable.
Take Paytm, for instance. Say you are installing its app for the first time to pay an electricity bill or recharge a phone number. As soon as you launch the app, you’re presented with three consecutive permission prompts asking whether it should be allowed to make and manage phone calls, read your contacts, and send as well as view SMS messages. Then you select your preferred language, and again, a pop-up interrupts you with a local media access permission, before you can start using the app.
Paytm didn't tell you why it wanted those permissions. It most likely wants SMS access to auto-verify a one-time password, but the permission you grant is a key to every text you have and every text you will receive, while the OTP is used once, when you first log in. It's the same story for most apps on Android.
Paytm has no reported history of data misuse. But the consequences of not minding app permissions can be serious. Just over a month ago, an app that streamed devotional songs was found to be covertly harvesting sensitive user data to build credit ratings.
A few weeks before that, Truecaller accidentally signed up over 100,000 users for its digital payments service by automatically sending a text message. By granting it SMS access, users had enabled the Truecaller app to send messages on their behalf.
Another major permissions mishap came to light last year, when a report revealed that Facebook had been collecting Android users' call history and SMS data. It was an optional feature, pitched as a way of "improving the friend recommendation algorithms".
Facebook presented the prompt as a harmless feature and failed to state explicitly that it would store all that information permanently on its servers.
Several popular Android apps demand an exorbitant number of permissions at launch. Reliance Jio's MyJio is one of them: it asks for six permissions, including access to call logs.
Since none of these permissions is needed for the app's core function, such designs also run against what Google hoped to achieve by bringing runtime permissions to Android four years ago. Before Android 6.0, users had to accept every permission in one list before the app was even installed. Google replaced that with runtime requests, so that a developer could ask for a permission at the moment a feature needs it. Four years on, apps are still running wild.
Google is partly at fault here as well. Android still has fundamental shortcomings that make it easy for developers to over-reach. For instance, a developer who wants an app to verify a one-time passcode automatically as soon as the message arrives has, in the platform itself, no option but to request the SMS permission, and that permission covers every message in the inbox. The narrower route Google does offer, the SMS Retriever API in Play Services, delivers to the app only messages that end with a short hash tied to the app's package name and signing key; but it works only if the developer adopts it and the sender formats the message for it.
In contrast, iOS has no third-party SMS permission at all. For OTP auto-verification, the system itself watches incoming messages for a code and offers it as a suggestion above the keyboard, so the app only ever sees the code the user taps.
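To make the Android alternative concrete, here is an added example (not code from the article, from Google, or from any app named here) of the message format the SMS Retriever route relies on. The hash derivation mirrors Google's published AppSignatureHelper sample: SHA-256 of "package-name space cert-hex", first 9 bytes, base64, first 11 characters. The package name and certificate bytes are constructed placeholders; `retriever_would_deliver` only mimics the filtering rule that Play Services applies on the device, it is not that code.

```python
"""Construct and filter an OTP SMS in SMS Retriever format (added example).

With this scheme the app never declares READ_SMS or RECEIVE_SMS: the OS hands
it only messages that end with its own app hash, and every other text stays
invisible to it. Package name and certificate below are placeholders.
"""
import base64
import hashlib
import re

# Hypothetical package and a constructed stand-in for its DER signing cert.
# A real value would come from `apksigner verify --print-certs` or keytool.
PACKAGE_NAME = "com.example.wallet"
SIGNING_CERT_DER = bytes.fromhex("308201a2" * 8)

MAX_SMS_BYTES = 140          # Retriever ignores longer messages
OTP_RE = re.compile(r"\b(\d{4,8})\b")


def app_hash(package_name: str, signing_cert_der: bytes) -> str:
    """11-char app hash as computed by Google's AppSignatureHelper sample."""
    # Signature.toCharsString() yields lower-case hex of the DER certificate.
    cert_hex = signing_cert_der.hex()
    digest = hashlib.sha256(f"{package_name} {cert_hex}".encode("utf-8")).digest()
    # 9 bytes -> exactly 12 base64 chars (no padding); keep the first 11.
    return base64.b64encode(digest[:9]).decode("ascii")[:11]


def build_otp_sms(code: str, expected_hash: str, prefix: str = "<#>") -> str:
    """What the sender (the bank, the wallet backend) must put on the wire."""
    body = f"{prefix} Your verification code is {code}\n{expected_hash}"
    if len(body.encode("utf-8")) > MAX_SMS_BYTES:
        raise ValueError("message exceeds 140 bytes")
    return body


def retriever_would_deliver(sms: str, expected_hash: str):
    """Mimic the OS-side filter: return the OTP only for messages carrying
    this app's hash, None for everything else (the app never sees those)."""
    if len(sms.encode("utf-8")) > MAX_SMS_BYTES:
        return None
    body = sms.rstrip()
    if not body.endswith(expected_hash):
        return None
    body = body[: -len(expected_hash)]      # don't mistake hash digits for the OTP
    match = OTP_RE.search(body)
    return match.group(1) if match else None


if __name__ == "__main__":
    h = app_hash(PACKAGE_NAME, SIGNING_CERT_DER)
    msg = build_otp_sms("482913", h)
    print("app hash:", h)
    print("delivered OTP:", retriever_would_deliver(msg, h))
    print("unrelated text delivered as:", retriever_would_deliver("Your bank balance is 1234 INR", h))
```

On the device side the app calls `SmsRetriever.getClient(context).startSmsRetriever()` before the server sends the code and receives the matching message by broadcast; the trade-off is that the sender must cooperate, which is why many Indian apps still fall back to the blanket SMS permission.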
Android apps occasionally ship with irrelevant permissions too. Paytm declares a Body Sensors permission; HDFC Bank's app declares a microphone permission. Both Paytm and HDFC Bank declined to comment on these permissions.
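Claims like these can be checked on any phone you control. The following is an added example (not from the article or from any of the apps named) of the audit a practitioner would run: dump an installed package's permission state with `adb shell dumpsys package <pkg>`, then parse the "requested", "install" and "runtime permissions" sections to see which dangerous permissions the app asks for and which the user has actually granted. The transcript embedded below is a constructed, abbreviated dump for a hypothetical package `com.example.wallet`, and the dangerous-permission table is a subset of Android's list.

```python
"""Audit an installed Android app's dangerous permissions (added example).

Feed it the text of `adb shell dumpsys package <pkg>`; the sample here is a
constructed transcript for a hypothetical wallet app.
"""
import re

# Subset of dangerous (runtime-prompted) permissions, keyed to the group the
# user is actually asked about. Extend as needed.
DANGEROUS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.WRITE_CALL_LOG": "CALL_LOG",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.BODY_SENSORS": "SENSORS",
    "android.permission.ACTIVITY_RECOGNITION": "ACTIVITY_RECOGNITION",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
}

# Constructed sample output; field layout follows what dumpsys prints.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.wallet] (1a2b3c4):
    userId=10231
    versionName=8.4.1
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.CALL_PHONE
      android.permission.BODY_SENSORS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
    User 0: ceDataInode=0 installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
        android.permission.CALL_PHONE: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

# A permission line: bare name (requested section) or "name: granted=bool, ..."
PERM_LINE = re.compile(r"^([\w.]+)(?:: granted=(true|false)(?:,.*)?)?$")


def parse_dumpsys(text: str):
    """Return (requested_names, {name: granted_bool}) from a dumpsys dump."""
    requested, granted = set(), {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("permissions:"):
            section = line.split()[0]        # requested / install / runtime
            continue
        m = PERM_LINE.match(line)
        if section is None or not m or "." not in m.group(1):
            section = None                   # left the permission list
            continue
        name, state = m.group(1), m.group(2)
        if section == "requested":
            requested.add(name)
        elif state is not None:
            granted[name] = (state == "true")
    return requested, granted


def audit(text: str):
    """List (permission, group, status) for every dangerous permission requested."""
    requested, granted = parse_dumpsys(text)
    rows = []
    for perm in sorted(requested):
        group = DANGEROUS.get(perm)
        if group is None:
            continue                         # normal permissions: no prompt, not our concern here
        state = granted.get(perm)
        status = "granted" if state else ("denied" if state is False else "no grant record")
        rows.append((perm, group, status))
    return rows


def granted_groups(text: str):
    """Permission groups the app can currently use; one grant opens the whole group."""
    return {group for _perm, group, status in audit(text) if status == "granted"}


if __name__ == "__main__":
    for perm, group, status in audit(SAMPLE_DUMPSYS):
        print(f"{perm:<48} {group:<20} {status}")
    print("groups usable right now:", sorted(granted_groups(SAMPLE_DUMPSYS)))
```

The thing to notice is the group column: a single granted READ_SMS or RECEIVE_SMS puts the whole SMS group at the app's disposal, which is exactly the "key to all your texts" problem above, and a requested permission with no grant record (here BODY_SENSORS) is one the app has declared but never had a reason to prompt for yet.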
"In the case of activity recognition permission, they are meant for tracking physical activity via built-in sensors. This could be misused by a third party to, most likely, deliver targeted ads. Free apps often come with a price, which is losing a little bit of privacy here and there," said Lukas Stefanko, Malware and Security Researcher at ESET.
In a few instances, however, permissions that may seem unrelated do exist for a reason. Ixigo Trains, an app for booking as well as tracking trains in India, comes with a Physical Activity permission. Ixigo says “it was introduced as a part of Ixigo’s live running status feature which ensures that travellers know exactly where their train has reached in real-time. The ‘Physical Activity Module’ through the user’s handset helps figure out if the train is stationary or moving.”
So why do apps request so many permissions when they clearly don't need them?
Often, when an app asks for a permission that has nothing to do with the features it provides, the permission is there for advertising. An app with no location-based feature may still declare the location permission solely so that it can show ads tied to where you are.
One of the more popular advertising networks, One by AOL, recommends declaring a range of permissions, including microphone and Bluetooth access, in its starter documentation.
With millions of services tussling for your attention, a developer also needs to do everything it can to keep you from leaving. That's where engagement trackers come in.
When you launch Hotstar, it immediately initialises a Facebook tracker, an ad service called Moatads (which has been categorised as malware), the marketing analytics platform AppsFlyer, CleverTap's app engagement platform, and more.
"This is the case with many types of aggressive adware that we discover. Many of them have more than five ad SDKs integrated in their code, where each SDK has its own needs in terms of permissions. For this purpose, many apps request many permissions, many of which are required for ad purposes only," said Nikolaos Chrysaidos, Head of Mobile Threat Intelligence and Security at Avast.
Adding to the complexity, a study found that when two unrelated apps embed the same analytics SDK, they can feed off each other's permissions. If app A has the location permission and app B does not, and both use the same SDK, B may still end up with your GPS data: the SDK in A writes what it collects to a storage area on the phone that both apps can read, and the same SDK in B picks it up from there.
Most of these loopholes are expected to be closed in Android's next major release, Q. But if history is any guide, most Android phones will never get that update. Only about 10% of Android users are on 9.0, a release Google shipped a year ago, and about a quarter run a version below 6.0, with no runtime permissions at all.
“The open nature of Android, and the large number of users still using really old versions of Android makes this an impossible problem to solve,” commented Abhay Rana, a software developer at Razorpay.