Mobile App Permissions: Are Users Really the Problem?

While there have been a lot of news-worthy events in the past couple of years involving corporate breaches, one thing has not changed. Users are still considered the greatest obstacle to information security. Whether it is phishing, opening infected attachments, or “just being stupid and lazy”.

Our focus in this article will be on the “stupid and lazy” part of this equation. We will take a quick look at the way users tackle mobile app permissions in the android market place otherwise known as Google Play. A cursory look at some apps on Google Play and the permissions required by these apps, and the ratings given by users, even to apps with seemingly over-reaching or meaningless permissions, explains a lot about why security will continue to be a problem for a very long time.

As mentioned in an earlier article, it is amazing how much people are willing to sacrifice in the name of using an app, or sheer laziness and the inability to do a little research and due diligence before using an app. For example, take apps that perform exactly the same function, like Gaming, Task List, Timer, or even a World Clock and compare the permission requested. The permission requested by one app will border on the ridiculous for its purpose while the other seems appropriate. In these days of ad-supported apps, it is not unusual for an app to request internet access or location service if applicable.

But does a clock really need access to your phone calls and the remote number connected by a call? Does it need the permission to:

“call phone numbers without your intervention”,
“read data about your contacts stored on your tablet, including the frequency with which you’ve called, emailed, or communicated in other ways with specific individuals”,
“read from the system’s various log files…to discover general information about what you are doing with the [device]”, “communicate with Near Field Communication (NFC) tags, cards, and readers”?

Not if another app that can perform the exact same function “Requires no special permission to run”. The main function here is to “tell you the accurate time about any timezone of the world”, period. Does this app really need all that permission to tell the user that the time is 3:00 P.M in Chicago, 2:00 P.M. in New York and 9:00 P.M. in Lagos, Nigeria?

Yet, a quick look at the user reviews show thousands of people who happily install these apps and give glowing reviews of how they “can’t do without it”. Yet they wonder why their phones or tablets are “suddenly” freezing, making phone calls at night and  can “unlock my device without me doing anything”.

Certain apps by the function they perform give us an idea of the type of permissions or access to personal data that may be needed. A contact manager, phone dialer or calendar can justify requiring access to pretty much everything. But does a Flashlight app with a declared function to “use your device’s camera LED / flash / screen as a torch” need permission to modify system’s setting data, change current configuration, such as locale, take pictures, access the contact list, send SMS and make phone calls?

It is very important to look at the requested app permissions relative to what its function is. So before installing an app, do a little research on it. Google Play displays the permission required for an app before installation.

Ultimately, as we’ve noted in the mentioned previous article, Google has to take on more responsibility in this arena. As a developer opined, “The reason for the permissions is actually due to the underlying development framework. [Apps are] developed using Corona SDK which was made by Ansca Mobile and is now known as Corona Labs. These permissions are included by default when the app is compiled and there is currently no easy way to remove them!”

According to one developer, “Many developers in the Corona community have requested that these be optional and only included if the app actually uses the internet for something. Corona Labs has indicated they are looking at this issue (granted they have been looking at it for some time now).”

But a bigger issue is that this could be a code problem. Indeed, the argument, according to Corona Labs, is that “We’re not ready to strip out the default permission from Android apps yet. We can’t just rip them out, because a lot of code and 3rd party dependencies such as InMobi, inneractive, OpenFeint, Flurry, etc. Ripping them out would cause crashes and generate a lot issues – but we haven’t forgotten about this and do hope we can come to a solution.”

For further discussions on this issue, see here and here.

So a lot of what users get in terms of unreasonable request for app permissions could actually be seen as “standards” set by Google and its partners. While many developer are adamant that these app permissions “don’t do anything”, it is a great risk for users to take.

It is not just Google. On Amazon AppStore, apps have permission issues as well. According to one developer, “People don’t even bother downloading, they just rate with 1 star”. Here is an example.

An interesting thing is that many developers are aware of this problem and are doing their best to help in alleviating the concerns users have by going the extra mile and doing the work. A few have already gone that route.

The best advise for users of apps, whether it is from Apple, Amazon, Google or others is to do their due diligence and know what they are getting into before installing an app, no matter how shiny and cool it looks. For example, at the Google Play store, users can follow these steps to check the app permissions requested by a particular app before installing:

  • Open the app you want to install and read the “Overview” to get an idea of what the app really does, then
  • Click on the “Permissions” tab to see the permissions required for the app to run.
  • Read the reviews of other users, but focus on the “negative” reviews to see why the user did not like the app.


If you are not comfortable with the required permsissions, search the store for similar apps until you find something you are comfortable with. For example, take the Moon+ Reader. The overview describes it as a “Book reader with powerful controls & full functions” which allows you to “Read thousands of ebooks for free, supports online ebook libraries”. The permissions required are “Network Communication” and “Storage”. This is a great example of where the permission required is in line with the function of the app – internet access for “online ebook libraries” and storage for the books.

Within the book reader category, you will find apps that do not require any permissions like the “Nomad Reader”, the “50000+ Free eBooks Reader” which only need access to storage, and the extreme like the “50000 Free Ebooks & Reader” that wants access to phone features, location services and the ability for the app “to read data about your contacts stored on your tablet, including the frequency with which you’ve called, emailed, or communicated in other ways with specific individuals”  – totally unnecessary for a book reader, in my opinion. Note the similarities in the names of the last two examples.

For those who are bold enough to experiment, there are some apps for managing permissions at the Google Play store. One is called Android PErmission Filter System (APEFS), developed at the Siegen University in Germany.

APEFS  is an “An Infrastructure for Permission-based filtering of Android Apps” and “is able to filter apps that are interesting for the user by search in charts and searches for suspicious patterns and so allows controlled installation of apps. To do so the user can use filter options, like Internet access or Paid services, offered by APEFS that fit to his view of security issues. APEFS then discards apps that [are] questionable from the view of the user”.

It even works on already installed apps so you can review the permissions granted to those apps and remove them if needed.

Another one is called App Permission Watcher, described as an app which “helps you to monitor the permissions used by installed non-system Apps. It warns you about suspicious permission combinations that can be used to compromise privacy or to cause unwanted costs”. It was developed by Eric Struse as part of a thesis at Ruhr University Bochum and University of Duisburg-Essen (Germany).

There is also Permission Friendly Apps by Androidsoft. This app allows you to review the permissions granted to apps that are already installed and provides the opportunity of uninstalling suspicious apps.

As always, use with caution and at your own risk.

Please note that using filters like “SafeSearch: Strict” has nothing to do with permissions – read more about this here.