Is Your Flashlight App Spying On You?
Almost every app you install on a mobile device or a social media network asks for permission to access some of your private user data; many also ask to perform actions on your behalf, such as writing to your Facebook timeline or Twitter feed. Sometimes it’s obvious that an app needs the permission it’s requesting in order to work at all. But how can you tell when an app’s request for permission is unreasonable, suspicious, or malicious? |
What Permissions Do Apps Really Need?
A report by security research firm SnoopWall says that the top ten flashlight apps in the Google Play store may all be malicious. Flashlight apps are notorious for requesting permissions that they don't need, in order to snoop around on your phone, and send your personal information to hackers in parts unknown for malicious purposes. SnoopWall recommends removing ALL flashlight apps, and offers a free alternative that won't spy on you.
So what permissions do your apps really need? A caller-ID app needs permission to “read phone state and identity,” for instance. Does that mean it can inform the NSA who you are and what you’re doing? No; it means the app must be able to tell when a phone is in the state of “receiving an incoming call” and read the identity of the caller: the caller-ID info that comes in with a phone call. Blame the cryptic jargon of system-level programmers for consumers’ confusion and fear of apps.
This thread from the Android support forum provides an excellent guide to that operating system’s permission types, what they mean, and the security/privacy implications of granting them. The jargon or other OSes will be similar.
A contacts manager has to have access to your contacts, obviously. A dialer app must be able to make phone calls on your behalf. But if an app wants “root” access or “superuser” privileges, stop and think hard about why it would need such powerful access to the deepest parts of your operating system. Some apps really do, like backup and firmware management apps that are doing system-level chores. But an alarm app or game does not need root access, and if one asks for it you should probably delete that app uninstalled.
You may be surprised to learn how many apps have access to your contacts, social media accounts, and mobile devices. It’s a good idea to review all of the permissions that you have granted (wittingly or not) and revoke those that no longer serve you. Why yes, there’s an app for that!
The "Online Privacy Shield" app from MyPermissions.com scans your desktop Web browser, iOS or Android mobile device and tells you what apps have what permissions. It ties into major online services such as Facebook, Google+, LinkedIn, Instagram, etc., and reads their lists of apps that you have granted permission to interact with those services.
You can confirm or revoke permissions one app at a time. But don't be too alarmed by the results. I noticed that it often flags an app with "Post in your name" privileges, which makes you think it might post on your Facebook or Twitter account without your permission. But clicking on that for more info says the actual underlying permissions are "access the camera device" or "prevent device from sleeping." Similarly, when it flags for "Use your pictures & files" it means that the app can write to and read from your SD storage card. Some apps do need such privileges, and if you consider what the app does, it's usually pretty obvious.
On the other hand, it flagged an app I had called "Backgrounds" (which lets you browse and install pretty background images on your phone) because it allowed reading and writing user's contacts, and reading user's call log. Yikes! I uninstalled that one immediately.
SnoopWall's Privacy App is a similar app that scans all the apps on your device and flags them based on the risk posed by the permissions they are granted. And just like Online Privacy Shield, it flagged some apps as "high risk" that don't seem warranted. "Google Play Services" was flagged as such, but I don't believe it should be. It also lists Chrome, Gmail, Maps, Kindle, Facebook, Skype, Waze, Yelp and Slacker as "medium risk" apps. Perhaps they need a whitelist, to avoid alarming users unnecessarily.
Yes, you should pay attention to the list of permissions that an app is requesting before you hit the “permission granted, install already” button. Carelessness is what hackers count on to gain permissions that enable their malware to send your credit card details to Estonia. But don’t err too far on the side of caution or you won’t have many apps to play with. If you can reasonably relate the requested permissions to functions that the app performs, or it's an app from a well-respected company, then go ahead and grant permissions.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 3 Oct 2014
For Fun: Buy Bob a Snickers. |
Prev Article: Will Ello Be a Facebook Killer? |
The Top Twenty |
Next Article: HOWTO: Get Your Free Credit Report Online |
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved About Us Privacy Policy RSS/XML |
Article information: AskBobRankin -- Is Your Flashlight App Spying On You? (Posted: 3 Oct 2014)
Source: https://askbobrankin.com/is_your_flashlight_app_spying_on_you.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Is Your Flashlight App Spying On You?"
Posted by:
Jennie Hale
03 Oct 2014
Thank you for this information. I have followed your advice, and deleted my flashlight app. I was shocked to see all of the access something as seemingly benign as a flashlight had access to on my phone. No longer!
Jennie
Posted by:
Joe Farkas
03 Oct 2014
Totally agree, most Android and some IOS applications require unwarranted permissions like the flashlight ones you mentioned. By the way, there is a flashlight application from Motorola for Android which also works on non-Motorola devices, it does not appear to need any permissions. Similarly, there are Android applications like Data On-Off and others by the same developer which clearly state that they don't require any permissions. I think Bob that you are doing an excellent job of exposing the culprits, keep up the good work,
Posted by:
Joe Farkas
03 Oct 2014
Totally agree, most Android and some IOS applications require unwarranted permissions like the flashlight ones you mentioned. By the way, there is a flashlight application from Motorola for Android which also works on non-Motorola devices, it does not appear to need any permissions. Similarly, there are Android applications like Data On-Off and others by the same developer which clearly state that they don't require any permissions. I think Bob that you are doing an excellent job of exposing the culprits, keep up the good work,
Posted by:
Elizabeth Landry
03 Oct 2014
Stop stressing and realize that your bank is responsible for money taken out of your account. Peace, E
Posted by:
Dianne
03 Oct 2014
I thought flashlight app must be some fancy code word for something someone really needed. No, not so. I don't have a smartphone so this won't come up for me, but a flashlight app seems one of those things that I wouldn't need or want even if I did. But the update is interesting. We just found out locally that software ("Computer Cop") being handed out to parents to help protect their children actually makes the children more vulnerable to the very people they are supposed to protect them from. I get less and less encouraged by technological "progress."
Posted by:
Mark Hoffman
03 Oct 2014
Even if an app obviously needs a high level permission to do what it is supposed to, I would want to know whether the entity that wrote it can be trusted. Is there a way to do that?
Posted by:
Sheri
04 Oct 2014
I agree that most apps require far too many permissions. And I was ready to install the flashlight app recommended by SnoopWall. Trouble is I cannot uninstall ANY apps that came pre-loaded on my HTC Desire HD and that has always annoyed me, as there must be at least 20 that I never use and never would use! So as the flashlight app was pre-loaded, I cannot uninstall it! So I'm not sure installing the Privacy Flashlight and using that instead of the pre-loaded one would do much good?
Posted by:
Judy Redman
04 Oct 2014
I just checked my flashlight app - which comes installed on my HTC phone, and all it accesses is the system tools so that it can prevent the phone from sleeping. Dianne, when our power went out recently, my phone flashlight made it very easy for me to find the real flashlight, candles and battery lanterns that we needed for several hours. I also found it useful when my colleague and I took a wrong turn whilst walking across a strange campus after dark on our way home from a conference session. We were able to take a short cut across a field because we could see the ground by its light.
Posted by:
olamoree
04 Oct 2014
@Elizabeth just to mention that the Bank is the CUSTODIAN of your funds, whereas a CREDIT operation is THEIR money being advanced to you. The Custodian is often difficult to convince that it was their fault if the matter is WHO removed the money and under what conditions.... and not ALL countries are required to replace Custodian Funds. Beware... and of course, peace.
Posted by:
Julian
04 Oct 2014
I use the widget called ASSISTIVE LIGHT supplied with my android Samsung S3 phone. Is this a threat too?
EDITOR'S NOTE: If the app came with your phone, it should be fine.
Posted by:
RC
06 Oct 2014
Bob, I'm curious about how these permissions get assigned. If the app is malicious, why couldn't it do whatever it wants without asking for permissions? Or, does it have to request these access rights from the underlying operating system? If so, it would seem the OS must act as a trusted broker between the app and the user, only allowing the app to access what the user has permitted. One would hope this mechanism is without flaw, else it could be compromised and the app could gain access without the user's permission or knowledge.
EDITOR'S NOTE: Yes, the permissions requested by the app must be approved by the user at install time.
Posted by:
nana
19 Nov 2014
I often see permissions requested during an install that make absolutely no sense to me. And during an update the permissions can change. It's more work but I manually install updates (where I can) and that way can watch for new or expanded permissions. I'd really hate to see all the information the "powers to be " have about me. On the brighter side when my mind starts to go I would like to be able to call on all that info to refresh my memory. lol
Posted by:
Frank
09 May 2016
Bob. Installed and ran the Snoop Wall Privacy App and ALL apps on my desktop showed "at risk." It seems none protected at the entrance ports. Suggested I install Snoop Wall's Privacy Shield app for total protection. What is you thought on this results and software? Could not see if it was free or not. Thanks