Is Your Flashlight App Spying On You?
Almost every app you install on a mobile device or a social media network asks for permission to access some of your private user data; many also ask to perform actions on your behalf, such as writing to your Facebook timeline or Twitter feed. Sometimes it’s obvious that an app needs the permission it’s requesting in order to work at all. But how can you tell when an app’s request for permission is unreasonable, suspicious, or malicious?
What Permissions Do Apps Really Need?
A report by security research firm SnoopWall says that the top ten flashlight apps in the Google Play store may all be malicious. Flashlight apps are notorious for requesting permissions that they don't need, in order to snoop around on your phone, and send your personal information to hackers in parts unknown for malicious purposes. SnoopWall recommends removing ALL flashlight apps, and offers a free alternative that won't spy on you.
So what permissions do your apps really need? A caller-ID app needs permission to “read phone state and identity,” for instance. Does that mean it can inform the NSA who you are and what you’re doing? No; it means the app must be able to tell when a phone is in the state of “receiving an incoming call” and read the identity of the caller: the caller-ID info that comes in with a phone call. Blame the cryptic jargon of system-level programmers for consumers’ confusion and fear of apps.
This thread from the Android support forum provides an excellent guide to that operating system’s permission types, what they mean, and the security/privacy implications of granting them. The jargon or other OSes will be similar.
A contacts manager has to have access to your contacts, obviously. A dialer app must be able to make phone calls on your behalf. But if an app wants “root” access or “superuser” privileges, stop and think hard about why it would need such powerful access to the deepest parts of your operating system. Some apps really do, like backup and firmware management apps that are doing system-level chores. But an alarm app or game does not need root access, and if one asks for it you should probably delete that app uninstalled.
You may be surprised to learn how many apps have access to your contacts, social media accounts, and mobile devices. It’s a good idea to review all of the permissions that you have granted (wittingly or not) and revoke those that no longer serve you. Why yes, there’s an app for that!
The "Online Privacy Shield" app from MyPermissions.com scans your desktop Web browser, iOS or Android mobile device and tells you what apps have what permissions. It ties into major online services such as Facebook, Google+, LinkedIn, Instagram, etc., and reads their lists of apps that you have granted permission to interact with those services.
You can confirm or revoke permissions one app at a time. But don't be too alarmed by the results. I noticed that it often flags an app with "Post in your name" privileges, which makes you think it might post on your Facebook or Twitter account without your permission. But clicking on that for more info says the actual underlying permissions are "access the camera device" or "prevent device from sleeping." Similarly, when it flags for "Use your pictures & files" it means that the app can write to and read from your SD storage card. Some apps do need such privileges, and if you consider what the app does, it's usually pretty obvious.
On the other hand, it flagged an app I had called "Backgrounds" (which lets you browse and install pretty background images on your phone) because it allowed reading and writing user's contacts, and reading user's call log. Yikes! I uninstalled that one immediately.
SnoopWall's Privacy App is a similar app that scans all the apps on your device and flags them based on the risk posed by the permissions they are granted. And just like Online Privacy Shield, it flagged some apps as "high risk" that don't seem warranted. "Google Play Services" was flagged as such, but I don't believe it should be. It also lists Chrome, Gmail, Maps, Kindle, Facebook, Skype, Waze, Yelp and Slacker as "medium risk" apps. Perhaps they need a whitelist, to avoid alarming users unnecessarily.
Yes, you should pay attention to the list of permissions that an app is requesting before you hit the “permission granted, install already” button. Carelessness is what hackers count on to gain permissions that enable their malware to send your credit card details to Estonia. But don’t err too far on the side of caution or you won’t have many apps to play with. If you can reasonably relate the requested permissions to functions that the app performs, or it's an app from a well-respected company, then go ahead and grant permissions.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 3 Oct 2014
|For Fun: Buy Bob a Snickers.|
Will Ello Be a Facebook Killer?
The Top Twenty
HOWTO: Get Your Free Credit Report Online
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005
- Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Is Your Flashlight App Spying On You? (Posted: 3 Oct 2014)
Copyright © 2005 - Bob Rankin - All Rights Reserved