Smartphone APPs: Don’t click ‘yes’ for all permissions

With apps seeking more access to improve their focus on advertising content, users must be careful of the privacy intrusion they are allowing in the process.

Written by Udit Roy | Updated: February 19, 2016 1:39 am
Critically examine permissions that an app asks for. Critically examine permissions that an app asks for. (Illustration by: C R Sasikumar)

While India has more than 300 million mobile internet users, awareness of app-based security and privacy issues are still quite low in the country. People download multiple apps each week providing numerous permissions unwittingly to various companies. According to experts, while such behaviour is understandable, such ignorance poses numerous threats to smartphone users.

“Privacy concerns and awareness of threats from mobile applications is extremely poor in India. Over time, applications have become more and more intrusive,” says Akhilesh Tuteja, partner and head of IT advisory, KPMG.

Initially, the resources that the apps required were half of the amount they need at present. Over the last year, apps have become a lot more immersive and companies want more access so as to provide relevant content, which also translates to focussed advertising.

This is not a surprise as the smartphone market is growing at a rapid pace — urban areas registered a y-o-y growth of 71 per cent in December 2015 while the user-base in rural zones has gone up by 93 per cent from December 2014, according to an Internet and Mobile Association of India (IAMAI) report.

Share This Article
Related Article

How do we know how much access apps have? “Specifics are difficult to determine. In theory, an app can acquire tremendous amount of details. In practice, numerous permissions can go unused. Because of the way in which Android works, all potential permissions must be approved at the time of installation rather than when a feature requiring the permission is first used (as it is with iOS),” says Sean Sullivan, security advisor, F-Secure Labs.

The latest version of Android includes options to remove/disable permissions from apps. So for example, after installing but before running an app, users could disable permissions they aren’t comfortable with providing. While you would no longer be able to do a “music search” (like Shazam) via the app, but then you’ll also know that the app cannot use the permission for other functions.

The problems that may arise for users due to lack of awareness are multi-fold:

Privacy: A shopping app might need access to your camera and the logical answer for such a permission would be based on the fact that lots of these apps allow you to search for items through pictures or via scanning barcodes. However, many ask for permissions which have no relevance to its function.

Simple apps that can be downloaded to allow you to use your camera flash as a torchlight or your phone as a mirror are supposed to have basic functions — like lighting up the LED of phone’s flash or turning on your front camera. There’s no reason for such apps to have access to your messages or contacts.

Data/Battery consumption: Multiple applications run in the background eating your internet data continuously. Shopping apps keep pushing their offers which include an image, a status bar and messages. These ‘push notifications’ utilise a lot of data and battery for updates and downloads.

Vulnerabilities: Many applications suffer from vulnerabilities which users may not be aware of. Rogue apps can exploit this vulnerability.

If you have an app that uses your contacts, the app in itself may not be malicious. However, if the app itself suffers from vulnerabilities, rogue apps can exploit this to access your data from your phone or even steal content from authentic apps. Some can also use your phone to place international calls through a third party which you could get billed for.

So how much of our personal information can a company access from specific permissions?

“As much as the user offers to give,” says Devendra Parulekar, partner and national leader, infosecurity, advisory services, EY. “Most users never bother to read the privacy policy of the app owner or service provider, and inevitably sign away most of their rights.”

Some analysts say that is where the state needs to step in, so that the rights obtained can never exceed the protection offered by law.

At present, The IT Act has a specific provision under Section 43(a) that defines sensitive personal information and provides some degree of protection to us. It places some responsibilities on service providers/ app owners to disclose, obtain consent, use and process appropriately and dispose securely all such sensitive personal information.

So what can users do to enhance their security? “Be mindful,” says Sullivan.

“One shouldn’t overreact, but it is important to really review the permissions and compare them to the potential features of the app. If they don’t appear to be in the favour of the users’ privacy — they should consider using the mobile web version of the service.”

“I don’t often use Facebook — but when I do — it’s via the web, not the Facebook app. In fact, I’ve blocked access to Facebook related services on my iOS devices. I’d do the same on Android,” he adds.

This is because when using the web version of a service, you can route through a VPN (virtual private network ) to limit location information. When using an app, the phone’s location services can provide details, even though a VPN is being used.

The main point is to be aware at all times, consult if in doubt, and avoid unknown or suspect apps.

Things you should do

* Always take a look at the policy.

* Do not install unknown or suspect apps

* Do not allow minors to install apps without adult supervision

* There are many settings that can be activated to protect privacy of a person — browsing in incognito mode, or not providing your location, or explicitly disallowing access to contact list, etc. However, at times the usage of the app is dependent on providing such access – taxi apps become meaningless without access to location.

* Critically examine permissions that an app asks for. If you come across permissions that sound strange – it is asking for a permission that has no relevance to its function – avoid it, especially its asking for your contacts, phone, camera, location.

* Before you download an app, it’s a good idea to look at its rating. If it’s below 2 -2.5 on the scale of 5, then either it’s not very good functionally or has other issues. Also go through the reviews.