Do you know what data your phone is collecting about you right now? Do you know where it’s being shared, with whom and how often? It’s almost certain that you do not. While recent headlines have focused on Play Store malware and quality, staggering levels of permission abuse continue to plague Android users.
This was perfectly illustrated in a report from Cyber News this week, which set out to understand “how many dangerous permissions are too many,” reporting that the 50 popular apps it checked “see no limits,” sharing the raw data to back that up.
The researchers explain that they “selected 50 of the most popular apps on the Google Play Store and analyzed their Manifest files to determine what dangerous permissions the apps are requesting… Every Android app has a Manifest, which is a rule book telling the device what the app can access. In total, there may be 41 ‘dangerous’ permissions that could affect user privacy or core phone functions.”
Cyber News says that it defined “dangerous” permissions as those that “give the app additional access to restricted data or actions that substantially affect the system and sensitive user data. Not all of these are commonly used, and some overlap. For example, if an app is tracking ‘fine location,’ it might not need ‘coarse location’ permission… Best practices require developers to request a minimum amount—only the permissions that the app needs to complete a particular action.”
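The manifest check the report describes can be reproduced in a few lines. The following is an added example, not code from Cyber News or Google; it assumes the manifest has already been decoded to plain-text XML, runs on a constructed sample manifest for a hypothetical app, and checks against a partial list of dangerous permissions rather than the report's full set of 41.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
MAX_SDK = "{http://schemas.android.com/apk/res/android}maxSdkVersion"
P = "android.permission."
# Partial set of permissions Android documents as "dangerous" (runtime);
# this is not the report's full list of 41.
DANGEROUS = {P + n for n in (
    "CAMERA", "RECORD_AUDIO", "READ_CONTACTS", "WRITE_CONTACTS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "ACCESS_BACKGROUND_LOCATION", "READ_PHONE_STATE", "READ_CALL_LOG",
    "READ_SMS", "SEND_SMS", "READ_CALENDAR", "WRITE_CALENDAR",
    "ACTIVITY_RECOGNITION", "BLUETOOTH_CONNECT", "BLUETOOTH_SCAN",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE")}

# Constructed sample: a decoded (plain-text) manifest for a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
      android:maxSdkVersion="28"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Sample"/>
</manifest>"""

def audit_manifest(xml_text):
    """Return the dangerous permissions a decoded manifest requests."""
    # A manifest has no reason to carry a DTD; refuse it before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a manifest")
    root = ET.fromstring(xml_text)
    found = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME, "")
            if name in DANGEROUS:
                # maxSdkVersion caps the API level the request applies to
                found[name] = el.get(MAX_SDK)
    # The fine/coarse pair is the overlap the report mentions; flag it for review.
    overlap = {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"} <= set(found)
    return {"dangerous": sorted(found), "count": len(found),
            "max_sdk": {n: v for n, v in found.items() if v},
            "fine_and_coarse_location": overlap}

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```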
And these really are the most “popular” apps. The six apps highlighted in red include three from Meta (WhatsApp, WhatsApp Business and Facebook), Google’s own Messages app, MyJio and Truecaller. I have approached all four companies for any comments on the report and the rationale behind these permission requests.
MyJio came top of the list, with its “permission requests checking almost all the boxes: location, activity recognition, radios, camera, microphone, calendar and file access, and others. In total, the app asks for 29 permissions.”
WhatsApp, which markets itself on its privacy and security, was in a surprising second place. This will raise the specter of metadata again, which is the information about how content is shared, with whom and when, rather than the content itself, which is protected by end-to-end encryption. WhatsApp actually seeks more “dangerous” permissions than Instagram, Telegram, Snapchat, X and even TikTok.
After WhatsApp, “Google Messages and WhatsApp Business are next, requesting 23 dangerous permissions each, followed by Facebook (22) and Instagram (19).”
So, does this mean you should uninstall these 50 apps? No—that’s clearly unrealistic. But at least be aware of the permissions requested, and ensure that you have used the privacy settings on your phone to limit access to media or your location where you can to a level that you deem acceptable. Don’t stick to the defaults.
Android, just as with iPhone, has improved significantly in recent years, giving users much more control over the data they allow apps to access and share (for which you can read “sell or monetize”). Google provides instructions here.
This new Cyber News report also highlights the reality underlying claims of security and privacy. When an app operates freely on our phones, it can delve into our private and sensitive data without it being obvious to us. We all need to be more aware.
None of this is new, of course. Take a look at Trend Micro’s report from 2013 into the “12 Most Abused Android App Permissions.” Location was top of the list back then, just as it is now. Yet now users can do much more to protect themselves.
The interesting challenge for Google is that permission abuse features within one of its four core pillars for access to Play Store. “Android is secure by default,” it says, “and private by design. And Google Play designs policies and guidelines to create a safe ecosystem. Design for privacy by focusing on minimization. Minimize permission requests, minimize location access, and minimize data visibility across apps.”
Cyber News found that 33 of the 50 apps requested “access to the camera and recording audio,” while “more than half (26) of the apps would like to track precise (fine) location, meaning they can pinpoint user location within a few meters (10 feet). The same number of apps want to read contacts.”
Other abused “dangerous” permissions included Bluetooth connect access (22 apps), and “asking to read your phone state,” (also 22 apps). The report includes a tool to look up any of the 50 apps and see the permissions requested. This should help you focus a privacy settings cull on your phone.
Google is now focusing on cleaning up Play Store and on using AI to identify potentially malicious apps before they are removed from its platform. Permissions abuse is one of the flags that will be taken into account. Quite how to draw the line when so many of the most popular apps indulge so freely is unclear.
Instructing developers to “build apps to be private,” Google says that “as the Android platform evolves, it continues to introduce new privacy-preserving capabilities. Because users are becoming more aware of the information that apps can collect, it’s important to take proactive steps in your apps to maintain user trust.”
Google includes a whole section on minimizing permissions (above). Quite how that squares with the findings in the Cyber News report will be interesting to explore. Clearly something needs to give. Google is on a mission to catch iPhone with a raft of new security and privacy innovations. Plenty more work still to be done, it seems.