oaktrees

Are App Permissions an Identity Theft Risk? Or, Worse? Or, Not at All?

When I read the number of permissions some Android apps need, I feel stunned. How do you experts react when you see this much authority being asked for? Looking at the list below, for a VERY popular app, seems like, if the developer wanted to, from his keyboard he could open up my phone and very nearly know everything that's on it. Am I right? What's the risk here? And, how do you manage it?

I believe in the newer Android I can manually disable each one of these permissions.  I'm guessing that will affect the app performance in the long run.  

But, from the time the app is installed, if it takes me 5 to 10 minutes to drill down to each permission and turn it off, by that time couldn't a bad actor have pretty much imaged my phone with all the permissions seen here?

This app has access to:

Device & app history
- retrieve running apps
- read sensitive log data

Phone
- directly call phone numbers

Photos/Media/Files
- read the contents of your USB storage
- modify or delete the contents of your USB storage

Storage
- read the contents of your USB storage
- modify or delete the contents of your USB storage

Camera
- take pictures and videos

Wi-Fi connection information
- view Wi-Fi connections

Other
- modify secure system settings
- pair with Bluetooth devices
- access Bluetooth settings
- change network connectivity
- connect and disconnect from Wi-Fi
- full network access
- close other apps
- change your audio settings
- control Near Field Communication
- run at startup
- reorder running apps
- control vibration
- prevent device from sleeping
- modify system settings

serialband

Unfortunately, apps need to be vetted. Apps can be quite insecurely set up and there have been cases where apps are malware. Basically, you should not download apps from untrusted devs.

btan

Indeed, only download apps from the official app store.

Of course, one still has to be vigilant about the permissions granted to apps. It can be subjective and differs for everyone.

But I do see that certain permissions are more likely to put your security at risk than others.

These permissions include:

1. Finding or using accounts – Beware of apps that ask for permission to find and/or use accounts connected to the device.
>>> This permission can be dangerous because it may allow the app to impersonate the individual using these accounts.

2. Permissions related to text messages – Beware of an app that asks for permission to read, edit or send messages with your device.
>>> These permissions not only put your privacy at risk, but they can also cost you money.

3. Reading or modifying contacts – Beware of apps with a social component that require access to contact information.
>>> If the access seems unfounded, the app may be malicious. Don’t allow an application to access or modify your contact list unless you trust it completely.

4. Access phone status and identity - Beware of apps that ask for access to contacts, access to the phone’s status and sometimes for identity for the proper functioning of the app.
>>> If it doesn’t seem like a logical request, ask yourself again before allowing an app access to this information. Err on the safe side and continue to disallow and monitor again.

5. Access to your location information – Beware of apps that use this permission to pinpoint your exact location at any given time.
>>> This permission may be necessary for some apps, even like the popular Pokémon GO or apps related to looking at driving through local traffic, but it can be dangerous to provide this information to an unknown third-party app.

Always read the fine print and err on the safe side.

Be careful about granting any of the permissions typically identified as “risky,” those that are mentioned earlier.

Don’t agree to the app requests unless they’re absolutely necessary for the app’s function and you’re confident that the app is safe. There is no 100% assurance, but you can always monitor the app's usage and see if it is what is expected of its normal behavior.
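
The five permission groups listed in the answer above can be checked mechanically on a device. The following is an added example, not part of the original thread: it flags granted permissions in those groups and builds the `adb shell pm revoke` commands to switch them off. The mapping of groups to Android permission names, the sample text and the package name `com.example.flashlight` are assumptions of this example.

```python
import re

# Risk categories from the answer above, mapped to Android permission names.
# The mapping is this example's assumption, not part of the original post.
RISKY = {
    "accounts": {"GET_ACCOUNTS"},
    "text messages": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS"},
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "phone status and identity": {"READ_PHONE_STATE", "READ_PHONE_NUMBERS"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
                 "ACCESS_BACKGROUND_LOCATION"},
}

# Matches lines such as "android.permission.READ_SMS: granted=true, flags=[...]"
LINE = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)")

def granted_risky(dumpsys_text):
    """Return {category: sorted permission names} for granted risky permissions."""
    found = {}
    for line in dumpsys_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != "true":
            continue  # not a permission line, or the permission is switched off
        for category, names in RISKY.items():
            if m.group(1) in names:
                found.setdefault(category, set()).add(m.group(1))
    return {c: sorted(p) for c, p in found.items()}

def revoke_commands(package, findings):
    """Build adb commands that switch the flagged permissions off again."""
    return [f"adb shell pm revoke {package} android.permission.{perm}"
            for perms in findings.values() for perm in perms]

# Constructed sample, shaped like the "runtime permissions:" section of
# `adb shell dumpsys package <package>`; com.example.flashlight is hypothetical.
SAMPLE = """\
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.GET_ACCOUNTS: granted=true
"""

if __name__ == "__main__":
    findings = granted_risky(SAMPLE)
    for category, perms in findings.items():
        print(f"{category}: {', '.join(perms)}")
    for cmd in revoke_commands("com.example.flashlight", findings):
        print(cmd)
```
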
oaktrees (ASKER)

I believe in the newer Android I can manually override each one of these permissions. Am I right?

But, from the time the app is installed, if it takes me 5 to 10 minutes to drill down to each permission and turn it off, by that time couldn't a bad actor have pretty much imaged my phone with all the permissions seen here?

Yes, you can override them in newer versions. App permissions in Android versions prior to Marshmallow were on an all-or-nothing paradigm.

On newer Android, you can review app permissions by visiting Settings > Apps & notifications > App permissions. Here you can check all the apps you have installed, grouped by permission. Go into each category and review each app's permission, which you can switch on or off.

Yes, these checks are indeed tedious. This is why there are also apps that can help with the verification process. You can check out MyPermissions Privacy Cleaner, which shows you whether you’re exposing yourself to privacy and security risks. It scans your apps' permissions by reading their settings from your profile.

For info, this app claims not to collect or store any personal information about you or your browsing history.

https://mypermissions.com/faq/
With the level of permissions described above couldn't a bad actor have pretty much imaged my phone by the time I get the permissions turned off?

Is there any way to set all permissions PERMANENTLY off?  So that, I'd need to turn them ON after the app was installed?

Have you ever chosen not to install a "popular" based on the permissions?

Many thanks!!!

OT
With the level of permissions described above couldn't a bad actor have pretty much imaged my phone by the time I get the permissions turned off?
Imaging the phone is not straightforward and it takes time, so if you lose or misplace your phone or leave it unattended, you are exposing yourself to a bigger risk through the loss of physical control. Also, even if someone accesses your phone, I presume you will use a screen lock and have set a strong password, 2FA or biometrics to deter direct access to the phone. Also, don't root your phone, as it just opens an easier path to gain access to your phone. All that said, if someone can get your phone, access to the apps is trivial.

Is there any way to set all permissions PERMANENTLY off?  So that, I'd need to turn them ON after the app was installed?
I don't see a default deny-all, as the apps may also malfunction if a certain permission is given. Google will need the developers to make the permissions explicit so that the user is aware of the threat. But what I find more reassuring is that Google Play will check the apps regularly, so just make sure the checks are enabled (which is the default state). E.g. Settings -> Google -> Security -> Google Play Protect -> make sure "Scan device for Security threats" and "Improve harmful app detection" are checked.

Have you ever chosen not to install a "popular" based on the permissions?
If I need the app, I will then allow it, though I will be wary of the permissions required; otherwise I would not even bother to install it in the first place. I will make sure the apps come from known sources.

Thank you BOTH!  Amazing, detailed EXPERT answers!

:)))))))))))))))))))))))))))))))))))))))