How Are Apps Using Your Permissions?
There are hundreds of thousands of applications in the Google Play store, and each has a unique list of permissions that it wants you (as a user) to agree to before it can be installed. There are hundreds of blog posts and news articles any time a major application changes its application permissions. For example, in August 2014, when Facebook launched its Messenger app, the number of articles concerning Facebook’s app permissions jumped 5x! Here is the Google news summary over time:
There is a growing concern amongst consumers about the permissions an application requests. To reduce this concern, it is imperative that as a developer, you only add permissions when they are crucial to the function of your application. Further, some developers have taken to the application description in the Play store to describe what they do with each permission, and why they are essential to the application functioning correctly.
In testing with the Application Resource Optimizer, I have seen an application report my password and location in the background, using HTTP – meaning the data was sent in cleartext. This and other similar misuse of my personal information has certainly made me more hesitant to install apps. A new study shows that I am not alone. In 2014, consumers were asked: How important is it to you to know that an app is collecting and sharing your personal information? 63% felt this was important, a 14% jump year over year.
If you have an Android device running Lollipop, you can see which applications are using your location permission. If you connect your device to your computer and type:
adb shell dumpsys appops
You’ll get a list of all of the applications that have operations on your device. It shows for each package the last time it accessed your location. If you find an application is getting your location often – you can decide whether it is worth it to keep the application. For example, here is an app on my phone that I have not used for 5 days – it has not scanned the Wi-Fi or used a WAKELOCK for 5 days. Yet, it requested my fine location just 6 hours ago. I have been tracking this app for a day or so, and have seen several requests for my location in that time. I plan on uninstalling since I’m concerned about what this application might be doing with my data. I may be a more savvy user than most, but customers are catching on, and it’s better to be ahead of the backlash and mitigate for your app.
Uid u0a101:
  Package <name obfuscated>:
    COARSE_LOCATION: mode=0; duration=0
    FINE_LOCATION: mode=0; time=+5h57m27s896ms ago; duration=0
    WIFI_SCAN: mode=0; time=+6d4h33m43s810ms ago; duration=0
    WAKE_LOCK: mode=0; time=+5d17h2m59s592ms ago; duration=+15s67ms
    MONITOR_LOCATION: mode=0; time=+5d21h36m15s373ms ago; duration=+3ms
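The manual check above can be automated. The following is an added example, not code from the original post: it parses appops output in the layout shown above and lists packages that read your location within a chosen window. The package name in the sample and the function names are assumptions made for illustration.

```python
import re
from datetime import timedelta

# Constructed sample in the layout shown above; the package name is a placeholder.
SAMPLE = """\
Uid u0a101:
  Package com.example.placeholder:
    COARSE_LOCATION: mode=0; duration=0
    FINE_LOCATION: mode=0; time=+5h57m27s896ms ago; duration=0
    WIFI_SCAN: mode=0; time=+6d4h33m43s810ms ago; duration=0
    WAKE_LOCK: mode=0; time=+5d17h2m59s592ms ago; duration=+15s67ms
    MONITOR_LOCATION: mode=0; time=+5d21h36m15s373ms ago; duration=+3ms
"""

UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds", "ms": "milliseconds"}
LOCATION_OPS = {"COARSE_LOCATION", "FINE_LOCATION"}

def parse_age(text):
    """Convert an age such as '+5h57m27s896ms' to a timedelta."""
    parts = re.findall(r"(\d+)(ms|d|h|m|s)", text)
    return timedelta(**{UNITS[unit]: int(n) for n, unit in parts})

def parse_appops(dump):
    """Return {package: {op: age or None}}; None means no access time is recorded."""
    result, package = {}, None
    for line in dump.splitlines():
        line = line.strip()
        m = re.match(r"Package (\S+):$", line)
        if m:
            package = result.setdefault(m.group(1), {})
            continue
        m = re.match(r"([A-Z_]+): mode=\d+;(.*)$", line)
        if m and package is not None:
            t = re.search(r"\btime=\+(\S+) ago", m.group(2))
            package[m.group(1)] = parse_age(t.group(1)) if t else None
    return result

def recent_location_access(dump, within=timedelta(hours=24)):
    """List (package, op, age) for location ops used more recently than `within`."""
    hits = []
    for pkg, ops in parse_appops(dump).items():
        for op, age in ops.items():
            if op in LOCATION_OPS and age is not None and age <= within:
                hits.append((pkg, op, age))
    return hits

if __name__ == "__main__":
    for pkg, op, age in recent_location_access(SAMPLE):
        print(f"{pkg}: {op} accessed {age} ago")
```

To run it against a real device, save the output of adb shell dumpsys appops to a file and pass the file's contents to recent_location_access in place of SAMPLE.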
In conclusion, consumers are becoming hesitant to share their personal data with you. If you must use a permission, explain why you need each permission and how you will use the access granted. Minimizing the permission requests and being upfront about your usage makes me feel more comfortable with installing your application – so I assume it will make other consumers feel the same way.
If you’d like to learn more about permission usage and other security issues in Android, check out my book on High Performance Android Apps. The chapter on security will be released in the next few days.