Ever wondered what App Permissions are in Android 6.0 and above? It's simple. When an app needs to interact with data on your phone that it does not own, for a predefined functionality, it prompts the user for permission to access that data.
So, users, think twice before tapping the “Allow” button on your Android screen while using a third-party app!
Be extra careful when granting permissions to apps that ask for access to the following areas on your phone:
Let's try to understand each permission group mentioned above:
This permission allows an app to use the GPS (Global Positioning System) chip on your phone, which lets the app know your position in GPS coordinates.
Generally, an app uses this feature to deliver results that are accurate for your location. Example: a “Hire a Cab” app. It requires your exact location on the map so that the cab can reach you and pick you up.
So what's so bad about this? Let's consider a scenario where a MALICIOUS APP has been given the Location permission. The app can then detect your exact location at any point, whenever required, and even send those details to a hacker sitting somewhere out there in the wild and watching your movements. I think now you have an idea of how the hero in spy movies keeps track of his assets 🙂
This permission allows an app to place a call. Every app can launch the default dialer and even fill in the number, but unless this permission is granted you have to press the call button yourself.
Also, when an app is granted this permission, it can read your current phone status, i.e. whether you are on an ongoing call. For example, “TrueCaller” has a feature that tells others if you are on a call. The setting can be turned off if you want to keep that info private, but by default “TrueCaller” knows if you are idle or busy on another call.
This permission allows an app to read from and write to your contacts. Remember those crowdsourcing apps that provided the identity of unknown numbers? They used this feature to upload the contacts from individual phones and build their database.
How sure are you about giving this permission to any app that's installed on your phone?
Please note that Android does not give us the visibility to know which contact was accessed by the app that was granted this access.
So users, be choosy!
An app with this permission can READ ALL your SMS messages. One of the best-known use cases is autofilling One Time Passwords (OTP) for shopping/banking apps.
Although this is known to be a feature designed for user convenience, let's give it some thought. Do we get to know which app is reading which SMS, and is the app reading only the SMS intended for it? We can't be sure, because Android does not give us the ability to audit that activity of an app.
Misuses: In our experience, we have seen apps use this feature for competitive intelligence. For example, there are 2 apps that are direct competitors of each other, and let's say there is a user who uses both of them. When the user uses one of these 2 apps and if there is a related SMS like a delivery notification, the second app, which also has SMS permission, can peep into this one, and hence after a period of time the second app can strategise their next marketing move! Interesting, isn’t it?
Think about this once again!
An app with this permission gets to use the cameras present on the phone. Straightforward, isn’t it? Not really! Did you think of background apps? What if there is a malicious app that runs in the background and starts accessing the camera to take pictures in stealth?
Let me explain this in a little more detail. The camera output that we see on our screen when the camera app is launched is the last step in the process, called “FEEDBACK”. First the camera starts grabbing images/video, then it processes them, and the last step is to display them on our screen. Now what if the feedback is not provided, or the app simply runs in the background, keeps grabbing pictures/videos and does not show them on the screen? Please go through this post, a little dated but interesting. Summarising the post: by shrinking a camera app’s viewfinder to 1px, which made it virtually invisible, Mr. Sidor was able to gain access to a Nexus 5’s camera without alerting users to the app’s activities—even when the app was running in the background and the phone’s screen was switched off.
An app with this permission can use the mic on the phone. Ideally we grant this permission only to those apps which need to record or listen to the sounds around the phone, like the Dialer app, the Shazam app (a music recognition app that works by sample recording), etc.
Misuses: Does an app running in the background always have the ability to start recording the sounds around it? Privacy is a huge myth! Remember, your Google Assistant is always listening to you and quickly gets activated when you say the magic words “Hey Google!”
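Each permission group discussed above corresponds to concrete permission names that an app declares in its AndroidManifest.xml. The following is an added example, not part of the original post: a small Python audit of a decoded manifest that reports which of these groups an app requests. The group labels, the sample manifest, the package name and the two warning heuristics are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission groups covered in this post -> manifest permission names.
GROUPS = {
    "Location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "Phone": {"CALL_PHONE", "READ_PHONE_STATE"},
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "SMS": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "Camera": {"CAMERA"},
    "Microphone": {"RECORD_AUDIO"},
}
SENSORS = {"Camera", "Microphone"}

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def audit_manifest(manifest_xml):
    """Return (package, {group: [permissions]}, [warnings])."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name.startswith("android.permission."):
                requested.add(name.rsplit(".", 1)[1])
    found = {}
    for group, names in GROUPS.items():
        hits = sorted(requested & names)
        if hits:
            found[group] = hits
    warnings = []
    # Heuristic (assumption): a sensor permission plus start-at-boot means
    # the app can be running without the user having opened it.
    if SENSORS & set(found) and "RECEIVE_BOOT_COMPLETED" in requested:
        warnings.append("sensor access + starts at boot")
    if "SMS" in found and "INTERNET" in requested:
        warnings.append("can read SMS and has network access")
    return root.get("package"), found, warnings
```

Run `audit_manifest` on a manifest decoded from an APK to see, before installing, whether an app asks for more of these groups than its stated function needs.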
Good news! Android P
New rule sets in “Android P” will PREVENT idling background apps from accessing the camera. This will ensure that malicious apps running in the background when your screen is off can’t take potentially compromising pictures of you or your loved ones for blackmail.
The rule change targets apps’ UIDs (User IDs), the identifiers Android assigns each application at install time. They’re unique to each app, and they don’t change—as long as an app remains installed on your phone or tablet, it’ll retain the same app ID.
In Android P, when the camera service detects that a UID is “idle”—that is to say, when the device is in the idle Doze state and background apps’ access to CPU and network-intensive services is restricted—Android will generate an error and close access to the camera. Subsequent camera requests from the inactive UID will immediately generate an error.