Did you know that the average smartphone owner uses 46 apps a month? Most apps will ask you for information about yourself and your device. It might also automatically send your location information or connect to other apps. They may inquire about your name, email address, or physical address.

Some apps will even ask for access to the camera or speaker on the smartphone. Read on to learn how to protect your privacy from excessive app permissions.

You might be shocked by how much personal data some apps can access.

How often do you grant apps access to your name? Do you put your email in to sign up for offers?

Did you know that 30 percent of Android and 15 percent of iOS apps request access to your location?

We all know that companies can sell your data or use it for advertising, but there’s a dark side, too. If that information falls into the wrong hands, attackers can launch a SIM-swapping attack to take over your identity.

Personally Identifiable Information

We analyzed apps and checked how much personally identifiable information (PII) they demand from users.

• Email Addresses: 40% of iOS and 43% of Android apps.
• Usernames: 33% of iOS and 30% of Android apps.
• Phone Numbers: 12% of iOS and 9% of Android apps.
• Home Address: 5% of iOS and 8% of Android apps.

Your mobile privacy is at risk when you share this information with an app!

Social Media

Many apps interface with social media, allowing users to check in with their social media accounts and have the app post straight to the social media site.

For the user, this means they won’t have to remember passwords for each app, they’ll be willing to welcome friends to play mobile games with them, and they’ll be able to post app information on their timeline.

However, because of this symbiotic relationship, the app can acquire user data from the social media account while the social media service can collect data from the app. Many apps access your critical information, which threatens your mobile privacy.

Which permissions are risky?

Apps need authorization to access numerous capabilities on your mobile device. For example, you’ll need to grant permission to use your camera if you want to snap a picture with Instagram.

Your confidentiality is at stake. An app can request many permissions, but not all are the same.

We took a closer look at what we call “risky permissions,” which we defined as permissions that:

• Grant access to data or resources
• Give access to the user’s personal information
• Affect the user’s stored data or the operation of other apps.

How often are these permissions used?

Access to the user’s location, contacts, SMS messages, phone logs, camera, or calendar are examples of hazardous permissions. These threaten your mobile privacy and provide access to your personal information through mobile apps.

We analyzed apps for these risky permissions. What did we discover?

• Camera: 46% of Android and 25% of iOS apps.
• Location Tracking: 45% of Android and 25% of iOS apps.
• Record Audio: 25% of Android and 9% percent of iOS apps.
• View SMS Messages: 15% of Android apps. iOS data is not available.
• Access Call Logs: 10% of Android apps. iOS data is not available.

Surprisingly, several Android apps sought more dangerous permissions than their iOS counterparts in cases when we analyzed both the Android and iOS versions of apps.

Seven Android apps requested SMS message access, but their iOS counterparts did not. One Android software asked for access to call logs, but its iOS counterpart did not. While neither permission is available in iOS, it begs the question of why these are in the Android version but not in the iOS version.

This study raises troubling questions about the permissions apps request.

Are All Permissions Required?

Is it vital for these apps to have all of these permissions? Sometimes. Here’s an example of an app that did need all of these permissions.

Case Study: Smart LED App.

We examined a smart LED home automation app that allows the user to customize the appearance of their LEDs. It asked for permission to view calls and texts.

At first glance, this seemed excessive, but we found the reason once we investigated the app.

When the user receives incoming calls or texts, the app allows the user to flash the lights in a custom pattern or color. It needs access to calls and texts to do so.

The Upshot

Only grant permissions if your use case requires it and you trust the app.

Do Developers Create Apps to Access Your Data?

Is it true that some software developers create apps just to gain access to your data? It’s happened before!

Consider the 2013 “Brightest Flashlight” case. An Android flashlight app called “Brightest Flashlight” siphoned location & device information from users. The app’s developers then sold it to advertisers without user consent. Even the FTC made a statement on this deception!

Smartphone manufacturers have responded to threats like this by making permissions more transparent, but you have only one person in control of your life: you.

It’s up to you to decide whether these extra features are necessary for the app’s operation and whether it’s worth allowing access to features that only bring minor benefits.

At Mobilen, we can see a trend that mobile privacy theft is on the rise.