When you download most apps from the Google Play Store, you see a screen that looks something like the following:
What this screen is giving you is a list of application permissions that the app you are about to install is asking for. But what are application permissions anyway?
The Android Operating System (OS) is structured in such a way that individual applications are isolated from one another and from the operating system itself. This means that by default one application cannot start another application, nor can it access the data used by other applications. This is a central security feature of the Android OS. In order for one application to share the resources or data of another, you must provide explicit permission for it to do so. Of course nearly every app does require that you grant at least a few permissions in order for it to function. Google Maps isn’t going to work very well if it can’t access your GPS receiver, for example, and posting photos directly to Facebook is made easier by granting access to your device’s camera.
It can be scary sometimes, reading down the list of everything that a seemingly simple app might want access to. Do you need to worry that some innocent game will download all of your personal contacts and sell them off to telemarketers? Actually yes, you do. But this is a multifaceted problem for most ordinary users: What do these permissions actually mean? Why does this app need so many of them? How do I know what’s safe?
What Permissions Do I Need to Worry About?
Most of them, or none of them. I know that’s not much of an answer, but the fact of the matter is that it honestly depends. There are literally dozens of Android permissions, and learning the finer points of every one could be a college course of its own. Scary sounding permissions like “Full network access” are necessary for apps to connect over the internet directly without first opening a web browser, but if you combine that with “Read your contacts” then nothing is stopping an app from sending the entire contents of your contacts list anywhere in the world. “Take pictures” and “Record audio” can let an app turn your phone into an on-demand spying device without you even knowing about it, but are necessary for an app to access your device’s camera or microphone. Granting “Directly call phone numbers” or “Send SMS” permissions will allow an app to place calls or send text messages directly, possibly at a cost, and without you having to click a send button. But if you’ve ever called someone by clicking the telephone icon you see in Facebook Messenger, that’s how it happens.
Why Does an App Need All These Permissions?
If an application requests a particular permission, most of the time it’s for a perfectly legitimate function. Your third party texting app needs to be able to receive, read, and send both SMS and MMS messages. It will also likely require permissions for your phone’s contacts and local data storage. If you want to take pictures and send them via text message, then you’ll be giving camera permissions as well, etc… If the app is supported by advertisements, then chances are it may very well ask for permissions to determine your location and maybe read your browser history too. This is usually pretty innocuous (if you consider targeted advertisements to be innocuous) but this is where you have to start paying closer attention. Once you give an application rights to your personal data, you don’t really have any idea where it goes or who does what with it.
Be wary when an app asks for permissions that don’t make sense to you. App stores are littered with free games and utilities that are free because they’re just a front for mining your data. When you grant application permissions, you’re allowing access to anything that particular permission gives access to.
Can I Control Permissions Individually for Each Application?
No, not really. If you want to install an application then you get one chance at Yes/No. You can’t authorize some permissions but deny others. If you don’t like what an app is asking for, then you should not install it. There are ways around that, but these methods are not part of the normal operation of the Android operating system. Selectively controlling application permissions involves delving into the seedy underworld of root-access applications. Unless you really know what you’re doing, ypu shouldn’t root your phone. Not only can attempting to root your device damage it, but even if successful doing so can expose your device to all sorts of dangers.
Can an Application Change its Permissions?
Granting permissions is an install-time activity. Just like you can’t change the permissions for an app that you’ve installed, an app that’s been installed can’t go and grant itself additional permissions later. If a later update of an app requires additional permissions, then you will be shown the application permissions authorization screen when you download and install it. Also, if you have automatic updates turned on for a particular app it will not do so if the permissions have changed. So if the Play Store is telling you that you need to run an update yourself, or if you see that permissions screen for an app you’re already installed, pay attention!
How Can I Stay Safe When Downloading Apps from the App Store?
Most of the apps out there do exactly what they say and nothing more but you should still take care. Start by using common sense. Google Play is a pretty wide open market and so is the Amazon App Store. If an app isn’t available there it’s probably for a good reason, so avoid third party application stores. Before you download an app, take a few minutes and actually read the entire app detail page on the Play Store before you begin your download. Are the required permissions spelled out for you before you initiate the download? Can you tie each permission to an advertised application function? How many people have downloaded it before? Are the reviews generally favorable? Do the bad reviews warn of malicious activity? Does the application developer have a web page you can go read to find out more information? Do they have contact information themselves? Not every developer does, of course, but if you’re worried about what the app has access to and you can’t find anyone to ask questions, that’s a red flag.
What about Sideloading Apps?
Sideloading refers to the process of installing an application directly on to a device without acquiring it from the Google Play Store. Copying an installation package file from another device or downloading it from a website are both examples of sideloading. Since the application file isn’t coming from the Play Store, you don’t always know that it’s safe. Luckily, the default Android Security setting is to disallow the installation of apps from unknown sources. If you do elect to sideload an app then you’ll see the normal permissions authorization screen in any case, but be double sure that you read what it says. Also be sure to adjust your settings afterward to once again disallow installation of apps from unknown sources.
The BIG caveat for sideloading is the Amazon App Store. It’s not Google, it’s Amazon. To even install the Amazon App Store on many Android devices you’ve got to enable sideloading, and then everything you install from the Amazon App Store is, itself, sideloaded. If you are interested in using the Amazon App Store instead of the Play Store, take into account that doing so necessitates opening up a hole in Android’s native security.
The good news is that even sideloaded applications will present you with a permissions screen. It may look a little different, but the required authorization of application permissions is baked into your device’s operating system. Any time that you attempt to install an application that requires permissions on your device, you must authorize them before the installation can proceed.
Application permissions are the keys that unlock the functionality of your Android device and keep different components secure from one another. The most impactful thing that you can do to make sure that you’re not affected by malicious applications on your device is to be aware of what you’re installing. Read the App Permissions screen that you are displayed when you elect to download an application, and if you don’t understand or trust everything listed, then don’t install the application. Contact the app developer if you have questions. Stay away from third party application stores unless you really know what you’re doing. However, don’t assume that every application out there is trying to steal your data because they aren’t. If you don’t understand why a particular permission is required, it is probably related to a piece of functionality that you didn’t realize was part of the app. Before getting upset and accusing a developer of trying to steal your personal data, check the Play Store or ask the developer directly; or find an alternative app that’s more transparent.
Be safe out there!