Shining a Light on Mobile App Permissions

Last weekend, I was doing some work around the house and needed a flashlight. I cursed having to get up and get one from the closet when my daughter said, “Use the flashlight app, Dad.” Then we discovered that my Android phone doesn’t have a built-in light.

This, of course, led me to look for an app and spend much more time than getting off my lazy butt and getting a flashlight would have. Hey, this is the age of mobile convenience, and now that I have an app, I won’t ever be flashlight-less again! All a very worthwhile exercise – a great light that is handy and brighter than many real ones I have owned.

All of this leads up to my diatribe on app permissions… Ready, set, go!

I don’t have an exact count, but using the Google App Store, a search returns about 30 flashlight apps. Now, how do you pick one? This is a simple app, so maybe the answer should be simple. Cheapest? Best rated? Most downloads? A developer/vendor you recognize?

All of those are decent criteria, and I use them as part of my decision process when looking at apps to download. But I think the best way to filter your app choices is to look at the permissions required and ask “Why?” for each one.

Is the permission required to do the job? Is it one that is necessary because there isn’t a finer grained permission (access to camera and storage required just to turn on the flash)? Or is it there to serve the app and its author (ads and/or feedback)? Or could it be malicious?

The first of the flashlight apps I looked at clearly wanted more permissions than one should need or be willing to give a simple flashlight. Almost all of the apps I looked at wanted network access, supposedly to display ads, but clearly once granted network access, it is a matter of trust that the app doesn’t send personal data.

Some want access to read phone status and identity, which is not anything I can rationalize for a flashlight. And even if that was a reasonable request so the app could monitor power consumption, why would it also need full network access or to modify system settings? This is a flashlight app we are talking about, isn’t it?

Another concern raised here is the fact that app updates can change the permissions required, and in the case of auto-updates, the average user will never know the change happened. Users get notified when new permission groups are added, but fine-grained permissions within a group can change without notification.

That means that even when I make good choices, a patient attacker could get a decent number of downloads before the app is updated with new permissions and “features.” But going too far down that road might lead to paranoia and sanitariums.

After researching a few of these apps, I finally came across Privacy Flashlight that only requires access to the camera and the flashlight (research dependency between two permissions) that also satisfied my other concerns:

- Good reviews and a decent quantity of them
- A developer I could research and am satisfied isn’t a criminal
- A decent user base
- Free is a very good price (all flashlight apps were free, so that wasn’t a deciding factor, but there are good reasons to avoid free apps – like they are more likely to contain ads and that can raise privacy concerns)

[Image: BFFlashlight]

For me, the hardest part was not choosing the first flashlight app that came up: Brightest Flashlight Free. (I hesitate to even link to the app, but this is the web). In spite of my focus on security and software as a profession, I was more interested initially in convenience and almost chose an app that uses an insane number of permissions[i] and appears, on a closer look, to track its users and do other little bits of nastiness (at least according to the large number of angry “customer” reviews).

I included in the image above some of the permissions that caught my attention. It requires a total of 8 permission groups, including Wi-Fi connection information, your location, and full network access.
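
The “ask why for each permission” review and the update concern described above can be automated. The following is an added example, not code from the original post: it reads the permissions requested in two versions of a decoded AndroidManifest.xml, lists the ones a flashlight cannot explain, and shows what an update added. The manifests, the package name, and the expected-permission set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest carry the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: the only permissions a flashlight can justify (camera flash).
EXPECTED = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

# Constructed sample manifests; they do not come from any real app.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight" android:versionCode="1">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight" android:versionCode="2">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def review(manifest_xml, expected=EXPECTED):
    """Permissions beyond the expected set: each one needs a 'Why?'."""
    return sorted(requested_permissions(manifest_xml) - expected)

def update_diff(old_xml, new_xml):
    """Permissions an update added or dropped, regardless of group."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    return {"added": sorted(new - old), "removed": sorted(old - new)}

if __name__ == "__main__":
    print("v1 needs a 'Why?':", review(MANIFEST_V1))
    print("v1 -> v2 update:", update_diff(MANIFEST_V1, MANIFEST_V2))
```
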
