Downloading an application on an Android device is fairly simple: open Google Play, find the app you want to download, and press the button that says install. The next step, reviewing any requested permissions, is very important. Although denying a permission may limit application functionality, don’t simply hit ‘Allow’ for all the various requested permissions.
The following permission requests carry particular potential dangers and deserve careful attention:
- Phone permissions — These permissions give an app the ability to interact with your calls and call history. As a result, the app can make calls (including those that use Voice over Internet Protocol, or VoIP), as well as read and edit your calls list. An app with these permissions can also read your network information to collect data on the calls that you have made, and can even redirect your calls or hang up the phone.
- SMS permissions — These permissions give an app the ability to both send SMS messages and read any that are incoming. Not only does this present some obvious privacy concerns, it also means that a criminal could leverage this access to add paid services to your account without your consent. Additionally, if you are using any applications that rely on SMS (text messages) for 2-factor authentication, a malicious app could compromise your login security!
- Contact permissions — As with any of the permissions on this list, there are completely aboveboard reasons that an application would require access to your contacts, as well as the ability to edit them. However, in the wrong hands, your contact list becomes a resource for a spammer to pull their next victims from and can be used to facilitate social engineering attacks (particularly in combination with the two above permissions, where people could call or text purporting to be you).
- Calendar permissions — With these permissions granted, an app can read, edit, and create events in your calendar. However, this also means that an app can review your calendar without restriction, with the ability to edit or remove anything they want.
- Camera permissions — These permissions, perhaps obviously, allow an app to utilize your phone’s built-in camera to capture images and video. However, these permissions don’t specify that the app has to necessarily be in use to do so, allowing the app to potentially record your life whenever it wants.
- Microphone permissions — Just as the camera permissions allow an app to capture visual content, microphone permissions allow an app to use the onboard microphone to capture sounds and audio. Also like camera permissions, there is nothing that says the application has to be in use for it to do so, and so an app could potentially record anything your device could pick up at any time.
- Storage permissions — If granted these permissions, an application can read and write information to your phone’s storage, whether it’s in the onboard storage or an added SD card. Like other permissions with the “Dangerous” label, this also means that the app can edit and remove files from data storage.
- Location permissions — These permissions allow an app to read your location at any time. Based on what the app is looking for, this location is either very exact (coming from GPS data) or a more general one (based on local Wi-Fi hotspots and cellular base stations). This could create a problem, as a criminal could potentially obtain your location history from the app and use it to establish your behaviors.
- Body sensor permissions – These are not seen quite as often as other permissions, but you are apt to see them if you use certain accessories (like fitness trackers) and their associated apps to track your health data. These permissions allow the app to access that data.
Weigh the potential value of particular applications versus potential risks. A messaging application without SMS permissions may not be able to do its job. Social networks may request access to the camera in order to take the photos that you edit and share. Security always involves tradeoffs with convenience.
Always consider why an app might request certain permissions, and whether there is actually any reason that those permissions are necessary for the app to function. Evaluate your options and consider if this particular app is really the best solution. There are Mobile Device Management solutions that can partition business and personal data and also restrict which apps may be installed on a phone used for business. Maas360 is a fairly popular example. A primary challenge with this solution is that while it separates business and personal data, it significantly changes the user experience in the process.
The many useful features available in GSuite (Google’s Business Productivity Suite) include Mobile Management (MDM), which allows your business to whitelist approved applications to help reduce risks and improve your company’s security. While there are some similarities to Maas360, GSuite takes a different approach, which may help improve security while minimizing impact to user experience.
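The permission review described above can also be done before an app is approved for business phones. The following sketch is an added example, not part of the original article or of any MDM product: it reads a manifest that has already been decoded to text XML, maps the requested permissions onto the groups listed above, and reports the groups the app's stated purpose does not explain. The sample manifest, the package name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Android permission names arranged under the article's group headings
# (call-log permissions are kept under Phone, as the article describes them).
GROUPS = {
    "Phone": {"READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG",
              "USE_SIP", "PROCESS_OUTGOING_CALLS", "ANSWER_PHONE_CALLS"},
    "SMS": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_MMS", "RECEIVE_WAP_PUSH"},
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "Calendar": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "Camera": {"CAMERA"},
    "Microphone": {"RECORD_AUDIO"},
    "Storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "Location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
                 "ACCESS_BACKGROUND_LOCATION"},
    "Body sensors": {"BODY_SENSORS"},
}

# Constructed sample: a flashlight app that asks for more than a camera flash needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
</manifest>"""

def requested_groups(manifest_xml):
    """Return {group: [permission, ...]} for the listed groups the app requests."""
    found = {}
    for elem in ET.fromstring(manifest_xml).iter():
        name = elem.get(ANDROID_NS + "name", "")
        if elem.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        short = name[len(PREFIX):] if name.startswith(PREFIX) else ""
        for group, perms in GROUPS.items():
            if short in perms:
                found.setdefault(group, []).append(short)
    return {g: sorted(p) for g, p in found.items()}

def review(manifest_xml, expected_groups):
    """Flag groups the app's purpose does not explain, plus risky combinations."""
    groups = requested_groups(manifest_xml)
    notes = []
    if "SMS" in groups:
        notes.append("SMS access can expose text-message 2-factor codes")
    if "Contacts" in groups and {"Phone", "SMS"} & set(groups):
        notes.append("Contacts plus Phone/SMS lets an app call or text as you")
    unexpected = sorted(set(groups) - set(expected_groups))
    return {"groups": groups, "unexpected": unexpected, "notes": notes}
```

Calling `review(SAMPLE_MANIFEST, {"Camera"})` reports Contacts and SMS as unexpected for a flashlight app; an installed APK's manifest is binary XML and has to be decoded to text before it can be passed in.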