Dear Lifehacker, I read your article about Chrome permissions last week, but I want to know about Android app permissions. It seems like every app developer wants access to so much on my phone! Do they really need all those permissions, or are they just harvesting my data? Sincerely, Paranoid Android
Dear Paranoid Android,
Android permissions are simultaneously an Android developer's best friend and worst enemy. Some of the best apps available from even reputable app developers and companies still need some pretty deep permissions in order to do basic things. On the other hand, the controversy around Android malware definitely makes that long list of permissions a scary experience. Let's see if we can set your mind at ease.
Read the Permissions List and Tie It Back to the App's Features
Every time you install an app in Android, you're presented with the list of permissions the app requires in order to work. If you're not reviewing that list before you click "Install", start now — you'll get a better understanding of what information an app really needs and what functions the app can access. It's tempting to just skip past it, but resist: you should at least look them over.
The first thing to understand is what all those permissions actually mean. Some apps ask for lots (Facebook, Google+, Gmail), while others ask for relatively few. This thread at Android Forums does a great job of explaining how permissions work and what each type does, complete with examples for what each permissions type means.
Ultimately, you want to understand why an app is requesting those permissions. Make sure you read the list of permissions and try to correlate each one back to some feature or function of the app. If you can reasonably tie an app's permissions back to a feature (an SMS app that needs to read SMS messages, or a caller ID app that needs access to "read phone state and identity", for example) then there's little to worry about. Let's face it: most of the time, the reason an app asks for the permissions it does is because it needs them to work.
The only notable exception to this rule is apps that require root. When you root your Android phone, you grant yourself that level of access to the inner workings of your phone's OS. When an app pops up a superuser request and asks for root, you should think seriously about whether the app needs it.
Apps like ROM Manager and Titanium Backup need root because they're performing system-level tasks on your phone. However, if a clock app or even a new app launcher requests root, make sure you understand why it needs it before you click "Allow".
Watch Out for Apps that Combine Permissions for No Reason
I spoke to Prateek Srivastava, a CS student and Android developer, about what all of those permissions mean and whether they're inherently dangerous. He explained that most permissions alone are pretty harmless:
"Even by itself, the internet permission can't do much — and is likely needed by most apps to display ads. What you should really watch out for is apps that are combining permissions willy-nilly. For instance if you had an ad-supported file browser app that requested permissions to read your storage, and to the internet to display ads — there's no way to prevent the app from just posting your data on your phone's file systems (including your camera pictures) to the internet."
It's true. Even apps that seem to have legitimate uses for multiple permissions may be dangerous. MakeUseOf explains some of the permission types you should look out for, especially when they're combined in a single app, as does Matthew Pettitt in this great article. It's easy to get frightened when you see how much information many apps ask for — even apps from trustworthy sources — but you have to ask yourself these questions when you see these long permissions lists:
- Is this app from a trustworthy developer? Does it look like malware?
- Do I understand why this app needs these permissions?
- Does the developer explain to me why they need these permissions? (Are they listed at Google Play, along with the reasons for each permission request? Often, they are.)
If the answer to all three of these questions is yes, you're in good shape. If you start answering no, you should begin to consider whether you really need the app in question. Even apps from trustworthy developers can collect a great deal of data, either for advertising and marketing purposes, or because someone screwed up. If you have an app from a developer you've never heard of, and it doesn't explain why it needs the permissions it does, stay away unless you understand that the permissions are necessary for the type of app it is.
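The following Python example is added here and is not part of the original article or the quoted developer's work. It reads a decoded AndroidManifest.xml and lists every pairing of a personal-data permission with a permission that can send data off the device, marking which ones you have already tied to a feature. The source/sink grouping, the function names and the sample manifest for a hypothetical file browser are assumptions of the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions that read personal data (sources) and permissions that can move
# data off the device (sinks). This grouping is an assumption of the example.
SOURCES = {
    P + "READ_EXTERNAL_STORAGE": "files and photos",
    P + "READ_SMS": "text messages",
    P + "READ_CONTACTS": "contacts",
    P + "READ_PHONE_STATE": "phone state and identity",
    P + "ACCESS_FINE_LOCATION": "precise location",
}
SINKS = {P + "INTERNET", P + "SEND_SMS"}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def risky_combinations(manifest_xml, explained=()):
    """Return (source, sink, tied_to_feature) for every source/sink pair held.

    `explained` holds permissions the reviewer has matched to a visible
    feature. Those pairs are still listed, since the combination remains.
    """
    perms = declared_permissions(manifest_xml)
    explained = set(explained)
    return [(src, sink, src in explained)
            for src in sorted(perms & set(SOURCES))
            for sink in sorted(perms & SINKS)]


# Constructed manifest for a hypothetical ad-supported file browser.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    for src, sink, ok in risky_combinations(SAMPLE, {P + "READ_EXTERNAL_STORAGE"}):
        print(SOURCES[src], "+", sink.split(".")[-1], "explained" if ok else "UNEXPLAINED")
```

For the sample, storage access is marked as explained (a file browser has to read files) while contacts access is not, which is the pairing worth raising with the developer.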
Encourage Developers to Explain their Permissions Needs at Google Play
Looking at an app that requires a lot of permissions can be scary, but make sure to check the app listing at Google Play before you jump to conclusions about it. As we mentioned above, if the developer explains why each permission is required for the app to function, you don't have anything to worry about unless you think the app is doing something else behind the scenes. If it is, you'll probably see people talking about that in the app reviews.
Check the app's description on Google Play to see if the developer's listed out the permissions at the bottom of the list of features. More and more devs are doing this, partially because they know they have to in order to combat paranoia, but also to be transparent about what information their app needs from you. Even if they don't list it at Google Play, you'll often find more information at the developer's website. To-do manager Any.DO, for example, asks for some pretty scary-looking permissions, but one glance at its Android FAQ should put your fears to rest.
"For developers, Google themselves recommend you request as few permissions as possible. Developers are also lazy — for instance most developers would just request your user account information to identify the user uniquely from their email address or phone number (this could be for many reasons — maybe server side validation that the app isn't pirated). A better way to do this is outlined here (without any personal information required)."
This is all the more reason developers need to be transparent about the permissions they request, he said, and why users need to be careful — not paranoid — and challenge devs when they don't know why an app needs the permissions it does.
Monitor and Tweak App Permissions On Your Own
If you really want to install an app that has questionable permissions, or an app with permissions you just don't understand (or don't think are necessary for the app to work), there are apps that can help. Some will stop intrusive apps from getting the data they want, others will just monitor the apps you install to see if they're doing anything fishy. For example:
- PDroid Privacy Protection is a previously mentioned app that keeps an eye on the types of information that your apps request and lets you allow or disallow it on a per-app basis. You can block access to personal or identifying information for each app you have installed, and it won't break the app in the process.
- LBE Privacy Guard acts a bit like an app-based firewall for Android, notifying you when an app tries to access data and giving you the choice to allow or deny it. The key is that if you deny something an app needs to function, it may very well crash, so you'll have to think before you tap. Keep in mind people loved the old version and the new version hasn't been as well received at Google Play, so your mileage may vary.
- PermissionDog is another app we love because it shows you exactly how dangerous your installed apps are at a glance. You can tell just by scrolling through the list which ones are OK and which ones you should pay closer attention to.
- Pocket Permissions is a complete guide to app permissions. It's helpful for Android beginners or anyone else who's interested in the topic, and wants more detail about what each permissions type means specifically, and what data is available when that permission is granted. You can use the app to research permissions and understand why other apps need them, search by permission to see which apps request it, sort by risk or importance and more. It's $1.99, but it's a worthwhile guide.
Research Before You Panic
There's no reason to rage every time you find an app that requires a good number of permissions. In many cases, the problem may just be that you don't understand why the app needs the permissions it does — it could be some dependency in Android that the developer had to fulfil in order for the app to work.
It could be a feature in the app that you don't fully understand. Before you fly off the handle and accuse the dev of stealing your data, check Google Play or ask them directly. If that sounds like too much effort, just don't install the app and find an alternative that's more transparent.
"In the end, as a user, you really have to trust the developer about what they're doing with the permissions. You can make a good educated guess, but that's about it. As a developer, you have to be transparent about what and why you need every permission. For instance if you need to collect analytics about your app and post the results to the server, you need the internet permission. But if your app is just a clock app — users are going to be confused why you have the internet permission."