Managing Mobile App Permissions

February 14, 2020 | 6:01 PM GMT+0800 Last Edit: May 12, 2020

Android Application

This refers to a software application that runs on the Android platform. It is designed for a smartphone or tablet running the Android OS.

Mobile App Permission

Mobile app permissions govern what an application can do and access, ranging from data stored on a mobile phone (e.g. contacts, media files, camera, microphone) to the phone’s hardware.

Mobile Heart

Whenever Valentine’s Day comes around, there is a surge in usage of dating apps [1]. In 2017, a dating app recorded a 20% [2] usage increase at this time of year and it is expected to rise again in 2020 [3].

To create an account, most apps require a user to fill out an online form or to connect through an existing social media account (e.g. Facebook or Twitter) to verify one’s identity. This way, dating apps gain access to and control of the user’s personal data.

In recent years, vulnerabilities that would put users’ personal data at risk have been uncovered. Though subscribing to a dating app may seem harmless, it is important to remember that it may adversely affect the users’ reputation and privacy.

According to the Open Web Application Security Project (OWASP) [4], mobile applications are more susceptible to attacks than regular web applications. By downloading these applications, users unknowingly expose themselves to privacy risks.

In most cases, users are forced to accept permissions through an all-or-nothing approach (i.e. they cannot authorize just a subset of the requested permissions; their only alternative is to cancel the installation of the selected application). Likewise, mobile app permissions are not well defined for users (e.g. the permission SEND_SMS allows an app to send SMS messages to both normal and premium numbers, without giving users any options), making authorization decisions more difficult.

It should be noted that the inclusion of application permissions in privacy notices does not equate to transparency. In some cases, an application’s declared permissions are not consistent with those required.

[1] https://www.gmanetwork.com/news/video/ijuander/421595/ijuander-may-forever-sa-tinder/video/
[2] https://www.abc.net.au/news/2018-02-13/valentines-day-heats-up-online-dating-activity/9424450
[3] https://technology.inquirer.net/46586/loveless-filipinos-turn-to-dating-apps-for-action
[4] https://owasp.org/www-project-vulnerable-web-application/

Security Measures/Risk Mitigation:

Mobile applications bring convenience to users, improve how organizations provide services to customers and maximize smartphone technology. But these benefits must not come at the expense of users’ data privacy rights.

The following are things to consider when using apps:

  • Read privacy notices: A privacy notice will give you insight into how your data will be processed, the nature and extent of processing, your rights as a data subject and how you may exercise these rights.
  • Be mindful of the data you provide: Blank fields are tempting to fill in, but not all fields are meant to be filled out. Provide only the data that are necessary to the application’s function.
  • Always check your privacy settings: Immediately after installation, take advantage of the application’s privacy settings. These allow you to control who sees any information about you. Tweak the settings to improve your privacy and security.
  • Check the permissions: The majority of these applications request excessive permissions – permissions that are not necessary for the applications to perform their functions. Excessive permissions may result in potential risks. You must disable all unnecessary and suspicious permissions before using an application.
  • Be careful of the people you meet: These days, it is easy to meet people online. You must be vigilant when using these applications and avoid sharing too much personal information.
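
The permission check in the list above can be partly automated by comparing what an app declares against what its advertised features justify. The following is an added example, not part of the original advisory: it assumes the AndroidManifest.xml has already been decoded to text XML, and the feature names, feature-to-permission mapping and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Subset of permissions Android classifies as "dangerous" (runtime-granted).
DANGEROUS = {P + n for n in (
    "SEND_SMS", "READ_SMS", "READ_CONTACTS", "CAMERA", "RECORD_AUDIO",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_CALL_LOG",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE")}

# Assumption: the reviewer's own mapping of advertised features to the
# permissions each one justifies (hypothetical feature names).
JUSTIFIED_BY_FEATURE = {
    "profile_photo": {P + "CAMERA"},
    "nearby_matches": {P + "ACCESS_FINE_LOCATION"},
    "voice_notes": {P + "RECORD_AUDIO"},
}

# Constructed sample manifest for a fictional dating app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dating">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.SEND_SMS"/>
</manifest>
"""

def declared_permissions(manifest_xml):
    """Return every permission name the manifest requests."""
    root = ET.fromstring(manifest_xml.strip())
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = {el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)}
    return names - {None}  # drop malformed entries with no android:name

def audit(manifest_xml, features):
    """Flag dangerous permissions no feature justifies, and justified ones not declared."""
    declared = declared_permissions(manifest_xml)
    justified = set().union(*(JUSTIFIED_BY_FEATURE[f] for f in features))
    return {
        "excessive": sorted((declared & DANGEROUS) - justified),
        "undeclared": sorted(justified - declared),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, ["profile_photo", "nearby_matches", "voice_notes"]))
```

Permissions listed under "excessive" are the ones to question or disable; those under "undeclared" show where the declared permissions are not consistent with what the features would require.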

There is a lack of transparency in explaining the purpose of processing and the final disposal of personal data collected by mobile apps. Privacy notices are not easy to read. Some are legal in nature and too long. Others refer to the blanket privacy notice of the entire organization, making it difficult for data subjects to read through it. In addition, certain mobile applications seek permissions that are not relevant to their functions.

Moreover, a majority of the applications do not provide a privacy notice before users sign up or create an account. Also, there are no standards for mobile application development, which results in developers’ tendency to seek excessive permissions.

In summary, the convenience that comes with using a mobile application may be the most unrecognized threat to privacy. Users often enjoy the convenience at the expense of their data privacy. People easily grant permissions to an Android app without carefully reading the terms and conditions.