The number of applications seeking permission to access various data on your smartphone is scary. It might sound shocking but something as simple as a flashlight application requests for over 25 permissions on an average, says Avast, a global leader in digital security products.
Avast has analysed permissions requested by 937 flashlight apps, which includes many apps that are still available and also the ones that were made available once on the Google Play Store. Out of these, 408 requested for 10 permissions or less, 267 requested between 11 and 49 permissions, and 262 apps requested between 50 and 77 permissions.
The basic idea of gaining permission by applications is to access data or features on the device to work properly. However, over the last few years, an increasing number of applications have been trying to gain access to call records, contacts, emails, camera, photos and location.
Similar has been the case with flashlights apps. In a real-life scenario, the only access a flashlight app should need is the flash on the phone. But most of the applications request access to many more permissions. Surprisingly, most of flashlight apps gained over 70 permissions and had over 1 lakh downloads. Ultra Color Flashlight and Super Bright Flashlight gained access to 77 permissions each and had 100,000 downloads each. Flashlight Plus, Brightest LED Flashlight - Multi LED & SOS Mode, Fun Flashlight SOS mode & Multi LED had gained access to 76 permissions each, Super Flashlight LED & Morse Code had access to 74 permissions.
"Some of the permissions requested by the flashlight applications we looked into are really hard to explain, like the right to record audio, requested by 77 apps; read contact lists, requested by 180 apps, or even write contacts, which 21 flashlight apps request permission to do," says Luis Corrons, Security Evangelist at Avast. "The flashlight apps we looked into are just an example of how even the simplest apps can access personal data, and it's often not just the app developers that gain access to data when users download an app, but the ad partners they work with to monetise. Developer privacy policies are unfortunately not inclusive, as in many cases, further privacy policies from third-parties are linked within them."
In the excitement of installing a new app, users end up giving permissions to whatever the app has been asking for. Avast says there is a gray area when it comes to flagging apps requesting too many permissions as malicious or potentially unwanted, as users themselves grant the permissions, which is why many security solutions do not mark them as malicious.
Apps can request outlandish permissions, but that does not mean they carry out malicious activities per se. When a user installs an app, they grant the app and any third-parties associated with it, the right to carry out actions the app lists in the permissions section. App developers often integrate ad software development kits (SDKs) into their code to earn money from advertisers. To allow these SDKs to target users with ads, the apps request countless amounts of permissions.
Since the last couple of Android OS updates, Google has made it easy for a user to check app permissions and even revoke the same. Within phone's settings is the 'App & Notification' option and 'App Permission' tab that shows the permissions apps have gained access to. This includes body sensors, calendar, call logs, camera, contacts, location, microphone, phone, SMS, storage and more.
It is therefore imperative that users carefully check the permissions an app requests for before installing the app. Users should carefully read the privacy policies and terms and conditions, as well as user reviews on the app's download page.