With a bewildering array of ways to customize our phones, we purchase and download apps (giving them endless permissions) just as often and as easily as we buy coffees.

The process has been streamlined to include just a few painless taps, and voila, you have access to that spanking new functionality. The one you so desperately thought you needed 5 minutes ago.
Usually this all takes place only for you to find out that new app isn’t as life-altering as you thought it would be. But hold on a minute, what was involved in that process again? What did you do in between wanting and getting that app?
While it only seemed like a few taps of ‘okay,’ you may have just given away pivotal permissions. Those seemingly insignificant acceptances could result in a compromise of your personal or corporate data.

Good apps don’t request ‘risky’ permissions, right?

There are millions of apps available to users, and while some are in fact ‘safe’ and treating your personal data with the utmost care, the vast majority are not. This includes apps that make their way onto the Google Play and App Stores.
While seemingly harmless, these apps can easily be compromised. This can be done either by developers themselves, or by malicious third parties through vulnerabilities in the app’s code.
That’s why it’s so important to pay attention to the permissions you’re granting apps (and not just to those apps you would consider to be risky). Regardless of where you find them or how innocent you think they are, there’s always a risk of compromise.
As a consumer or a business enabling your employees with corporate mobile devices, you must be proactive and monitor app permissions before they become problematic.

What are app permissions?

Have you ever asked yourself, ‘what are app permissions?’ Chances are you have when different mobile apps ask to “access your personal info” or something similar. It’s vital to understand exactly what app permissions are, when you are notified of them, how you can manage them, and what app permissions to avoid.
App permissions determine what exactly the app you are attempting to download has access to on your device.
For the purposes of this article, we will be focusing on Android app permissions. The most important thing to understand about these app permissions is that they aren’t optional. Unless you make the choice not to download the app, the SDK will receive all of the permissions it requires once it is installed on your device.
In the process of installing an app from the Google Play Store, for example, you will receive a popup on your screen of all the permissions the app will require. It’s becoming increasingly important that you both read through and understand these permissions to know exactly what the app will have access to.
As a business, it’s very difficult to monitor every single permission every app on every device within your mobile estate has access to. In fact, it’s nearly impossible unless you have full visibility into mobile device traffic.

What are the most commonly requested Android app permissions?

Across a global network of devices using Wandera, we analyzed the top 20 permissions requested by Android applications. You may be surprised to hear that 45% of them are considered (by our standards) to be highly risky, which may nudge you to revoke app permissions on Android applications.

| Rank | Name | Description | % of apps | Risk level |
|---|---|---|---|---|
| 1 | android.permission.INTERNET “Full network access” | Allows the app to create network sockets and use custom network protocols. The mobile browser provides all apps means to send data to the internet, so this permission is not essential for internet connection. | 90% | Low |
| 2 | android.permission.ACCESS_NETWORK_STATE “View network connections” | Allows the app to view information about network connections such as which networks exist and are connected to. | 86% | Low |
| 3 | android.permission.WRITE_EXTERNAL_STORAGE “Write to SD card” | Allows the app to modify or delete the contents of your SD card. | 68% | High |
| 4 | android.permission.WAKE_LOCK “Prevent sleeping” | Allows the app to prevent the phone from going to sleep. | 62% | Low |
| 5 | android.permission.ACCESS_WIFI_STATE “View Wi-Fi connections” | Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and the name of connected Wi-Fi devices. | 45% | Low |
| 6 | com.google.android.c2dm.permission.RECEIVE “Receive internet data” | Allows apps to accept cloud-to-device messages sent by the app’s service. Using this service will incur data usage. Malicious apps could cause excess data usage. | 44% | Low |
| 7 | android.permission.VIBRATE “Control vibration” | Allows the app to control the vibrating function of the device. | 39% | Low |
| 8 | android.permission.READ_PHONE_STATE “Read phone status” | Allows the app to access the internal features of the device. It gives the app the ability to determine the phone number and device IDs, whether a call is active, and the remote phone number of a caller. | 33% | High |
| 9 | android.permission.ACCESS_FINE_LOCATION “Precise location” | Allows the app to get your precise location using GPS or network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine where you are. This may consume additional battery power. | 32% | High |
| 10 | android.permission.READ_EXTERNAL_STORAGE “Read SD card” | Allows the app to read the contents of your SD card. | 31% | High |
| 11 | android.permission.ACCESS_COARSE_LOCATION “Approximate location” | Allows the app to get your approximate location. This location is derived by location services using network location sources such as cell towers and Wi-Fi. Once again, these location services must be turned on and available to your device for the app to use them. | 30% | Low |
| 12 | android.permission.RECEIVE_BOOT_COMPLETED “Run at startup” | Allows the app to start itself as soon as the system has finished booting. This can make it take longer to start the phone and allows the app to slow down the device by constantly running. | 29% | Low |
| 13 | android.permission.GET_ACCOUNTS “Find accounts” | Allows the app to get the list of accounts known by the phone. This may include any accounts created by other applications you have installed. | 27% | High |
| 14 | android.permission.CAMERA “Take pictures and videos” | Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation. | 21% | High |
| 15 | android.permission.BLUETOOTH “Pair with Bluetooth devices” | Allows the app to view the configuration of Bluetooth on the phone, and to make and accept connections with paired devices. | 14% | Low |
| 16 | android.permission.READ_CONTACTS “Read contacts” | Allows the app to read data about your contacts stored on your phone, including the frequency with which you’ve called, emailed, or communicated with them in other ways. This permission allows apps to save your contact data. Malicious apps may share contact data without your knowledge. | 13% | High |
| 17 | android.permission.CHANGE_WIFI_STATE “Connect and disconnect Wi-Fi” | Allows the app to connect to and disconnect from Wi-Fi access points and to make changes to your device configuration for Wi-Fi networks. | 13% | Low |
| 18 | android.permission.GET_TASKS “Retrieve running apps” | Allows the app to retrieve information about currently and recently running tasks. This may allow the app to discover information about which applications are used on the device. | 13% | Low |
| 19 | android.permission.WRITE_SETTINGS “Modify system settings” | Allows the app to modify the system’s settings data. Malicious apps may corrupt your system’s configuration. | 12% | Low |
| 20 | android.permission.RECORD_AUDIO “Record audio” | Allows the app to record audio with the microphone. This permission allows the app to record audio at any time without your confirmation. | 11% | High |

The goal of this analysis is, of course, not to say that if an app requests a certain ‘high risk’ permission, it is a malicious app. Some apps request these permissions simply to perform functions that benefit your overall user experience.
The fact remains that by giving an app access to a high-risk facet of the device, you’re opening yourself and your data to the risk of compromise. Take a look at a few on this Android app permissions list:

Other high-risk permissions requested

There are other, not as frequently requested permissions that are essential to keep in mind as a user or a business. Here at Wandera, we consider them to be both highly risky and oftentimes unnecessary to the app’s purpose.
Name: android.permission.CALL_PHONE
Title: “Directly call phone numbers”
Description: Allows the app to call phone numbers without your intervention. This may result in unexpected charges. Note that this doesn’t allow the app to call emergency numbers.
% of apps: 9%
Name: android.permission.RECEIVE_SMS
Title: “Receive text messages”
Description: Allows the app to receive and process SMS messages. This means the app could monitor or delete messages sent to your device without showing them to you.
% of apps: 5%
Name: android.permission.WRITE_CONTACTS
Title: “Modify your contacts”
Description: Allows the app to modify the data about your contacts stored on your phone, including the frequency with which you’ve called, emailed, or communicated in other ways with them. This permission allows apps to delete contact data.
% of apps: 5%
Name: android.permission.READ_SMS
Title: “Read your text messages”
Description: Allows the app to read SMS messages stored on your phone or SIM card. This allows the app to read all messages, regardless of content or confidentiality.
% of apps: 5%
Name: android.permission.READ_CALENDAR
Title: “Read calendar events”
Description: Allows the app to read all calendar events stored on your phone, including those of friends or co-workers. This may allow the app to share or save your calendar data, regardless of confidentiality or sensitivity.
% of apps: 4%
Name: android.permission.SEND_SMS
Title: “Send SMS messages”
Description: Allows the app to send SMS messages. This may result in unexpected charges. Malicious apps may cost you money by sending messages without your confirmation.
% of apps: 4%
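
One way to act on the two lists above, as an added example that is not from the original article or from Wandera's product: it reads the `uses-permission` entries of each app's manifest, groups them by the article's rating, and inverts the result into a per-permission view across apps. It assumes each AndroidManifest.xml has already been decoded from the APK's binary XML into text; the app names and manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"
P = "android.permission."
# Ratings copied from the article: its High rows plus the six other high-risk entries.
HIGH = {P + n for n in (
    "WRITE_EXTERNAL_STORAGE READ_PHONE_STATE ACCESS_FINE_LOCATION "
    "READ_EXTERNAL_STORAGE GET_ACCOUNTS CAMERA READ_CONTACTS RECORD_AUDIO "
    "CALL_PHONE RECEIVE_SMS WRITE_CONTACTS READ_SMS READ_CALENDAR SEND_SMS").split()}
LOW = {P + n for n in (
    "INTERNET ACCESS_NETWORK_STATE WAKE_LOCK ACCESS_WIFI_STATE VIBRATE "
    "ACCESS_COARSE_LOCATION RECEIVE_BOOT_COMPLETED BLUETOOTH CHANGE_WIFI_STATE "
    "GET_TASKS WRITE_SETTINGS").split()} | {"com.google.android.c2dm.permission.RECEIVE"}

def requested_permissions(manifest_xml):
    """Permission names declared in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = (el.get("{" + NS + "}name", "").strip()
             for tag in tags for el in root.iter(tag))
    return {n for n in names if n}

def audit(manifests):
    """Per app: permissions grouped as high / low / unrated (not in the article)."""
    report = {}
    for app, xml_text in manifests.items():
        perms = requested_permissions(xml_text)
        report[app] = {"high": sorted(perms & HIGH), "low": sorted(perms & LOW),
                       "unrated": sorted(perms - HIGH - LOW)}
    return report

def apps_by_high_risk(report):
    """Fleet view: each high-risk permission -> sorted apps that request it."""
    index = {}
    for app in sorted(report):
        for perm in report[app]["high"]:
            index.setdefault(perm, []).append(app)
    return dict(sorted(index.items()))

def sample_manifest(*perms):
    """Build a constructed manifest for a hypothetical app."""
    tags = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return f'<manifest xmlns:android="{NS}">{tags}</manifest>'

SAMPLES = {  # constructed, hypothetical apps (not from the article's data)
    "com.example.flashlight": sample_manifest(
        P + "CAMERA", P + "READ_CONTACTS", P + "SEND_SMS", P + "INTERNET"),
    "com.example.notes": sample_manifest(
        P + "INTERNET", P + "CAMERA", "com.example.notes.permission.SYNC")}
```

Permissions that appear in neither list land in the "unrated" group, so custom or newer permissions are surfaced for manual review instead of being silently treated as safe.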

The verdict

While these permissions for Android apps may seem somewhat obscure because they’re requested by fewer than 10% of apps, it’s important to keep in mind that this analysis is based on data pulled from apps that are currently installed on devices within the Wandera global network.
In other words, these permissions are currently enabled on real-world corporate devices and can be taken advantage of at any time. This absolutely heightens the risk of data breaches and malicious third party exploitation for organizations.

Weighing the pros and cons

The above analysis clearly illustrates that permissions are not something to scoff at or ignore when downloading apps.
Visibility is the most important thing when it comes to evaluating the safety of apps and what exactly you’re giving up when you hit accept. Sometimes, however, that new app just isn’t worth the potential cost.
For businesses, however, visibility isn’t as easy. You can’t monitor every app your employees are downloading every day. That’s where Wandera’s App Insights feature comes into play.
The App Insights report from Wandera presents admins with a 360-degree view of apps installed across the mobile fleet. Not only that, but it also gives a detailed view of the permissions required by each of these apps, which will help you determine which app permissions to avoid. As an admin, this makes it easy to evaluate what high-risk permissions exist on what devices and take the necessary action required to ensure mobile app security.
We hope this look into Android app permissions helped to answer what app permissions are. More important than what app permissions are is knowing which you should avoid and which are simply there to enhance your experience using the app.