iOS app permissions: Do companies really need all of that access?

To share or not to share

If you want to upload a photo to an app, it will need access to the photo in order to post it, sure. And if you want to use a GPS mapping function on your iPhone, it's necessary to give the app access to your location — for a time.

But sometimes, app developers may request access to personal information that they don’t actually need for the app to function. It might be merely sloppy code development or an attempt to personalize your experience. But they might also want to monetize you by selling your data without your knowledge.

Apple and Google have been cracking down on excess data collection by enforcing standards on Google Play and the App Store, but when it comes to privacy and safety, it’s best not to just depend on others. Everyone needs to pay close attention.

Developers need to evaluate their data collection practices to minimize potential privacy impacts, and consumers need to be aware of the privacy that they are giving up when they allow apps to access data and systems.

Our analysis of iOS app permissions

To better understand the use of app permissions and the information that app developers are trying to collect, Jamf has created a paper analyzing metadata within a sample of almost 100,000 popular apps across the App Store catalog.

in Q2 of 2021, we looked at the apps that Wandera customers have installed from 2.5 million devices, including only apps that had widespread adoption. (The metadata analyzed in this research comes from aggregated logs that do not contain personal or organization-identifying information.)

And we learned a few things.

Top four permissions

The top four permissions that apps request are:

• Photos
• Camera
• Location
• Microphone

Which apps request these permissions?

The top categories of app that requested these permissions were:

• Photo & Video, such as YouTube and FaceApp
• Shopping, such as Amazon, Shop, and eBay
• Social Networking, such as Facebook, Instagram and Twitter

Apps permissions to avoid

Access to too many photos

While it makes sense to allow social media apps access to photos in order to upload a snapshot, access to the user’s entire photo library is excessive. With iOS 14, Apple introduced more consumer control to iPhone privacy settings, requiring apps to offer a user the choice of allowing access to selected photos or the entire library. We recommend restricted access to only those images the app needs to perform a specific action.

Unlimited camera access

While this access is important for specific sessions with, say, Zoom or Microsoft Teams, allowing an app full access to your camera is a very bad idea. Historically, bad actors have used camera access to turn on the camera when the user isn’t aware of it. Make sure you allow access for specific, discrete actions.

Unlimited location access

Historically, Android users could “allow” or “deny” location access, and iPhone and iPadOS allowed “when in use” or “always.” With iOS 13, Apple introduced “allow once,” and Android 10 introduced “allow only when app is in use.”

Choosing the smallest window of location access is a user’s safest choice.

Stealth microphone access

Microphone access in the wrong hands can have serious consequences: apps can record and transmit private conversations without the user’s knowledge. In iOS 14, Apple introduced the orange dot that indicates when your microphone is in use by an app — an important privacy feature.

Inappropriate cross-app data sharing

Stop and think twice before allowing apps to share data such as contacts or other data. Does the app really need this information to function? There are quite a few examples of times when bad actors abused this permission, and even more in which companies simply used it to advertise to users, which some might not want.

What organizations can do to prevent inappropriate permissions

• Encourage your employees to take a close look at what apps request before tapping "accept." Does a shopping app really need their photos? Does it need their location?
• Regularly audit your iPhone privacy settings to ensure that apps don’t have too much access to your data.
• Use security products that offer app vetting.
• Use a security tool that can flag out-of-date OS versions within your company’s fleet of mobile devices.

Learn more about iPhone app permissions

For a more in-depth look at permissions, who asks for what, how they might be a danger to users and companies and how to control for privacy and security violations, download “An Analysis of iOS App Permissions.”