Jamf Blog
February 21, 2018 by Michelle Base-Bursey

What are app permissions - a look into Android app permissions

Guide to app permissions, what they are, how they work and why end-users should be wary of which permissions they grant to certain applications.

With a bewildering array of ways to customize our phones, we purchase and download apps (giving them endless permissions) just as often and as easily as we buy coffees.

The process has been streamlined to include just a few painless taps, and voila, you have access to that spanking new functionality. The one you so desperately thought you needed 5 minutes ago.
Usually, this all takes place only for you to find out that the new app isn’t as life-altering as you thought it would be. But hold on a minute, what was involved in that process again? What did you do in between wanting and getting that app? While it only seemed like a few taps of ‘okay,’ you may have just given away pivotal permissions. Those seemingly insignificant acceptances could result in a compromise of your personal or corporate data.

Good apps don’t request ‘risky’ permissions, right?

There are millions of apps available to users, and while some are in fact ‘safe’ and treating your personal data with the utmost care, the vast majority are not. This includes apps that make their way onto Google Play and App Stores.

While seemingly harmless, these apps can easily be compromised. This can be done either by developers themselves or by malicious third parties through vulnerabilities in the app’s code.
That’s why it’s so important to pay attention to the permissions you’re granting apps (and not just to those apps you would consider to be risky). Regardless of where you find them or how innocent you think they are, there’s always a risk of compromise. As a consumer or a business enabling your employees with corporate mobile devices, you must be proactive and monitor app permissions before they become problematic.

What are app permissions?

Have you ever asked yourself, ‘what are app permissions?’ Chances are you have when different mobile apps ask to “access your personal info” or something similar. It’s vital to understand exactly what app permissions are, when you are notified of them, how you can manage them, and what app permissions to avoid.

App permissions determine what exactly the app you are attempting to download has access to on your device.

For the purposes of this article, we will be focusing on Android app permissions. The most important thing to understand about these app permissions is that they aren’t optional. Unless you make the choice not to download the app, the SDK will receive all of the permissions it requires once it is installed on your device.

In the process of installing an app from the Google Play Store, for example, you will receive a popup on your screen of all the permissions the app will require. It’s becoming increasingly important that you both read through and understand these permissions to know exactly what the app will have access to.

As a business, it’s very difficult to monitor every single permission every app on every device within your mobile estate has access to. In fact, it’s nearly impossible unless you have full visibility into mobile device traffic.

What are the most commonly requested Android app permissions?

Across a global network of devices using Jamf, we analyzed the top 20 permissions requested by Android applications. You may be surprised to hear that 45% of them are considered (by our standards) to be highly risky, which may nudge you to revoke app permissions on Android applications.

The goal of this analysis is, of course, not to say that if an app requests a certain ‘high risk’ permission, it is a malicious app. Some apps request these permissions simply to perform functions that benefit your overall user experience.
The fact remains that by giving an app access to a high-risk facet of the device, you’re opening yourself and your data to the risk of compromise. Take a look at a few on this Android app permissions list:

Other high-risk permissions requested

There are other, not as frequently requested permissions that are essential to keep in mind as a user or a business. Here at Jamf, we consider them to be both highly risky and oftentimes unnecessary to the app’s purpose.
Name: android.permission.CALL_PHONE
Title: “Directly call phone numbers”
Description: Allows the app to call phone numbers without your intervention. This may result in unexpected charges. Note that this doesn’t allow the app to call emergency numbers.
% of apps: 9%
Name: android.permission.RECEIVE_SMS
Title: “Receive text messages”
Description: Allows the app to receive and process SMS messages. This means the app could monitor or delete messages sent to your device without showing them to you.
% of apps: 5%
Name: android.permission.WRITE_CONTACTS
Title: “Modify your contacts”
Description: Allows the app to modify the data about your contacts stored on your phone, including the frequency with which you’ve called, emailed, or communicated in other ways with them. This permission allows apps to delete contact data.
% of apps: 5%
Name: android.permission.READ_SMS
Title: “Read your text messages”
Description: Allows the app to read SMS messages stored on your phone or SIM card. This allows the app to read all messages, regardless of content or confidentiality.
% of apps: 5%
Name: android.permission.READ_CALENDAR
Title: “Read calendar events”
Description: Allows the app to read all calendar events stored on your phone, including those of friends or co-workers. This may allow the app to share or save your calendar data, regardless of confidentiality or sensitivity.
% of apps: 4%
Name: android.permission.SEND_SMS
Title: “Send SMS messages”
Description: Allows the app to send SMS messages. This may result in unexpected charges. Malicious apps may cost you money by sending messages without your confirmation.
% of apps: 4%

The verdict

While these permissions for Android apps may seem somewhat obscure because they’re requested by fewer than 10% of apps, it’s important to keep in mind that this analysis is based on data pulled from apps that are currently installed on devices within the Jamf global network.
In other words, these permissions are currently enabled on real-world corporate devices and can be taken advantage of at any time. This absolutely heightens the risk of data breaches and malicious third-party exploitation for organizations.

Weighing the pros and cons

The above analysis clearly illustrates the fact that permissions are not something to scoff at nor ignore when downloading apps.

Visibility is the most important thing when it comes to evaluating the safety of apps and what exactly you’re giving up when you hit accept. Sometimes, however, that new app just isn’t worth the potential cost.

For businesses, however, visibility isn’t as easy. You can’t monitor every app your employees are downloading every day. That’s where Jamf's App Insights feature comes into play. The App Insights report from Jamf presents admins with a 360-degree view of apps installed across the mobile fleet. Not only that, but it also gives a detailed view of the permissions required by each of these apps, which will help you determine which app permissions to avoid. As an admin, this makes it easy to evaluate what high-risk permissions exist on what devices and take the necessary action required to ensure mobile app security.

We hope this look into Android app permissions helped to answer what app permissions are. More importantly than what app permissions are, which you should avoid and which are simply there to enhance your experience using the app.

Michelle Base-Bursey
Jamf
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.