We purchase and download apps, giving them endless permissions without hesitation so we can access all the flashy functionality they have to offer. But at what cost? It’s time to stop and read the fine print on iOS app permissions.
How do iOS app permissions work?
iOS app permissions allow you to streamline activity like automatically tagging photos with your physical location on Instagram or finding nearby restaurant options on Google Maps. Although you probably appreciate the convenience of an app having access to your private data, you should have control over it.
When it comes to personal information on iPhones, apps are required to request your permission to access it and explain why they need it. Personal information in this context includes things like current location, calendars, contact information, photos, and more. Apps usually ask for this level of access to improve functionality but sometimes it’s without any justification at all. This becomes an issue when sloppy development leads to bugs that leak data putting your privacy and security at risk. This is why it’s best to limit when apps collect this data.
To better understand the current state of iOS app permissions, we analyzed a sample of 30,000 unique apps that are most commonly installed within our network of corporate devices to find out more about what they are requesting.
What are the most frequently requested iOS app permissions?
- ‘Photo Library’ is requested by 62% of apps
- ‘Camera’ is requested by 55% of the apps
- ‘Location When In Use’ is requested by 51% of the apps
It’s no surprise that the majority of apps take advantage of Apple’s impressive camera technology, especially with the proliferation of social media apps like Facebook, Instagram, and Snapchat. Employees are increasingly using their smartphone cameras to take pictures of whiteboards in meetings. This puts sensitive corporate information like product roadmaps into their photo libraries. The camera is also commonly used for one-time use profile set-up to make it quick and easy to import profile pictures, scan QR codes and upload credit card information for example. The issue with these one-time use cases is, you may grant an app like Uber access to your camera or photo library to upload a profile picture or credit card information and then forget about it, leaving that access open at all times.
Which iOS app permissions are the riskiest?
The following permissions are classified by Wandera as ‘high risk’ and there is a large portion of apps requesting them. Think about the functionality of your favorite apps – like maps, rideshare apps, and social media – they would be practically useless without allowing this “risky” access. It’s an unfortunate battle between privacy and convenience.
|Permission||Risk level||Percentage of apps|
In July 2019, FaceApp, a Russian app that adds an aging filter to your selfies, sparked concern about its access to users’ photo libraries. According to this article, the app can access a single photo even if the user has set the app’s access to their photo library to ‘never’. This is due to an Apple API introduced in iOS 11 and something that many apps use. So it’s not necessarily breaking any rules, but it did draw attention to rampant photo collection by tech giants.
According to a BMJ study of 24 health apps in 2019, 19 of them shared user data with companies, including Facebook, Google, and Amazon. The study warns this data could be passed on to other organizations such as credit agencies or used in targeted advertising.
In 2018, a New York Times investigation into the misuse of location data discovered an app called WeatherBug that was tracking users’ movements and sending that precise location data to 40 different companies to enable their targeted advertising campaigns. This raises concerns over how securely this highly sensitive data is being handled and where it is ending up.
In 2016, Uber released an update that allowed the company to collect users’ location data five minutes after a trip ends and even when the app isn’t being used. In 2017 they removed that controversial feature due to users’ privacy concerns.
In 2015, there was a class action lawsuit against LinkedIn for it’s ‘add contacts’ feature that gave permission to LinkedIn to scrape users’ device contact lists and automatically send out multiple messages on behalf of the user, inviting those contacts to connect.
Even permissions we don’t classify as ‘high risk’ can be misused and therefore deserve careful consideration. The Heart Rate Measurement app found on the App Store claimed to read the user’s heart rate through their fingertip using Touch ID, but it actually used their fingerprint to authorize a transaction for $89.99 while dimming the screen to add confusion.
How many iOS app permissions are usually requested?
- Most apps request 5 or less permissions
- When apps prompt for permissions they typically request 3-4
Apple treats app permissions differently to Google. While Android app permissions cover a vast list of device functions (e.g., view network connections, pair Bluetooth devices, and run at startup), iOS app permissions only include those that access your personal information, so the list is much shorter. On iOS, functions like accessing the internet and Siri aren’t considered permissions. This may explain why 17% of iOS apps ask for no permissions at all.
Which app categories are the most hungry for permissions?
- Apps that fall in the Social Network category ask for the most permissions, requesting 4.96 on average
- Weather is close behind with 4.73 permissions on average
- Shopping (4.5), Health & Fitness (4.48), and Finance (4.37) apps are also at the top of the list
Below is an overview of the permissions requested by each app category. The percentage indicates what portion of apps per category contained the specific permission:
- 62% of apps in the Social Networking category request ‘Location When In Use’
- 76% of apps in the Shopping category request ‘Photo Library’ and 40% request ‘Location Always’
- 62% of apps in the Weather category ask for ‘Photo Library’
Do paid and free apps request a similar number of permissions?
Of the apps analyzed, 95% are free and 5% are paid. More than a quarter of the paid apps request no permissions, whereas only 15% of the free ones ask for no permissions. There is no clear reason why paid apps seem to be less likely to ask for access to personal data than free apps, but one theory could be that app developers are looking for some sort of exchange. With paid apps, we exchange money for access to the app, whereas with “free” apps, we’re exchanging personal data for the app. This data could then be sold to data brokers who make money for selling the information. With that data in the wrong hands, that free app might actually cost us a lot.
It might also be the nature of paid apps – their value exchange is usually to provide information or entertainment and therefore don’t require access to your personal data in order to function – like video games and podcast apps for example.
In order to minimize the risk of having your sensitive information exposed to unwanted parties, we recommend the following precautions:
- Regularly check your app permission settings. Do this by going to Settings > Privacy and check under each permission category for apps that don’t need that specific access to function
- Read the purpose string or usage description string carefully when a permission request pops up. Developers are required by Apple to explain to the user why a certain app permission is needed
- Delete apps you no longer use to minimize the risk of bugs appearing in old or abandoned apps. There is an iOS feature available that will automatically offload unused apps after a period of time. Activate it by going to Settings > General > iPhone Storage > Offload Unused Apps