App permissions: We are our worst enemy

The recent disclosure that iOS allows apps to send personal contact lists to the developer's servers without permission created a justified uproar. Unfortunately users are the real culprits.
Written by James Kendrick, Contributor

The recent discovery that the Path app was uploading users' entire contact lists to the company's servers riled up the tech community. The uproar escalated quickly to outrage with the admission that iOS allows this to happen without asking the user for permission. The tech press questioned how that could happen with the importance of privacy and security in this day and age. While the Path situation was quickly defused with the company's apology, followed by the tech press falling on each other like wild dogs, had the app requested permission in advance it wouldn't have made much difference.

Don't misunderstand me, I believe user privacy and the security of apps is of utmost importance. There are too many ways that this can be abused, and the results of abuse can be devastating. All mobile apps should take adequate steps to inform the prospective user exactly what personal information is going to be accessed, and what is going to be done with it. This will keep developers honest with users, and transparent in how their apps are using this information.

Unfortunately, the weakest link in the open disclosure process is us, the end users. Even if we are informed at app installation exactly how the app will tap our information, odds are we'll just approve it and move right along. This happens at the installation of just about every Android app.


Android does a great job forcing app developers to inform the prospective user just what sort of permissions are required and what information the app will access. It also makes the user aware of exactly how the app can take over key areas of the device to perform the tasks needed by the app.

Some Android developers have a CYA approach when it comes to asking for permissions, and have the app ask for far more permissions than the app actually needs. These requests are plainly presented to the user at app install time, and the user has to approve them or abort the installation.

Almost without fail the user gives approval for the app to access virtually every aspect of the device, just to get the app to install. That's if the user even pays attention to the permissions being requested; many don't particularly care. They just hit the button and get on with the app installation.

I am as guilty of this as anyone even though I am usually very careful with my online activities. I take care not to do anything, desktop or mobile, that risks exposing my information or systems to potential bad guys. But like far too many careful people, I admit to installing apps without understanding fully the implications of the permissions the app is requesting. I just want to get on with using the app and hit the button to make that happen.

This is especially the case if an app is being discussed online by people I trust. Obviously they felt comfortable enough to install the app even if they wondered why it needed permission to change user data, so why should I worry? So I hit the button and install the app, never thinking again what it might be doing behind the scenes.

It doesn't help that the Android permissions are not well defined to the user. Just look at the permissions in the screenshot above. Some of the permissions granted to the app don't fully explain what it is doing with the system or my data. That should raise a flag but I installed the app anyway.

Those are the permissions that the Twitter app requested of the system (and me at install time) to run. Yes, Twitter can read and write to my personal contact data and can use my credentials for any account on my system. Worse, it can delete my entire USB storage contents, because I told it that's OK.

Sure, Twitter is a well-known service so it's no problem. But think back to when Twitter was just getting started. The Twitter app was asking for those permissions then, too, and we were all saying OK. The fact is unless an app is questionable to begin with we are all just going to approve any permissions it asks for. We want to get on with using the app and that's that.

It is bad for apps to do things behind the user's back, so asking permission should be mandatory. Even if that happens, we are our own worst enemy and we'll end up approving just about anything it wants to do, even if it sounds fishy.

The next time you install an Android app, pay particular attention to the permissions it is asking you to give it. If it indicates it wants permission to send/receive MMS/SMS messages, ask yourself if that's appropriate for the type of app you are installing. If not, nix the install and get rid of it. Most scams make money through expensive MMS/SMS messages, and most have been given permission by the user to do so up front. Take control over your device.

