Your mobile devices, including your iPhone or Android phone, contain a treasure trove of information about you. From personal details like where you bank to private messages and other confidential information like medication reminders or your location history, our phones know everything there is to know about us.
In recent years, Apple and Google have improved the privacy controls baked into iOS and Android. These can be used to limit the amount of personal data an app has access to at any given time.
iOS 14, and Android 11, both recently released, now have a number of new changes that make application privacy permissions much more granularized and personal. However, it can be daunting to understand how to use and manage them. Let's quickly review the main controls now, so you can get the most out of security and privacy on your mobile device.
iOS 14 and iPadOS 14
Application Privacy is accessed in iOS (and iPadOS) by going into Settings > Privacy.
Privacy in iOS is grouped under Location Services or Tracking (which is a new addition in iOS 14). There are also specific application privileges assigned to specific System Services.
Location services use GPS, Bluetooth, crowd-sourced Wi-Fi hotspots, and cell tower locations to determine your approximate location. Many apps can query any or all these things and send this data back to the application's cloud servers. For some applications, you need this to function at a basic level, such as for navigation or transportation apps like Google Maps, Apple Maps, Waze, Uber, and Lyft. Others such as Yelp and food delivery apps like Postmates or Grubhub need this data to serve you relevant businesses in your proximity. Yet others, like Facebook, use this data not just to serve you geo-relevant information but also to monetize it for their own gain.
Location services can be enabled on an app-by-app basis, or it can be disabled entirely. For each application, you can select:
Never prohibits applications from using Location services.
Ask Next Time requires applications to prompt every time they need to use location services, and permits you to choose "allow once" when the app requests location data.
While Using the App allows applications to use location services when the program itself is in use in the foreground.
Always allows the app to have access to location services if it is in the background or quiesced.
Tracking (which is a new feature as of iOS 14) is either enabled or disabled via "Allow Apps to Request to Track." This lets them use an identifier, which can be used to combine your activity across apps and websites that an application developer may use. If you disable this, some functionality and integration might not work.
System Service level privileges are also assigned on an application basis for your contacts list, calendar, reminders, Photo Stream, Bluetooth, network, microphone, speech recognition, camera, Health counters, research sensors, Homekit, media, files, and motion/fitness. All the specific system services that are accessible for each app can be found within the settings menu for each app in the Settings application/icon itself. So, for example, Facebook's access settings are under Settings > Facebook.
Users of iOS 14 may notice a new prompt by the Facebook app to access the Local Area Network. This is one of the few iOS apps that make this request, and it isn't required in order for the app to function.
In addition to denying this in a new prompt that the Facebook app is initiating, this can be disabled in Facebook's individual application settings:
Additionally, new in iOS 14, precise location can be toggled on or off in an application's access settings. If you only want Facebook to have a more generalized understanding of where you are located (such as at a town or city level), versus precise GPS coordinates, it can be done in the settings for that app, as shown in this screen, located in Settings > Facebook > Location.
Most of the access to system services work using a toggle of allowing/disallow -- except Photostream, which, under iOS 14, can now be Selected Photos, All Photos, or None. Selected Photos permit you to choose specific images that an application has access to, and if you want to add more photos, you'll need to restart the App to select more.
Additionally, the list of Health counters, which applications can have access to, are listed under Privacy > Health. In this menu, you can find a list of apps that query specific health counters, and you can permit or deny each of these as needed. This menu also lists various Research studies that you may be subscribed to by Apple Research if you are participating in any and what specific Health counters are being read.
There are also settings for Analytics and Improvements and also Apple Advertising.
There are multiple toggles under Analytics and Improvements, which are all telemetry type settings for Apple itself so that it can improve its products. Turning these off does not degrade your personal experience; the metadata that is collected is anonymized for such things as improving Siri's accuracy and understanding how you use Apple's products so it can prioritize its software development. Similarly, Apple Advertising is used to personalize ad suggestions when using the App Store or other Apple apps that can serve you ad content from its advertising network.
Android 10 and 11
Privacy settings for Android are typically found in Settings, usually under a Privacy section, similar to the way it is implemented in iOS. The location of this menu varies because each Android device maker makes its own UX tweaks. Normally, you can just search the Settings app for "Privacy" to find the right spot. You'll notice in the screenshot below Location is a separate menu from Privacy.
The Permissions Manager section is where you'll find every system service that an application can request access to and that you have to approve access to -- this includes location, camera, storage, phone, microphone, contacts, SMS, call logs, calendar, and others. You can go through each section to view which apps have requested access to that particular data and view whether or not you approved or denied its access.
Some apps on Android ask for Accessibility Special Access, giving them broader access to your data. For example, using 1Password and its ability to fill in passwords or forms in apps means you'll need to grant it full accessibility special access. This also includes apps that need to do video overlays on top of other applications, such as the Chat Heads feature of Facebook Messenger.
Depending on which Android device manufacturer you have, the Special Access menu may be located in any number of areas on your device, but it can frequently be found in Settings > Apps > Menu > Special Access (especially on Samsung devices). On the Pixel's implementation of Android 11, it is located in Settings > Apps and Notifications > Special app access. On other devices and older versions of Android, it might be located in Settings > Apps > Apps > Triple Dot menu button > Specialaccess. It can also be found if you search on "Special" in the Settings menu and choose Special access.
The first time you open an app, you're almost immediately asked to grant several different permissions. Pay close attention to these requests! You don't have to grant any of them, and for things like location, you can select to allow the app only to have access:
All the Time
Only when using the App
If you'd rather view your permissions for each app, open Settings > Apps (on some devices, there's another layer of Apps below that, or it might be under Settings > App Management > App List or similar). Tap on the app you want to view, then change any of its privacy category settings.
As with iOS 14, Android 11 is adding new privacy controls, too. Specifically, users will have more control over their data and can even grant one-time access to your microphone, camera, and location. Another cool privacy feature in Android 11 is that, if the phone detects you haven't used an app for a while, it will automatically reset all of its permissions. The next time you open the app, you'll need to approve its permission requests once again.