The Next Web’s Ben Woods noticed the hugely excessive number of access attempts this week. The reworked permissions model in Android M Marshmallow allow users to see exactly how many times an app accesses a specific hardware or software feature as part of its more detailed control set.
Most Android apps will request access to some extra permissions when they are installed. They could range from using the microphone and camera to being able to control system functions. More often than not, these permissions must be granted so all the app’s features can run but the prompt at install time provides an easy gate-keeper approach to security.
The system is implemented as an early warning system for anything that looks suspicious. If a simple clock or stopwatch app requests access to your messages and network then that may be a sign that in the background it is doing something rather more sinister than displaying the time.
WhatsApp’s extensive feature list means it requests a lot of Android permissions. They include Wi-Fi information, microphone, camera, media and storage access, the ability to monitor location, messages and phone calls and, importantly in this instance, the privilege to access a user’s contacts.
Most of those permissions are infrequently used. Woods’ screenshot shows location was accessed 26 times during the 7-day period, a reasonable-sounding figure that amounts to around three requests per day while using the app. However, 23,709 reads of his contact list is less explainable, even by WhatsApp itself.
The company didn’t respond to Woods’ “multiple” requests for comment in the past week when asked why its app looked at his contacts 3,387 times a day on average. That’s twice per minute every day, even when the app isn’t open.
It isn’t at all clear why WhatsApp is using the contacts list so frequently. Woods speculates it could be polling the entire list every time the app is opened or a message is received or sent. It could even take another look whenever a contact comes online to cross-reference them with your local list. Even with all of these factors considered, 23,700 requests in a week still seems to be an excessively large number.
The large number of reads are likely to impact on more than just privacy. Each time it takes another look, the phone is having to do work and use up battery power, even when it is locked. Ordinarily, this wouldn’t be too great an issue but it all adds up when one app is using one feature 3,300 times a day. Woods notes that rival messaging app Facebook Messenger hasn’t used a single granted permission during the same seven-day period.
Because WhatsApp is a respectable app used by 900 million people worldwide, it can be assumed it isn’t intentionally acting maliciously here. The issue could be caused by a bug that is making it read the contacts list more often than it should but it’s hard to tell when the company has consistently refused to comment on what appears to be a very reasonable question.
