Communication and social apps such as WhatsApp, Facebook, and Instagram are some of the most data-hungry apps. There may be 41 “dangerous” permissions that could affect user privacy or core phone functions.
This finding comes from Cybernews, which investigated 50 of the most popular Android apps. The results show that these apps threaten privacy by requesting too many dangerous permissions.
The worst offender was found to be the MyJio app, which asks for 29 permissions. The MyJio app offers payments, cloud storage, TV streaming, and other services. The app requests permissions that check almost all the boxes: location, activity recognition, radios, camera, microphone, calendar and file access, and others.
WhatsApp takes second place, requiring 26 permissions. Google Messages and WhatsApp Business are next, requesting 23 dangerous permissions each, followed by social networks Facebook (22) and Instagram (19).
In contrast, the game app Among Us required zero dangerous permissions. Candy Crush Saga and 8 Ball Pool asked for only 1 or 2 dangerous permissions, mostly for pushing notifications.
Overall, communication and social apps are most hungry for data: communication apps requested an average of nearly 19 permissions, while social apps averaged 17.2 dangerous permissions.
Shopping apps request an average of 13.4 dangerous permissions, and AliExpress requires 16. Furthermore, all shopping apps will ask to access the camera and fine location, post notifications, and read and write to storage. Excessive permissions, such as access to phone state, audio or contacts, are not essential for shopping, but pose significant privacy risks if misused.
Almost all analyzed apps (47) ask users for permission to post notifications. While this permission might seem innocuous at first glance, it can be exploited in several ways.
“The simplest exploit of notifications, often abused by malicious apps, is to bombard users with unwanted ads, phishing links, or even misinformation. However, due to the implementation of this system, notifications were previously exploited by commercial spyware vendors for tracking users,” security researcher Mantas Kasiliauskis tells Digital Journal.
The second most requested dangerous permission is access to storage outside the app’s directory. In total, 40 apps ask permission to write and 34 to read files from external storage. This means they could access an ID picture that you stored on your device, Kasiliauskis explains.
“These permissions are essential when you need to upload media to your profile, share stories on social media, store photos or videos. Without them, Instagram can’t access your photos, your messaging app can’t save documents, or your photo editing app can’t store your creations. However, these permissions are also considered high-risk. The app should clearly explain why it needs this access to user data,” Kasiliauskis details.
Further, Kasiliauskis finds, malicious actors could exploit access to storage to exfiltrate or compromise files, such as photos, videos, documents, and other private information.
Access to the camera and recording audio are the next most requested permissions, with 33 apps asking for them. Camera access is integral to some apps’ functionality, allowing them to capture and share photos. Recording audio is required to provide voice messaging and other features. Those could also be abused by malicious actors, spies, and even advertising companies trying to target their ads better.
The “Get accounts” permission, requested by 27 apps, allows streamlined sign-in with Google and account syncing. However, malicious actors have abused social login features in the past to hijack accounts.
More than half (26) of the apps would also like to track precise (fine) location, meaning they can pinpoint user location within a few meters (10 feet). The same number of apps want to read contacts.
“Tracking your whereabouts is highly sensitive and invasive. While it is essential for location-based services, such as Google Maps, many other apps and games ask for a fine location simply because this data is valuable to advertisers to deliver personalized ads,” Kasiliauskis observes.
Kasiliauskis adds: “The same can be said for reading contacts, as those often include sensitive personal information, including phone numbers, email addresses, and names.”
Twenty-two apps also ask to read your phone state. “This is a particularly sensitive permission, granting access to critical information about the phone’s state and its interactions with the networks, such as phone number, current cellular network information, ongoing calls, and unique ID of the device,” Kasiliauskis warns.