Mobile apps are a privacy nightmare. Some apps are constantly connected to the Internet, and can upload your personal data--such as your private photos or documents--to a remote server without your knowledge or consent. While iOS users can generally depend on Apple's app-curating process to keep their data safe, Android users pretty much have to fend for themselves, left to rely on a cryptic system that doesn't seem to be working.
How Google's Permission System Works
Whenever you download an app from Google Play (the store formerly known as the Android Market), you see an alert that explains what information that app will be able to access once you install it on your phone; for instance, the alert will indicate whether the app needs to access your contacts list, or connect to the Internet. An app cannot use any part of the phone that it does not have permission to access, and the developer sets these permissions when it first submits the app to the Play store.
The Problem With Permissions
While the providing of this information is a good idea in theory, it doesn't work so well in reality. According to Joe Keehnast, a product manager for Norton, very few people actually look through an app's permissions before installing it.
Even if you were to read through the alert, you may not come away with much information: The permissions list can be extremely unclear and unhelpful. An app can request permission to use my network connection, for example, but I'm never sure what it's actually using that connection for. Some security apps, such as Lookout Mobile Security, feature "privacy advisors" that can give you a little more detail as to why an app would request certain permissions. At best, however, that is a workaround for a larger problem. Even with the extra information from security apps, you never see explicit details as to why, say, a browser app wants access to your phone's SMS function.
Confusion aside, the permission system as it is currently designed just does not work. In late February, the New York Times demonstrated an inherent flaw with the Android permission system by building an app that was able to access photos stored on an Android phone and copy them to a remote server. To accomplish that, the app needed only permission to access the Internet.
According to Google, the problem stems from the fact that it originally developed the permission system to work with devices that stored photos on the removable memory card. Now that phones store photos on the built-in storage, Google's permission system no longer works as the company originally intended.
What to Look For
Though app permissions are by no means clear, you can look for a couple of red flags. Almost every app asks for access to the Internet (usually for ads), but very few should request permission to access your phone calls or your messages. A malicious app with permission to make calls or send messages can cost you big by dialing certain phone numbers or by sending out premium text messages without your knowledge. The only apps that should have access to your phone calls or text messages are security apps and communication apps such as Google Voice. If a game asks for permission to access your text messages, do not download it.
Some app developers will list what their programs use each permission for. The developer of the Any.Do task-managing app, for instance, has a FAQ page that explains each of its requested permissions. It's really helpful to be able to see why an app needs access to your contacts or hardware controls. If an app developer doesn't explain why it is requesting certain permissions, send the developer an email; the Google Play app gives you each developer's basic contact information, and you can drop the app creators a line in case you have any questions. If a developer doesn't respond, and you can't find anything more about the developer or the app online, avoid them. It's better to forgo an app than to install it only to find out that it has taken over your phone.
It should go without saying, but the situation needs to change. Google must revamp the permission system so that it is easier to understand, and app developers have to clearly explain what their apps can access--and why. But until that day comes, it's important for you to keep questioning whether each app really needs access to all parts of your phone.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.