Users in Dark about Permissions Granted to Mobile Apps

A report from the UK’s ICO says that permissions given to mobile apps often far exceed what’s necessary, and that privacy policies are hardly apparent to users downloading apps.

It’s no secret that mobile applications are a greedy bunch, often grasping for many more permissions than necessary.

The UK’s Information Commissioner’s Office (ICO) this week released the results of a study conducted by the Global Privacy Enforcement Network (GPEN) that quantified just how bad the problem is and spanked mobile app developers in the process.

The results are a compendium of research conducted by privacy entities in 19 countries. More than 1,200 popular applications were assessed, including most of the top 50 downloaded apps. And the conclusion was unambiguous: Most apps (85 percent) do not explain in clear language to users what information is collected, how it’s collected, or how it’s used and disclosed. More than one-third, meanwhile, ask for excessive permissions such as access to the phone’s location data, device ID, camera, microphone, contacts and more.

Even less transparent to users, the results revealed, is the availability of a privacy policy.

“Mobile devices often have small screens, typically with touch-based interfaces. This can make it more challenging for apps to effectively communicate with app users,” the report said, adding that 43 percent of apps failed to make a policy small-screen friendly. “Consumers’ expectations of convenience can make it undesirable to present a user with a large privacy policy, or a large number of prompts, or both.”

And that applies only to the apps that bothered to present a privacy policy at all; 11 percent of the apps studied did not.

For those that did, the ICO provided guidance for app developers, suggesting they use plain English to describe to users what happens to their personal information and why it’s being requested. It also suggests audience-appropriate language, and the presentation of relevant privacy information before the app is downloaded and installed.

Excessive permissions, meanwhile, have been a thorn in the side of mobile security for some time. The U.S. Federal Trade Commission in May came down hard on more than a dozen health and fitness apps that were sending users’ personal information to 76 different third-party sites. Not only were the apps relaying device data, but also physical metrics and characteristics that the user was unaware of.

Rogue and malicious Android applications are also sneaky about tricking users into agreeing to excessive permissions upon installation. The consequences in those cases, however, can include financial fraud or unwitting participation in a botnet.

Often, users are given an all-or-nothing choice during installation about the permissions and access they grant to applications; the ICO hopes developers will provide users with more granular choices.

“Allow your users to easily review and change their decisions once the app is installed and in use,” the report suggests. “Give them a single and obvious place to go to configure the various settings within the app and give them privacy-friendly defaults. It should be as quick to disable a setting as it was to enable it.”

Discussion

  • Brian m on

    Nothing new here! The whole concept of pre-authorising permissions in Android was wrong. Permission should be requested as the application needs access, with an option to always allow which is then logged or flagged up. That would make people think: why does a compass application want access to my email!
  • Dave F on

    Sure. Flashlight apps are notorious for this – http://appsecnotes.blogspot.com/2012/11/the-audacity-of-your-flashlight-app.html. Agree with Brian’s comment that just-in-time permission makes a lot more sense.