50 popular Android apps tested: they ask for too many dangerous permissions
September 2024 by Cybernews research team
The Cybernews research team investigated 50 of the most popular Android apps. The results show that these apps threaten your privacy by requesting too many dangerous permissions. According to the data presented by the researchers, communication and social apps such as WhatsApp, Facebook, and Instagram are some of the most data-hungry apps.
There may be 41 “dangerous” permissions that could affect user privacy or core phone functions. The Cybernews research team has discovered that a user’s location, files, or camera aren’t enough for many top Android apps, which require 11 dangerous permissions on average.
Which apps ask for the most dangerous permissions?
According to the research, the MyJio app, which offers payments, cloud storage, TV streaming, and other services, requests permissions that check almost all the boxes: location, activity recognition, radios, camera, microphone, calendar and file access, and others. In total, the app asks for 29 permissions, claiming the number one spot in the list.
WhatsApp takes second place, requiring 26 permissions. Many Android phones include the Truecaller: Caller ID & Block – a caller ID checking and spam call blocking app. It asks for a total of 24 dangerous permissions.
Google Messages and WhatsApp Business are next, requesting 23 dangerous permissions each, followed by social networks Facebook (22) and Instagram (19).
On the other hand, one app – Among Us, a multiplayer game – required zero dangerous permissions. Candy Crush Saga, 8 Ball Pool, and other popular gaming apps often only asked for 1 or 2 dangerous permissions, mostly for pushing notifications. However, fewer permissions don’t necessarily mean the app is safer.
The most requested permissions
Almost all analyzed apps (47) ask users for permission to post notifications. While this permission might seem innocuous at first glance, it can be exploited in several ways.
“The simplest exploit of notifications, often abused by malicious apps, is to bombard users with unwanted ads, phishing links, or even misinformation. However, due to the implementation of this system, notifications were previously exploited by commercial spyware vendors for tracking users,” said security researcher Mantas Kasiliauskis.
The second most requested dangerous permission is access to storage outside the app’s directory. In total, 40 apps ask permission to write and 34 to read files from external storage. This means they could access an ID picture that you stored on your device.
“These permissions are essential when you need to upload media to your profile, share stories on social media, store photos or videos. Without them, Instagram can’t access your photos, your messaging app can’t save documents, or your photo editing app can’t store your creations. However, these permissions are also considered high-risk. The app should clearly explain why it needs this access to user data,” Kasiliauskis said.
Malicious actors could exploit access to storage to exfiltrate or compromise files, such as photos, videos, documents, and other private information.
Access to the camera and recording audio are the next most requested permissions, with 33 apps asking for them. Camera access is integral to some apps’ functionality, allowing them to capture and share photos. Recording audio is required to provide voice messaging and other features. Those could also be abused by malicious actors, spies, and even advertising companies trying to target their ads better.
The “Get accounts” permission, requested by 27 apps, allows streamlined sign-in with Google and account syncing. However, malicious actors have abused social login features in the past to hijack accounts.
More than half (26) of the apps would also like to track precise (fine) location, meaning they can pinpoint user location within a few meters (10 feet). The same number of apps want to read contacts.
“Tracking your whereabouts is highly sensitive and invasive. While it is essential for location-based services, such as Google Maps, many other apps and games ask for a fine location simply because this data is valuable to advertisers to deliver personalized ads,” Kasiliauskis said.
“The same can be said for reading contacts, as those often include sensitive personal information, including phone numbers, email addresses, and names.”
Out of 50 apps Cybernews analyzed, 22 want “Bluetooth connect” access, meaning the app can pair with devices and potentially exchange data with them. Twenty-two apps also ask to read your phone state.
“This is a particularly sensitive permission, granting access to critical information about the phone’s state and its interactions with the networks, such as phone number, current cellular network information, ongoing calls, and unique ID of the device,” Kasiliauskis said.
Communication and social apps are most hungry for data
Of the 50 apps analyzed, nine belong to the communication category, and five are social networks. These categories were the most data-hungry. Communication apps requested an average of nearly 19 permissions, while social apps averaged 17.2 dangerous permissions.
All communication apps access cameras and files, and most record audio, track location data, read contacts and phone state, and get accounts.
“Permissions can be justified when they relate to core functionalities like messaging, voice, and video calls. The lines start to blur when an app asks to manage calls, access phone state, and precise location without clear benefits,” the researcher said.
Even for reputable apps, Kasiliauskis suggests avoiding granting permissions for reading call logs and contacts if not necessary.
Games ask for fewer permissions, but are they all truly necessary?
The analyzed list includes 19 gaming apps, which averaged only four dangerous permissions per app. However, the discrepancies among them are considerable, with some requiring a dozen permissions and some – zero.
Most of the games (16) want to post notifications. Ten games will ask permission to write data to external storage, and nine wish to read the data.
Eight games ask permission to record audio, and seven will try to access the camera. Some games even ask to write to the calendar (3), read phone state (3), and access fine location data.
Among the analyzed games, Mobile Legends: Bang Bang (12 permissions), PubG Mobile (11), and My Talking Angela (7) were the most data-hungry.
How many permissions does a shopping app require?
Shopping apps request an average of 13.4 dangerous permissions. While Lazada and AliExpress require 16-17 permissions, Wish only needs seven. All apps will ask to access the camera and fine location, post notifications, and read and write to storage. However, only some will ask for Bluetooth access, to record audio, and to read phone state, calendars, and contacts.
“Excessive permissions, such as access to phone state, audio or contacts, are not essential for shopping, but pose significant privacy risks if misused,” Kasiliauskis noted.
Methodology
The Cybernews research team selected 50 of the most popular apps on the Google Play Store and analyzed their Manifest files to determine what dangerous permissions the apps are requesting. Every Android app has a Manifest, which is a rule book telling the device what the app can access. In total, there may be 41 “dangerous” permissions that could affect user privacy or core phone functions.
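The manifest check described in the methodology can be reproduced for a single app. The following is an added example, not the Cybernews team's tooling: it assumes the manifest has already been decoded to text XML, the `DANGEROUS` set is only the subset of permissions this article names (not the full list of 41), and the function name and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Subset of Android's dangerous (runtime) permissions: the ones the article
# names. Not the full list of 41 the researchers checked against.
DANGEROUS = {
    "POST_NOTIFICATIONS", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "CAMERA", "RECORD_AUDIO", "GET_ACCOUNTS", "ACCESS_FINE_LOCATION",
    "READ_CONTACTS", "BLUETOOTH_CONNECT", "READ_PHONE_STATE",
    "ACTIVITY_RECOGNITION", "READ_CALENDAR", "WRITE_CALENDAR", "READ_CALL_LOG",
}

def dangerous_permissions(manifest_xml, device_sdk=None):
    """Return the sorted dangerous permissions a decoded manifest requests.

    If device_sdk is given, requests capped by android:maxSdkVersion below
    that API level are skipped, since they do not apply on that device.
    """
    root = ET.fromstring(manifest_xml)
    found = set()  # a set, so duplicate declarations are counted once
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            max_sdk = el.get(ANDROID_NS + "maxSdkVersion")
            if device_sdk is not None and max_sdk and int(max_sdk) < device_sdk:
                continue
            if name.startswith(PREFIX) and name[len(PREFIX):] in DANGEROUS:
                found.add(name[len(PREFIX):])
    return sorted(found)

# Constructed sample manifest for a hypothetical app (not one of the 50).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
      android:maxSdkVersion="28"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    perms = dangerous_permissions(SAMPLE)
    print(len(perms), perms)
    print(dangerous_permissions(SAMPLE, device_sdk=34))
```

The manifest inside an APK is stored in a binary XML format, so it has to be decoded to text (for example with apktool) before a parser like this can read it.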