Facebook got into hot water recently after two separate discoveries that it grossly violated privacy through the data-collection practices of its mobile app. First, TechCrunch found that Facebook paid users to share very sensitive data via a “research” app that had root access to network traffic. The app collected data such as apps installed on the device and how and when they’re used, and browsing activities including encrypted content.

Then, shortly after, the Wall Street Journal revealed how various third-party apps shared their collected sensitive information with Facebook. The apps — among them health apps, as well as popular apps with millions of users — transmitted the highly personal information unbeknownst to users. In one case, the app even stated in its privacy policy that it didn’t share the data with a third party.

Unfortunately, these kinds of consumer privacy incidents are not unique. Mobile app developers are becoming more audacious, both with the permissions they request and with the creative ways to circumvent the few safeguards that exist, such as app stores’ privacy policies for developers.

Even when the intent of the developers is to provide certain convenience and usability, consumers need to be more proactive in what permissions they delegate. It may get a bit tedious but spending a little time to understand app permissions can help individuals control their own privacy a little more, rather than entrusting it to app developers.

What you can do to protect your privacy

You can’t outsmart clever app developers. Someone will always push the envelope with either ridiculous permissions they don’t need or sneaky access without user knowledge. But a few steps can help you limit what you authorize.

Here’s what you can do, in a nutshell:

Get acquainted: Take the time to walk through the app permissions you already gave. Find an online tutorial if you don’t know how. Look for red flags, like access that doesn’t seem related to an app’s functionality.

Snoop around: An obscure permission doesn’t automatically mean it’s not legit. Before you turn off something questionable, do some snooping. Check if the app description in the app store or on the developer’s website explains why it needs this permission, or don’t be shy to contact the developer directly.

Check your sources: There’s a debate about whether third-party stores should be completely avoided. Some third-party app stores are reputable and have strict guidelines, while plenty of malicious or privacy-invading apps make it to the official platform app stores.

But if you prefer a safer bet, stick with the Apple App Store and Google Play — they at least have strict development criteria and try to ensure safer apps. (Whether they’re succeeding is a debate for another time.) If you do decide to venture out and download apps from unofficial stores, an act known as sideloading, make sure to check the reputation of the third-party site and the developer.

Be doubly careful about the apps you install and watch out for red flags like a very high number of downloads in a short release window. This could be a sign of fake downloads.

Read up: People who love to read privacy policies are a rare breed. As painful as it may be to get through all that legalese, it’s one way to know how your collected data will be used. Of course, as some violation incidents have shown, that’s not a guarantee (as the Wall Street Journal reporters found). But it’s another place to look for red flags.

Navigating through permission requests

How you give permission varies for different OS versions. For example, with newer versions of Android, you won’t be asked for permissions at install time. Instead, when an app needs access to a certain feature for the first time, like your camera or location, you’ll get a popup window requesting the permission, with a short explanation of why it needs it.

Unfortunately, those explanations don’t necessarily cover the full extent of how that access will be used, or the data collected as a result. Take a weather app. A request for location data is legit at face value — so you can get weather info for your area — but that location data could also be shared with third-party advertisers.

Once you’ve given permission, you won’t be asked again. So if you change your mind later, you’ll have to dig through the app permission settings to revoke it.

Developers don’t get very detailed in their explanations, so how do you know if disallowing something will impact the functionality of the app? There’s no straightforward or easy answer. If in doubt, deny the permission and see what happens — you’ll know if the feature is essential because your app won’t do what you want.

Using the weather app example, you can deny access to location data and instead use your ZIP code if the app has that option. If it doesn’t, you can always look for a different weather app.

The best thing to do is to consider which permissions may be risky and be selective about which apps you give access to those features. Some apps want excessive access in exchange for limited benefits, so it’s prudent to question whether the specific permission makes sense.

These are the risky permissions, according to Symantec:

  • Location tracking
  • Camera access
  • Audio recording
  • Phone logs access (read)
  • SMS messages access (read)

Here’s what some of these permissions mean:

  • Location tracking: The app can determine where you are based on your GPS and cellular and Wi-Fi network sources
  • Camera access: The app can take photos or videos any time, without asking for confirmation
  • Audio recording: The app can use your microphone and record audio without your confirmation
  • Read phone logs or SMS: The app can access call history and read text messages (SMS access could also mean sending texts in some cases)

A request for one of these permissions could be perfectly safe — the point is that you should be more cautious about it and decide whether you trust this particular app developer with this type of access. The other consideration is whether the developer secures your private data when accessing and transmitting it, so that it doesn’t fall into nefarious hands.
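For readers comfortable with a command line, the "Get acquainted" review can be done across every installed app at once. The script below is an added example, not part of the original article: it reads text in the layout printed by Android's `adb shell dumpsys package` and reports which apps currently hold any of the risky permissions listed above. The mapping from the article's categories to Android permission names, the sample package names and the trimmed sample output are assumptions made for illustration, and the exact dumpsys layout varies between Android versions.

```python
import re

# Assumed mapping from the article's risky categories to Android permission names.
RISKY = {
    "android.permission.ACCESS_FINE_LOCATION": "Location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "Location tracking",
    "android.permission.CAMERA": "Camera access",
    "android.permission.RECORD_AUDIO": "Audio recording",
    "android.permission.READ_CALL_LOG": "Phone logs access (read)",
    "android.permission.READ_SMS": "SMS messages access (read)",
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def risky_grants(dumpsys_text):
    """Return {package: sorted risky categories that are currently granted}."""
    found, pkg = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)  # every permission line below belongs to this app
            continue
        m = PERM_RE.match(line)
        # Count only permissions that are granted now; denied or revoked ones are skipped.
        if m and pkg and m.group(2) == "true" and m.group(1) in RISKY:
            found.setdefault(pkg, set()).add(RISKY[m.group(1)])
    return {p: sorted(c) for p, c in found.items()}

# Constructed sample, trimmed to the lines the parser reads (not real device output).
SAMPLE = """\
Packages:
  Package [com.example.weather] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    User 0: installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for package, categories in sorted(risky_grants(SAMPLE).items()):
        print(f"{package}: {', '.join(categories)}")
```

On a real device, save the output of `adb shell dumpsys package` to a file and pass its contents to `risky_grants`. A weather app that shows up with SMS access, as in the sample, is the kind of mismatch worth revoking in the permission settings.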

Safest bet: ditch it

There’s no such thing as a free app — some just happen to use personal data as currency. Many of us tend to get excited about cool apps that promise to make our lives easier, better, healthier, happier or any other quality you care to name.

It may sound simplistic, but the easiest way to protect your privacy is by being highly selective of the apps you choose. Before every download, ask yourself: is this app worth giving up more of your private life?

Sources

  1. Facebook pays teens to install VPN that spies on them, TechCrunch
  2. You give apps sensitive personal information. Then they tell Facebook, Wall Street Journal
  3. How game apps that captivate kids have been collecting their data, The New York Times
  4. How to control your app permissions, Popular Science
  5. To stay safer on Android, stick with Google Play, The Parallax
  6. Mobile privacy: What do your apps know about you?, Symantec
  7. What are app permissions — a look into Android app permissions, Wandera