HackDig : Dig high-quality web security articles

App permissions – your last best hope for privacy

2015-09-09 06:45

We have written a lot about how companies treat you as an asset. A source of data that can be monetized in a variety of ways. Spotify did recently change their terms and ensured that this topic stays in the headlines. They want to collect information stored on your mobile device, such as contacts, photos and media files. No thanks! My Spotify app plays music just nicely even if it doesn’t have access to pictures and contacts. And their new terms did backfire big time! Spotify’s response: Sorry!

Spotify is not the only one. A lot of companies are dependent on user data, from Facebook and Google to utility developers. So this is really a significant privacy challenge.

But we have privacy legislation. It’s supposed to protect us and set limits for what data Spotify et al can scoop up and how they can use it. Right? Well, that line of defense has unfortunately fallen already. Yes, there is legislation. But it’s your data and you can decide what to do with it. You are free to sign away your rights to it, and that is utilized by many companies. I bet you have signed a lot of user agreements without reading the fine print legalese. That’s where you disable most of the protection the law could have offered.

But there is fortunately a second line of defense, and it’s much stronger. Your Spotify app can only upload data it has access to. Mobile operating systems, like iOS and Android, were designed during an era when we already were aware of the privacy threats. They have several security benefits over desktop systems, but the app permissions is definitively one of the most important. In short, it means that apps you install can’t access everything on the device by default. They must ask for permissions, and you can decide what data and functions a certain app shall have access to. This is your last best hope to keep your private data private. So you better learn the importance of app permissions!

They are fortunately very easy to use. And you have already used them. After installing you almost always get a prompt telling that the new app want permission to do something. The most important advice is to stop and think at this point! Don’t let these app permissions be just another boring thing you click through. Your last line of privacy defense falls if you do that.

Common sense is enough to use app permissions. Just think about what the app is supposed to do. In Spotify I search for music or start a playlist. Neither action is depending on where I am, so the Spotify app has no real need to access my location. An app that helps me call the emergency number is a totally different cup of tea. It can upload my exact location to the operator, and that is as a matter of fact the main reason for implementing it as an app. So it is natural that this app has a legit reason to access my location. And neither of those apps need to paw through my contacts, so any request to access contacts should be denied. This is the kind of thinking you need to learn.

iPhone is currently better on app permissions than Android. Android apps declare what they want and you can review the list before installing the app. That sounds great, but is not so good in practice. The main problem is that it is take it or leave it for you. Your only option is to reject the whole list if you dislike one thing the app want to do, which usually means that the app refuse to install. App developers can sneak in a lot of extra permissions because rejecting the list isn’t a true option in most cases. Android app permissions have actually become just like user license agreements, only a few pay any attention to them.

iPhone is smarter. Apps install without any questions about permissions. But the system asks the user when the app tries to access restricted content. The app can’t pressure the user to grant unnecessary permissions by threatening to not install at all. And the user has granular control over permissions, it’s not take it or leave it. Every sensitive content or service is handled separately. This is clearly a better approach. Actually so much better that the next Android, Marshmallow, will copy this system.

Moral of the story. App permissions is your friend. And you definitively need allies to help protecting your privacy.

 

Safe surfing,

Micke

 

My Facebook permissions. Location is a no-no. And I don't want to shoot pictures from the app. But access to the photos is needed to post shots.

My Facebook permissions. Location is a no-no. And I don’t want to shoot pictures from the app. But access to the photos is needed to post shots.

 

 

Pictures: twitter.com and iPhone screenshots

 

 

 

 

 

 



Source: /ycavirp-rof-epoh-tseb-tsal-ruoy-snoissimrep-ppa/90/90/5102/moc.eruces-f.yvvasdnaefas

Read:530745 | Comments:0 | Tags:Mobile Phone Privacy Android app app permissions apps big da

“App permissions – your last best hope for privacy”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)
Tell me why you support me <3

Tag Cloud