App Permissions And Security Explained

November 26, 2021

App Permissions And Security Explained

Android app permissions allow apps to access your phone, camera, microphone, private messaging, conversations, photos and more. App permission requests pop up the first time an app needs access to sensitive hardware or data on your phone or tablet and are usually privacy-related.

Anytime you install an app from Google Play, you’ll likely see an app permission request. For example, a camera app will require permission to access your phone’s camera in order to take photos.

While Apple, And Google update their respective app store listings to limit malicious applications to a certain extent, Symantec highlighted the fact that many apps can compromise user privacy. A new study by Symantec found that many apps on Google Play as well as Apple App Store ask for permissions and have excessive access to users’ personal information.

Symantec has written a series of blog posts detailing how personal information can be gathered by different apps and how fraudulent apps on Google Play include aggressive advertising.

Symantec found that four percent of Android apps and three per cent of iOS apps that requested risky permissions did not have privacy policies. Only a small percentage of apps use certificate pinning at login to protect against attackers intercepting communications that are supposedly secure. Eight percent of Android apps, and eleven percent of iOS apps, were found to lack certificate pinning. It was also discovered that certain apps, even if they have privacy policies, can make it difficult for users to track what consents to. Apps that integrate third-party apps can make things more complicated.

“40 percent of Android apps that need risky permissions have links to third party apps. Either to normal app functionality or they where interrupted by advertisements, or links to third party other apps. this provided disrupts normal functionality (e.g. purchase links to seller websites). Symantec reported that 16 percent of iOS apps that have to be granted risky permissions contain links to third party apps.

Before installing the app, users are advised to review the privacy policies and the permissions. Both iOS and Android offer the ability to delete unnecessary permissions through system settings. Google has made Android’s Permissions option available. This can be found in the Settings menu. You can delete unnecessary permissions from your device by going to Settings, then selecting the Privacy option.

Types of Permissions

Android allows you to categorize permissions into different types. These include runtime permissions and install-time permissions. The type of each permission indicates the restricted data your app can access and the restricted actions your app can perform when granted permission by the system.

Permissions for installation

A list of install-time permissions for an app, which is displayed in an app store.
Install-time permissions allow your app limited access data and allows your app to perform restricted actions that have minimal impact on the system or other applications.

Your phone automatically grants permissions to your app when the user installs it if you have installed install-time permissions. The user will see an app’s details page and receive an install-time permission notice from the app store. Android phones has several types of install-time permissions. These include signature permissions as well as normal permissions.

Normal permission.

These permissions give access to data and other actions beyond the app’s sandbox. The data and actions pose very little risk to privacy and allow for the operation of other apps.
The system assigns “normal” protection to normal permissions as indicated on the permissions reference page.

Signature permissions.

If an app declares a signature authorization that another app has defined and the certificates of both apps are signed, the system will grant permission to the first app at installation time. The permission cannot be granted to the first app if it is not.

Permissions for runtime

A prompt for system permission when an app asks for runtime permission.
Runtime permissions (also known as dangerous permissions) give your app more access to restricted data. They allow your app to perform restricted activities that have a greater impact on the system than other apps. Request runtime permissions from your app to access restricted data and perform restricted actions.

Many runtime permissions have access to private data. This is a special kind of restricted data that can contain sensitive information. Private user data includes contact information and location.
Camera and microphone are given access to this type of sensitive information. The system allows you to explain why your app uses this information.
The system assigns runtime permissions the “dangerous protection level”,.

Permissions for special purposes

App operations require special permissions. Only the OEMs and platform can set special permissions. Moreover, OEMs and platforms often define special permissions as a warning to prevent access to certain powerful actions such as drawing over other applications.
A set of user-toggleable operations can be found on the Special App Access page. Many of these operations can be implemented using special permissions.
Each special permission comes with its own implementation details. You can find the permissions API page with instructions on how to use each permission. Special permissions are protected by the system’s “appop”.

Best practices

App permissions are built upon security features to help devices achieve the following goals regarding user privacy they are:
• Having control over data they share with other apps.
• Transparency The user can understand what data is used by and why the app has accesses to these data.
• Data minimization is the permission only the app have accesses to the data required to perform a task or take an action.

This section outlines a few core best practices to use permissions in your app.
You can request a minimum number of permissions
Your app should only request permissions to perform a specific action when a user requests it.
Depending on the way you use permissions, there may be an alternate way to fulfill your app’s use case.
Associate runtime permissions to specific actions.
As soon as possible, request permissions to your app’s use cases.
If your app allows users send audio messages to other people, wait until they have navigated to the messaging screen, and then press the Send audio message buttons. Your app will then be able to request access the microphone after the user presses this button.

We hope this article gave more understanding.

Posted in blog
Write a comment