App permissions: How to use your Android phone’s first line of defence

Apps dominate our smartphone use, and for good reason. Without them we wouldn’t be able to play the latest games, organise our lives or enjoy the best of social media.

We know that malware targets phones that are under-secured. But apps are so ubiquitous that most of us will download them without a second thought.

And if you allow an app full access to your phone contacts, or allow it to change passwords or alter system settings, you’ve effectively unlocked the back door and invited hackers in to play havoc with your life.

In this guide, we look at the thorny subject of app permissions and how to avoid the pitfalls that could leave your phone vulnerable.

The app market has grown enormously in the last few years. There are around 2.8 million Android apps to choose from, while 2.2 million are available on Apple’s App Store.

Clearly, we love our apps. But if you’re not careful, they can become a digital nightmare, infecting your phone and stealing your data.

What are app permissions?

When you install an app from Google Play Store, you’ll get a pop-up listing all the permissions that the app requires, things such as access to your storage, phone calls, contacts and network communication.

The app needs these to interact with your smartphone.

It is worth knowing that app permissions aren’t requests, they’re demands – refuse the permissions and the app will not work as intended.

In reality, you have little option if you don’t agree with the permissions it wants, other than not installing. It’s usually common sense. If you don’t feel safe, we’d recommend you (digitally) run a mile. You don’t actually have to do any running, happily, but you should stop the download and delete the app.

It is also worth knowing that while Apple’s App Store has stringent criteria for apps to get in, Google’s Play Store is relatively lenient. So as an Android user it is especially important to understand the permissions being demanded by the app.

It’s less likely malware will infect a phone through updates to major, legitimate apps like Facebook or Twitter.

Rule number one

Read the full list of permissions required. It is all too easy to skip through, but it can mean the difference between having your data securely on your phone or in the hands of an unscrupulous app developer or hacker.

There are a few permissions that you should be wary of. Not because they’re necessarily dangerous, but because there could be wide-ranging repercussions if your personal data is leaked.

Rule number two

Be suspicious of apps that require permissions that are not related to what the app offers. Be especially wary when an app asks for permissions like ‘show alerts as system level’ or ‘modify global settings’. Others include ‘interact between users’ and ‘download files without notification’.

Again, it is a choice between the devil you know and the benefits from the app. Most apps will include the permission ‘read phone status and identity’.

While this can be for something simple such as knowing when a phone call is coming in so the app can pause itself, your phone identity can include your device’s International Mobile Equipment Identity (IMEI) number. While this permission is often safe, there is huge potential for malware, so exercise caution.

The permission to ‘review and modify your contacts’ could be because the app is looking to suggest new friends based on people you know. But giving an app unfettered access to your contacts’ data could be a personal data nightmare.

A rough guide is that SMS apps, contact management apps, dialler replacement apps and some social media apps may need one or both of these functions. But apps without any social aspect to them should have no reason to demand them.

Rule number three

Be aware of apps that ask for ‘account-related permissions’. One such is ‘use accounts on device’. If this is granted, the app will not ask again; if the app is malicious, it will be able to do its nefarious business in the background without your knowledge.

‘Create accounts and set passwords’ lets the app authenticate your personal credentials. A malicious app can take advantage to gain passwords by phishing you.
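One way to apply rules two and three to an app that is already installed, as an added example that is not part of the original article: the script reads the "requested permissions" section printed by `adb shell dumpsys package <package>` and flags the permissions the rules single out. The mapping from the article's permission labels to `android.permission.*` constants, the category names, and the sample package `com.example.torch` with its excerpt are assumptions constructed for this example.

```python
# Added example: audit an app's requested permissions against rules two and three.
# Label-to-constant mapping below is this example's assumption, not the article's.
FLAGGED = {
    "android.permission.SYSTEM_ALERT_WINDOW": "rule 2: show alerts at system level",
    "android.permission.WRITE_SETTINGS": "rule 2: modify global settings",
    "android.permission.INTERACT_ACROSS_USERS": "rule 2: interact between users",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "rule 2: download files without notification",
    "android.permission.USE_CREDENTIALS": "rule 3: use accounts on device",
    "android.permission.AUTHENTICATE_ACCOUNTS": "rule 3: create accounts and set passwords",
}
# App types the article says may legitimately need phone identity or contacts.
SOCIAL_TYPES = {"sms", "contacts", "dialler", "social"}
CATEGORY_ONLY = {
    "android.permission.READ_PHONE_STATE": SOCIAL_TYPES,
    "android.permission.READ_CONTACTS": SOCIAL_TYPES,
    "android.permission.WRITE_CONTACTS": SOCIAL_TYPES,
}

def requested_permissions(dumpsys_text):
    """Return the names listed under 'requested permissions:' in dumpsys output."""
    perms, in_section = [], False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
        elif in_section:
            if not stripped or stripped.endswith(":"):
                break  # blank line or next section header ends the list
            perms.append(stripped.split(":", 1)[0])  # drop trailing flags, if any
    return perms

def audit(dumpsys_text, category):
    """Return (permission, reason) pairs worth a second look for this app type."""
    findings = []
    for perm in requested_permissions(dumpsys_text):
        if perm in FLAGGED:
            findings.append((perm, FLAGGED[perm]))
        elif perm in CATEGORY_ONLY and category not in CATEGORY_ONLY[perm]:
            findings.append((perm, f"rule 2: unrelated to a '{category}' app"))
    return findings

# Constructed excerpt modelled on `adb shell dumpsys package` output.
SAMPLE = """\
  Package [com.example.torch] (1a2b3c):
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.USE_CREDENTIALS
    install permissions:
      android.permission.CAMERA: granted=true
"""

if __name__ == "__main__":
    for perm, reason in audit(SAMPLE, "flashlight"):
        print(f"{perm}: {reason}")
```

A finding is a prompt to look closer, not proof of malice: the same sample audited as a "social" app reports only the system-alert and account permissions.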

How to add and remove permissions for Android apps

For apps you haven’t downloaded yet

Open the Google Play Store app.
Go to an app’s detail page.
Under Developer tap Permission details.

For apps you’ve already downloaded

On your device, open your main Settings app.
Tap Apps or Application Manager (depending on your device, this may be different).
Select an app.
Scroll down to Permissions.

Staying safe with app permissions

Sadly, there is no such thing as being 100% safe with apps. However, there are some simple things you can do to minimise your risks.

There is a huge Android community online. Take the time to read the reviews or check out what kind of response is being generated by an app.

There are a number of websites that list and discuss Android app permissions, such as

Be aware that dodgy developers will use botnets to artificially generate five-star reviews, rather than waiting for unhappy users to leave one-star reviews. You can check the language used in five-star reviews and see if there are any similarities.

While Google’s security vetting could be better, its store, along with Apple’s, is the safest and best way to download apps. Resist downloading apps from third-party developers as they are more likely to be loaded with malware.

You can always contact the app developer asking about the permissions. If the reply is unsatisfactory or they don’t reply then it is best to avoid their app.

Our final suggestion is that if you’re suspicious, always abandon downloading the app.

Finally, as with your PC and laptop, always keep your smartphone up to date with the latest anti-virus software.

In the end, it comes down to personal choice. But an informed choice will minimise the risk of downloading an infected app or letting a developer abuse your phone’s data and your personal smartphone life.

