How To Manage App Permissions
“Hey @Aeromexico, why are you trying to use my cell phone camera?” With this tweet, the British journalist Duncan Tucker asked the airline a few weeks ago why he had tried to access the phone’s camera when, in addition, he had the relevant permission deactivated. Virtually all applications in the market collect user data and have access to certain permissions. But on many occasions, the user escapes when the applications use them and if they do so legally. Is it possible to know when an application accesses the camera, photos or microphone of a mobile phone? Here are some tips to manage app permissions.
Javier Tallon, the member of the Computer Security and Defense Group of the Council of Computer Engineering Colleges, explains in reference to the case of Tucker that access to the camera by the Mexican airline could be lawful in some situations. For example, in the case that it was being used to read banknote codes. But, judging by the journalist’s tweet, the application tried to access this permission at a time when it did not apply.
Tucker discovered the intentions of the Mexican airline because he had activated the “app permissions monitor” on his smartphone. It is a function only available for some Samsung terminals that allows you to give permissions on demand to each application and know when it is used of them. “Receive notifications when applications that are running in the background use the permissions you have selected,” it is reported when you activate the function in the phone settings. In addition, all this activity is recorded in a history that the User can review at any time.
The permission monitor, in this case, alerts the intention and not so much of the execution, according to Tallón, who is also co-founder and technical and operations director of JT sec Beyond IT Security : “We can think that, when dealing with the application of using the camera, the permission monitor detects that there is suspicious behaviour and launches the alert. However, the application was never able to access the device’s camera because the permission was deactivated. ”
What information does each app permissions
Normally, a user can know the list of permissions that an app needs to work at the time of installation. The apps usually ask the user for an average of between three and four permits, according to Tallón. The most requested permissions, he says, are access to user files, the device’s camera and location services. And the applications that tend to request the greatest amount of permits are those related to social networks and online shopping.
“Once the application is installed, we can know the first time you use each permit since it will request its execution from the user,” explains Ismael Morales, member of the ITC and Defense Security Group of the CCII and technical cybersecurity manager at Wellness TechGroup. Then, the applications will not need the user’s consent each time they use the previously accepted permissions: “From this point on, the user no longer knows when the applications make use of the permissions.”
In fact, the Tucker mobile feature is only available on some Samsung mobiles and is not common in other terminals. “It is difficult for an ordinary user to know what information an application or the device itself has access beyond permission control,” says Tallón. To protect themselves, the experts consulted recommend installing only the apps that are really needed and check before doing so if the requested permissions can be abusive. Morales advises that in the case of having several alternatives when installing an application that offers the same functionality, it is preferable to install the least permissions that we consider abusive to request.
ICSI researcher Serge Egelman explains that there are many websites and tools that show what permissions are requested by an application, but do not report whether those permissions are actually used in practice or the precise time at which they are used: “Know that a permit is not the same as knowing that it was actually used. ”
To detect what permissions an application uses and at what time it does, as noted, the operating system must be modified. He has done it with a group of researchers and created AppCensus, a company that is responsible for verifying the behaviour of different Android apps. “For several years, we have been building our own customized version of Android that includes instrumentation to monitor application access to personal data. Because this requires modifications to the operating system, it cannot be done in an application that is installed from the Play Store, ”he says.
AppCensus provides on its website information about the behaviour of different apps in the market so that the user can know what data they access and if they are shared with third parties. It is, according to Egelman, one of the few ways for consumers to understand the privacy implications of the applications they use. ” He emphasizes that before there were only two ways to know: read privacy policies and examine network traffic. “We all know the problems with privacy policies. They are ambiguous, time-consuming and difficult to read. Secondly, expecting the average user to monitor and analyze network traffic is simply absurd, and it means that by the time it detects bad behaviour, it has already passed, ”he adds.
Joel Reardon, an associate professor at the University of Calgary and another of the AppCensus architects, questions the usability of a tool that constantly informs the user that an app will use his permission. For him, it would be useful if the user could, for example, deny access to the location, microphone or camera when the terminal screen or audio was turned off.
Both Egelman and Reardon emphasize that some applications look for ways to access certain information even if the user has explicitly denied permission. Both have participated in an investigation carried out by a team of cybersecurity experts, which has revealed that up to 12,923 apps have found a way to continue collecting private information despite having explicitly denied them permits. The number of potential users affected by these findings, they say, is “hundreds of millions.”
TIPS TO PROTECT YOURSELF AS A USER
Application developers and even terminal manufacturers frequently collect user information without their consent. This is stated by Tallón, who points out that there is a considerable difference in the quality of smartphones from different manufacturers: “Although, the tendency is to think that the best-known manufacturers are the most reliable, it is clear that the traffic of information from users to large scale is a very lucrative business and in which, most likely, most of the big companies in the world of smartphones participate. ”
Therefore, he points out that the idea is to try to use devices whose safety has been verified and certified by professionals from the independent sector of the manufacturers.
For his part, Morales warns that “one of the weakest points of a smartphone is the charge of it.” As he explains, there are cables to charge the mobile that does not allow the exchange of data when, for example, the mobile is connected to a computer. “In this case, one of the main measures is to try to avoid charging mobile phones with a cable that is not exclusively for charging in public places,” he says.