I have read that most of us only use 7 to 10 apps on our phones. The vast majority of the time, when we are on our mobile devices, we are using one of our go-to apps. I just counted 57 apps installed on my phone and, honestly, when I just looked to count, I didn’t even recognize a few of them. I am sure there are fewer than ten that I use regularly. So what are all these apps on my phone anyway? What exactly are they doing there? Of those that I do use, do I really understand what information I am sharing, and is sharing it really necessary?
In theory, apps on my device are only doing and seeing what I have agreed to let them have access to. But, if I haven’t been paying attention, if I downloaded a little app to do one simple thing, I may have accidentally given it access to way more than I intended.
Pokemon Go and the Privacy Debate
Before we go any further, we might as well address the current, hot elephant in the privacy discussion room: Pokemon Go. This game is absolutely brilliant and has caught on like wildfire all around the world. It is so simple, but it is a totally new spin on the classic so many kids (and young adults) grew up with. While our kids, coworkers, and friends are all out trying to “catch them all,” security experts stand back and question whether this app just goes too far.
Pokemon Go has been called a “criminal’s present on a platter” and a “wide, attractive threat vector for hackers” because, to play, you must share so much personal information, like GPS location plus Google account permissions including access to email, contacts, photos, documents and the ability to post, delete and send things from the user’s account. Niantic is not a nefarious hacking organization, of course, but the question becomes how secure are its servers (which we know are experiencing some troubles keeping up with the load) and what is at risk for users if they experience a breach?
Soon after the app was launched, an update was quickly released to limit the Google information required from full access to “basic” account information. But the app still collects GPS data and location history, has access to the phone’s camera, and still gathers a great deal of personal data (PII) such as birth date, email, social account access, etc.
Pokemon Go, with its unprecedented popularity, is just an excellent example of the excessive personal data that is gathered by the apps that we use. Even if that access is legitimate, like needing to know your location to tell you where the Pokemon are, we must consider what level of information we are comfortable having on someone else’s servers and potentially in someone else’s hands.
Grant Only Appropriate Access and Understand Your System’s Permissions Process
Valid but Unnecessary Access
I know that some apps I have downloaded will do a lot more than I intend to use them for. So those apps may ask for permission to access data on my phone that they have no real reason to access. This is an interesting example – why would this document and photo scanner app request access to my calendar? There may be a good reason, some awesome feature of the app I have never used. This is a handy app but not one I use enough to learn the advanced features.
When some apps ask for excessive permissions, however, it should be a warning sign. In general, apps you find in the Apple App Store or Google Play Store can be considered legitimate – but this is not always a safe assumption to make. It is still important to keep an eye on your device’s settings and be sure that you are not oversharing.
On iPhone, it is pretty easy to manage permissions. But remembering and taking time to do it is where most of us fall short. In privacy settings you can see what apps may be able to access on your phone, from your location settings to your health information. Within each category is a list of apps with access to that area or feature, and you can easily toggle the permission off or on. iPhone makes this easy enough that you can just turn certain permissions on when you need them and turn them off when there is not a real need for that open door to your data.
Why do all of these apps have access to my camera? The good thing is I do recognize all of these apps and I know why each would need to access my camera. But ongoing access even when I am not using the app is certainly not necessary for the majority of them. If anything really off the wall were to show up here, like a game app or something I didn’t recognize with access to my camera, it would be a big red flag.
Nefarious or even bogus apps may be designed just to gain access to a user’s contacts or, for really creepy schemers, even the camera. All of these permissions are worth reviewing periodically even if you are careful about the apps you download.
Apple v. Android v. Windows
Apple apps will always ask for permission at the point of access. For instance, when I first downloaded Scan-able and tried to use it to scan a document, it had to ask my permission to access my phone. I do not believe it ever asked my permission to access my calendar. I never gave it that permission so it is not green in the screen shot above but, because Scan-able does request such access, the app still appears in that category of privacy settings. It is also nice to see everything that potentially has access to my phone’s camera or location settings from one screen.
Android and Windows phones handle app permissions differently, however. Android will ask for permissions at the download. Windows leaves the permissions process in the hands of each app developer, so the process on Windows phones may vary.
While Android’s system of up-front permissions may seem very transparent and proactive, it may not always work as well as Apple asking as you go. On this newly downloaded banking app, the Android user sees a long list of permissions the app would like granted up front. Does the app need access to your location? To your phone? Media and files? You just downloaded this app and you probably want to see your balance. Do you want to think through all the questions raised by this screen? No. You want to get past this pop-up and on with the task at hand. So you click “accept” and tell yourself you can figure all the rest out later. But will you? (No.) You can find more information about accessing and controlling Android permissions here.
The handling of privacy and permissions is very different between iPhone, Android, and Windows devices. Like other features of these phones, your preference may be different than mine. But these differences are rarely considered as thoroughly as other features when selecting a device.
Things to Keep in Mind
Only download apps from your phone’s official App Store.
Even in the App Store, pay close attention to the reviews and comments. Downloading that harmless-looking game and allowing more access to your phone and your data than you realize can lead to malware, identity theft, and big trouble.
Do not automatically click “accept” – only give necessary permissions.
I know the user agreement is easy to ignore. That pop-up requesting permission is just a nuisance. If this is what the app needs to work and if you want the app, it is tempting to just accept without paying close enough attention. Ninety-nine times this will not cause problems; it is that one time that you didn’t notice what you were accepting that will get you.
Review your device’s permissions and settings regularly.
Even if you pay attention and only download legitimate, necessary apps to your device, it is a good idea to review the privacy and security settings on your phone from time to time, along with what those apps have access to. Permissions can change, especially on Android: if your phone is not set to notify you of changes that come with upgrades to the app, you could be automatically accepting permission requests you should not.
Four Ways to Share These Tips
Most of us do not fully consider security features and the way privacy settings are handled when we select a phone. Even when we know to keep an eye on settings and be selective about the apps we use, it is easy to accumulate junk on our devices pretty quickly. These tips are critical for users who may not be aware of the dangers, but they also serve as great reminders for us all. Share them with your employees and colleagues easily below.
- Social Media: Share this article on social media.
- Email: Share this article with your colleagues.
- Print: Post this tip in your break room for employees to see.
- Newsletter: Download this full image to be included in your next internal employee newsletter. There is also a smaller image here that may fit better in your newsletter format.
We only ask that you use the images intact and unaltered. Thank you.