What you need to know about Android permissions and rogue apps

permissions lead image

Recently, a bogus game called Subway Train Game, with multiple unnecessary permissions, rocketed to the top of the Play Store charts. This incident highlights the importance of protecting yourself by checking permissions before downloading apps. Here’s a look at key permissions you need to be aware of and what they’re capable of.

Subway Train Game

Early in June, an app called Subway Train Game popped up as a top game in the Play Store rankings. It seemed to be an organically-growing slammer of a hit game. However, as Reddit users began to dig deeper, a problem became apparent.

They discovered that the app was a scam, partly because the permissions requested on install were way beyond what would normally be needed for a simple game. This included access to the device microphone, camera, and GPS location—none of them needed in a simple chase game.

What this means for you and me is that we need to watch out. A general lack of code review by Play—which many consider a good thing because it allows apps to be uploaded quickly—exacerbates the need for self-preservation.

Permissions are a dead giveaway

Subway Train Game has now left the station, but the potential is there for big-trouble ahead if we users don’t read and act on app-relevant permissions.

To complicate matters, the full list of permission options isn't displayed when you choose to install an app on your phone. You have to look for the detailed list in the app description in the mobile version of the Play store, or visit the Play store on the web.

Finding detailed permissions

Search for the app in Play’s desktop version, then scroll down the page to the Additional Information section. You can use an Android device’s browser to do this if you don’t have a laptop. In the Play Store app on your Android phone, you can scroll way down to the bottom of an app, to the “Additional Information” section, and tap on the little “View Details” link to get detailed permissions information.

permissions play privacy permissions ss

The mobile version of Play is vague. Use a desktop browser for detail.

If you want to claw back some safety, you’ll have to know which permissions are worth worrying about. Context matters; a mapping app obviously has need of your location, while a simple game probably doesn’t. However, if that game has a “find opponents near me” function, it does make sense for it know know where you are. You’ll have to use some common sense, but consider these the scariest permissions to keep an eye out for.

Phone

The Directly call phone numbers permission can be used to dial revenue-generating numbers belonging to baddies. While this is a legitimate permission in phone-based calling apps, like Viber or Skype, most other apps don’t need to make phone calls.

permissions facebook ss

Facebook’s app wants to be allowed to make calls.

SMS

Authorizing the Send SMS messages permission can eat into your text messaging allowance. There’s no need for this permission unless it’s for a communications-based tool like WhatsApp Messenger and calling apps. Some Internet-only messaging services, like Skype, for example, don’t even ask for it.

permissions facebook mobile play ss

The permissions listed on the mobile app popup are sort of vague, compared to those on the web.

Contacts/Calendar

Read your contacts and Add or modify calendar events and send email to guests without owners’ knowledge are two permissions that you should be extremely wary of. Whereas the previous two permissions can bilk you out of your savings, these can find out who your friends are and spam them.

Social networking apps like Facebook use this permission legitimately and back-it up with a privacy statement. Check for privacy statement links on app developer Play pages.

Photos/Media/Files

The Modifying or deleting the contents of your USB storage permission allows data tomfoolery, like uploading private camera images to a server.

It’s a legitimate permission for data sharing. A cloud storage app like Dropbox uses it, for example. But an app that doesn't need your photos could look at all the pictures you've taken on your device and do who knows what with them. Are you comfortable with the developer seeing all your photos?

permissions facebook other ss

Many safe permissions are in the Other section.

Safe permissions

Many permissions are innocuous. Almost all apps connect to the Internet, for example. The mobile version of Play doesn’t even bother listing that permission. Other relatively safe permissions include prevent device from sleeping and change your audio settings, for example.

In-app purchases

And finally, the In-app purchases permission is used to authorize an app’s up-sell functionality. Many apps are free to install, and then hit you up for add-ons or extra services.

While this isn’t inherently a bad thing, it can be an expensive problem if your device falls into the wrong hands, like a precocious seven-year-old, who’s surreptitiously gotten a taste for Stealing Trains IV Las Vegas, knows your Google account password, and sees a new purchase-authorized app to play with.

To comment on this article and other Greenbot content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.