Smartphone Apps Know Too Much. We Need to Fix Permissions
Thanks to Facebook, app permissions have popped back into the public’s consciousness again. Last month it was discovered that Facebook had stored the phone logs of Android users who opted sharing their contacts in the days before Android 4.1 Jelly Bean. Then this week, during Mark Zuckerberg’s congressional testimony, two representatives asked whether Facebook might be listening to private conversations through our phone microphones and using the info to serve up eerily specific ads.
Zuckerberg responded definitively to the questions about the microphone conspiracy theory—“no”—then felt the need to add that Facebook does have access to audio when people record video on their devices for Facebook. “I think that is pretty clear. But I just wanted to make sure I was exhaustive there,” he said.
But Zuckerberg’s do-si-do with Congress, rather than being clear or exhaustive, showed that people are still genuinely confused about what data their smartphone apps can and can’t access. That’s partly because of app permissions: They’re oversimplified and designed to offer a minimal amount of information, right as they’re asking for access to your data. And while they’ve improved just as apps have, it’s not enough to match the sophistication of the data-gathering technology that now surrounds us.
It may seem obvious at this point, but mobile apps—not just Facebook—can vacuum up a crazy amount of data with every interaction. (Just look at what happens when you order a pizza, as illustrated by The Wall Street Journal). Both iOS and Android apps are capable of accessing your phone’s microphone, cameras, camera roll, location services, calendar, contacts, motion sensors, speech recognition, and social media accounts.
Some of this access is necessary: a photo app doesn’t work without access to a smartphone’s camera, just like a ride-hailing app like Uber doesn’t work without location information. Reject those permissions, and you’ll break functionality. But sensor data could also reveal a lot more than some people realize, especially when patterns start to emerge.
One Android app developer, who requested anonymity to avoid speaking on behalf of his company, noted that once you grant location access, app makers are able to pull in bearing and altitude information in addition to single location objects. This means apps can know “roughly which floor of a highrise you live on.” Ish Shabazz, an independent iOS developer, says that once you give an app permission to always have access to your location, “there’s an API to keep track of how frequently you visit a location.” (On iPhones, this list is visible in Location Services, then System Services, then Significant Locations.)
“There are legitimate and friendly ways that this data is used,” Shabazz says. “However, if you’re nefarious, I’m sure that info could be used in non-helpful ways.”
Amod Setlur, a former director of engineering at Yahoo who now runs a Silicon Valley analytics firm called Auryc, says one of his clients, a travel app, learned some interesting behavioral patterns about its customers based on how they were holding their phones.
“We found that during traffic spikes [in the app] at night, a lot of device rotations were happening,” Setlur says. “They were starting like this, and then they would turn the phone like this. We realized that people were trying to plan their next trip, turning the phone sideways to look at photos, while they were lying in bed.”
Those are just insights, the kind that make marketers froth, but there are the clear overreaches in app, too: Path’s unauthorized upload of peoples’ address books to its servers; Pokemon Go’s ability to “see and modify nearly all information in your Google account,” and Meitu’s request for access to GPS and SIM card information. Usually it’s around privacy violations like these—or around Facebook news—that app permissions get a fresh dose of attention.
App permissions are supposed to exist as the practical barrier between app makers and specific parts of your phone’s data. A permission request from an app pops up, and it’s on the smartphone user to decide whether to open that door. Sometimes they come with explanations; in fact, the app platforms encourage this. “It’s a good idea to explain to the user why your app wants the permissions before calling requestPermissions(),” the Android developer documentation says.
But these can be short or vague. Facebook’s explanation on iOS when it’s asking permission to access your camera is simply: “This will let you take photos and record video,” with no mention of some of the more advanced technologies that your shared photo data will feed. Some app makers just tack “and more” onto its permissions explanations. Facebook’s explanation for location says “Facebook uses this to make some features work, help people find places, and more,” while Snapchat’s explanation for using your microphone is “to record audio for Snaps, video chat, and more.”
Apple and Google run the app ecosystems and establish the app permissions guidelines. But they’re largely relying on the app makers to follow the guidelines. App makers don’t want to overwhelm people; they’re relying on the consumers to just get it. Or, maybe not to get it.
Both iOS and Android app permissions have evolved as the app stores have. Three years ago, with the rollout of Android 6.0, Google started requiring developers to request access as people were using features in an app, not when they first installed an app (when they were more likely to just hit “Accept” and forget about all the data they just gave away). That same Android update let users manage each permission individually rather than lumping them all together. Android 7.0 disallowed developers from building overlays over permission boxes, which would trick people into clicking on them.
Apple in general has been much more stringent than Google has been with app developers. As with Android, you can control iOS permissions both in privacy settings and at the app level. With the rollout of iOS 11 last year, Apple offered a “Write Only” option for app developers using Photos, so they wouldn’t have to request Read access to camera rolls. It also started cracking down down on location permissions: app makers are now forced to show the “Only when using the app” option when requesting location access. And as ArsTechnica pointed out, the company has never given iOS developers access to call logs, so the recent flare-up around Facebook on Android wouldn’t have been possible in iOS.
That said, there’s still room for improvement in the way app permissions are handled, says Norman Sadeh, a professor in the School of Computer Science at Carnegie Mellon University and the creator of Privacy Assistant, an Android app for managing privacy permissions. He says he continues to be critical of the way app permissions are being “bundled.”
“The number of [control] settings have increased, but they’re basically bundling a bunch of decisions together and forcing users to make impossible decisions,” Sadey says. “The apps might need it for functionality, but it might also share it with marketers and advertisers alike.”
It’s also not made super clear to people what happens when they revoke access to something they previously gave permission to. Let’s say you gave an app access to your photos just to upload one photo, and then immediately turned it off, or you granted contacts access years ago and then later revoked access. The TL;DR is that app makers are able to keep the data you shared beforehand, when you did grant permission, provided they comply with data protection and other privacy laws in their countries.
“One of the things that’s really lacking right now in permissions is not only consent, not only informed consent, but ongoing consent,” says Gennie Gebhart, a privacy researcher at the Electronic Frontier Foundation. “If Facebook is going to store your call and text logs, in perpetuity, that requires more than a single click-through.”
Google declined to comment on whether it’s currently looking at app permissions in light of the recent Facebook issues, or whether changes are expected to come in the near future. Apple also did not respond to similar questions.
But for now, until stricter rules are in place, most of the onus still falls on the smartphone user to try to make sense of privacy permissions. And to know whether to give access to our camera, our photos, our locations, our lives. And to trust that most of the app makers are being transparent around where that data goes. These days, that ask feels infinitely bigger.