Dear Lifehacker,

I read your article about Chrome permissions last week, but I want to know about Android app permissions. It seems like every app developer wants access to so much on my phone! Do they really need all those permissions, or are they just harvesting my data?


Sincerely,

Paranoid Android

Dear Paranoid Android,

Android permissions are simultaneously an Android developer's best friend and worst enemy. Some of the best apps available from even reputable app developers and companies still need some pretty deep permissions in order to do basic things. On the other hand, the controversy around Android malware definitely makes that long list of permissions before installing a new app a scary experience. Let's see if we can set your mind at ease.


Read the Permissions List and Tie It Back to the App's Features

Every time you install an app in Android, you're presented with the list of permissions the app requires in order to work. If you're not reviewing that list before you click "Install," start now—you'll get a better understanding of what information an app really needs and what functions of your device the app has access to just by reading that list. It's tempting to just skip past it, but resist: you should at least look them over so you're aware.

The first thing to understand is what all of those permissions you're agreeing to let an app have when you install it actually mean. Some apps ask for tons just to work (Facebook, Google+, Gmail, etc) while others ask for relatively few. This thread at Android Forums does a great job of explaining how permissions work, and what each type does, complete with examples for what each permissions type means. It's a good read, but ultimately it's less important that you understand what each permissions type means as you understand why an app is requesting it when you install or update. Make sure you read the list of permissions, and try to correlate each one back to some feature or function of the app. If you can reasonably tie an app's permissions back to a feature (an SMS app that needs to read SMS messages, or a caller ID app that needs access to "read phone state and identity," for example) then there's little to worry about. Let's face it: most of the time, the reason an app asks for the permissions it does is because it needs them to work.


The only notable exception to this rule are apps that require root. When you root your Android phone, you grant yourself that level of access to the inner workings of your phone's OS. When an app pops up a superuser request and asks for root, you should think seriously about whether the app needs it. Apps like ROM Manager and Titanium Backup need root because they're performing system-level tasks on your phone. However, if a clock app or even a new app launcher requests root, make sure you understand why it needs it before you click "Allow." If you don't, don't do it.


Watch Out for Apps that Combine Permissions for No Reason


I spoke to Prateek Srivastava, a CS student and Android developer, about what all of those permissions mean and whether they're inherently dangerous. He explained that most permissions alone are pretty harmless:

"Even by itself, the internet permission can't do much - and is likely needed by most apps to display ads. What you should really watch out is for apps that are combining permissions willy-nilly. For instance if you had an ad-supported file browser app that requested permissions to your read your storage, and to the internet to display ads - there's no way to prevent the app from just posting your data on your phone's file systems (including your camera pictures) to the internet."


It's true, even apps that seem to have legitimate uses for multiple permissions may be dangerous. MakeUseOf explains some of the permission types you should look out for, especially when they're combined in a single app, as does Matthew Pettitt in this great article. It's easy to get frightened when you see how much information many apps ask for—even apps from trustworthy sources—but you have to ask yourself these questions when you see these long permissions lists:

Is this app from a trustworthy developer? Does it look like malware

Do I understand why this app needs these permissions?

Does the developer explain to me why they need these permissions? (Are they listed at Google Play, along with the reasons for each permission request? Often, they are.)


If the answer to all three of these questions is yes, you're in good shape. If you start answering no, you should begin to consider whether you really need the app in question. Even apps from trustworthy developers can collect a great deal of data, either for advertising and marketing purposes, or because someone screwed up. If you have an app from a developer you've never heard of and it doesn't explain why it needs the permissions it does, stay away unless you understand that the permissions are necessary for the type of app it is.

Encourage Developers to Explain their Permissions Needs at Google Play


Looking at an app that requires a ton of permissions can be scary, but make sure to check the app listing at Google Play before you jump to conclusions about it. As we mentioned above, if the developer explains why each permission is required for their app to function, you don't have anything to worry about unless you think the app is doing something else behind the scenes, and if it is, you'll probably see people talking about that in the app reviews.

Check the app's description at Google Play to see if the developer's listed out the permissions at the bottom of the list of features. More and more devs are doing this, partially because they know they have to in order to combat paranoia, but also to be transparent about what information their app needs from you. Even if they don't list it at Google Play, you'll often find more information at the developer's web site. To-do manager Any.DO, for example, asks for some pretty scary-looking permissions, but one glance at their Android FAQ should put your fears to rest.


If you don't see the permissions explained at Google Play or on the developer's web site, email them and ask. Many apps at Google Play have a "Visit developer's web site" link, or a "privacy policy" link that will give you more information. Even if they don't, they should definitely have an "email developer" link, which you can use to drop them a line and ask why their app requires the permissions it does. Encourage them to add that information to their app page at Google Play. Prateek explains:

"For developers, Google themselves recommend you request as few permissions as possible. Developers are also lazy - for instance most developers would just request your user account information to identify the user uniquely from their email address or phone number (this could be for many reasons - maybe server side validation that the app isn't pirated). A better way to do this is outlined here (without any personal information required)."


This is all the more reason developers need to be transparent about the permissions they request, he said, and why users need to be careful—not paranoid—and challenge devs when they don't know why an app needs the permissions it does.

Monitor and Tweak App Permissions On Your Own


If you really want to install an app that has questionable permissions, or an app with permissions you just don't understand (or don't think are necessary for the app to work), there are apps that can help. Some will stop intrusive apps from getting the data they want, others will just monitor the apps you install to see if they're doing anything fishy. For example:


Research Before You Panic

There's no reason to rage every time you find an app that requires a good number of permissions. In many cases, the problem may just be that you don't understand why the app needs the permissions it does—it could be some dependency in Android that the developer had to fulfill in order for the app to work. It could be a feature in the app that you don't fully understand. Before you fly off the handle and accuse the dev of stealing your data, check Google Play or ask them directly. If that sounds like too much effort, just don't install the app and find an alternative that's more transparent.

"In the end, as a user, you really have to trust the developer about what they're doing with the permissions. You can make a good educated guess, but that's about it. As a developer, you have to be transparent about what and why you need every permission. For instance if you need to collect analytics about your app and post the results to the server, you need the internet permission. But if your app is just a clock app - users are going to be confused why you have the internet permission."


Good luck,

Lifehacker

Prateek Srivastava is an Android developer, creator of apps like InstaMemo and Countdown Timer. He graciously offered his expertise for this story, and we thank him.