Having a smartphone means you are accepting a certain level of risk. This level is determined by factors such as how others access it, the networks you decide to connect it to, and the apps you decide to download, just to name a few.
One must decide the level of risk they are willing to accept and what type of data they are ok with sharing. A certain app may require or ask for high-level permissions; this is a serious request not to be taken lightly. Determine if the application is worth the risk and, if it is, ask yourself why. Before downloading a sketchy app, decide if you are ok with losing sensitive information from your device.
The simple answer is yes, it is safe, but there are caveats. For an application like Amazon Photos it would be safe, but for something like a calculator app it would not. Realizing what type of app you are looking at and what permissions it is asking for can help you determine its legitimacy and safety.
With the rise of mobile technology, entertainment, and app developers there are sneaky ways to get privileged access to your mobile devices. A large number of threats will come from nonchalantly downloading applications without reading between the lines.
Why would a mobile application need to access my photos?
An app may request access to your photos if the app supports photo uploads. For example, when installing the Google Drive app, it will ask for photo access. This is because the app supports photo storage and will grab your photos for storing.
This is an example of a safe and legitimate photo access request. A fishy and possibly malicious request would be a calculator app requiring access to photos. First of all, why does a calculator app need my photos!?
The devil is in the details. We will get into how to find the permissions that the app will request BEFORE the download starts. This is one of the big details that many people overlook and unfortunately, it’s one of the ways malware is introduced to our mobile devices.
The next section will outline what permissions are, how they affect your device, and how to review them; and later we will go over some examples of safe and dangerous apps!
What are application permissions and what do they do?
Mobile applications are essentially users that you are adding to your domain (your mobile device). Each application asks for a set of permissions that you can assign to it, just like in an Active Directory environment with real human users.
These permissions are a set of access types that are needed by the app to function fully. It is not uncommon to see most if not all apps request the “Modify SD card storage” permission. This one makes sense because the app will be taking up space on your SD card.
If an app is downloaded, you can go into your app settings and deny the permissions you don’t feel comfortable with. A good general practice is to always allow the minimum number of permissions required.
An issue with permissions exists when they are requested alongside others like “Read sensitive log data” or “Read contacts.” The type of app in conjunction with the permissions it wants will tell you about the legitimacy or possible risks of the app.
This next section will cover two apps that are very different regarding the permissions requested. Here you will see where the permissions for an app are located, what developer information is, and how to research the app further.
How can I determine if an app is safe to download?
A simple Google search will tell you what you need to know about the developer. Just look at the developer company name and do a search like “Are [Name of developer] apps safe to use?” Or search for a database of unsafe developers.
This article covers two applications, eBay and WeChat. These two are polar opposites in both function and safety. But we will look at app stores first! There are many app stores available to use but there are some to be wary of. This next section is very important to you as a mobile user.
Are all mobile app stores safe to use?
The short answer is no, because the vast number of threats on these app stores, combined with the lack of user awareness, makes them risky waters. The long answer is yes, they are safe, but only if the user is cognizant of what he/she is downloading and only opts for verified app stores.
This comes down to paying close attention to developer information, permissions, and reviews. There are several reputable and (generally) safe app stores to use and there are some that aren’t legit. The next section will focus on some of the most common app stores.
Overview of common app stores
Apple App Store
This is Apple’s app store, which is reputable, safe for the most part, and has a large library of apps. Of course, you must still be careful as to what you are downloading, but the store has a good reputation and comes stock on iOS devices.
Google Play Store
This is the Google app store that comes with Android devices. This store has great reviews, selections, and verification for safety. Google Play Protect is an automatic scanner that will scan apps before downloading them; this checks them for malware.
When you initiate the download, Google Play Protect will scan the app for security flaws before it makes its way to your device. Although this is a nice feature, malicious apps can still easily get on your device even with the scans.
Samsung Galaxy Store
This is also a reputable app store that comes pre-installed on Samsung mobile devices. As usual, use standard app downloading precautions.
Aptoide
This app store offers many apps that are either illegal, haven’t been verified by Play Protect or Apple’s security scanner, or have been kicked off of said app stores. The apps offered here are questionable in safety, to say the least.
There are several bootleg apps available for download like Showbox, Sarahah messaging, Terrarium TV, and many other pirated content apps. One main reason why one would opt to download Aptoide is to access copyrighted content, which of course you shouldn’t be.
Here are two more stores you should steer clear of. I will say it again, STAY AWAY!
- TenCent MyApp
- Xiaomi App Store
These are just two app stores that are developed by China. There have been numerous reports of malware being spread throughout mobile devices due to the apps in these stores. Unfortunately, China develops many apps that provide features and services that we use every day!
From exercise trackers to PDF scanners, Chinese developers offer a large variety of apps; all are dangerous and should be avoided at all costs. In addition, apps like WeChat, QQ browser, CamScanner, and many others are found here in these app stores; they will require ridiculously invasive permissions to your device. It is best to research your apps before downloading for reasons such as this.
What are permissions and where can I see them?
Permissions are a set of privileges that an application will ask for in order to fully function on your device. With that being said, you don’t know if that particular application really needs a certain privilege. A good rule to note when determining what is appropriate or not is to grant only the bare minimum permissions possible.
This is the screen that you see after tapping the eBay icon in the app store. This is just a basic overview of the app. We know that eBay has a good reputation and almost everyone’s heard of it. And then we scroll down a little further to reveal the developer’s contact information (more on this later).
So this is a pretty average list for permissions. Here is a little breakdown of what the main permissions are:
Camera – There is no surprise here. eBay is a marketplace and to sell items you need to have some sort of picture or screenshot. This will go hand in hand with the storage permission; when you take a picture you can retrieve the picture from storage when inside your app OR you can snap a picture with the app’s camera feature.
Location – The location services are designed to help you find more sellers and items close by. You can put your zip code in and/or enable location services. I never enable it because I don’t need to and the app works fine without it, so you do have options.
Storage – The app will need access to your storage system in order to install the application. Remember, every program takes up space so this isn’t an alarming permission.
Other – The other category will include miscellaneous permissions that might be required to run the application properly. I couldn’t find anything alarming in this section.
As you can see, there’s not really any threat here. The app asks for reasonable access, which you can deny if desired, but nothing outright says “I want to spy on you or infect your device.” Now the next example will display a blatant disregard for user safety, privacy, and security.
Here is where we come to the scary app, WeChat! This is an app that claims to offer high quality voice, chat, and other features. The app has also been known to violate customers’ privacy, including accessing data it is not otherwise authorized to access and transmitting data to the Chinese government.
Let’s take a look at the long list of permissions this app requests. A good rule is if the permission list goes past 1 ½ pages you should research it more and determine its safety. Right off the rip we can see that this app has some of the basic permissions that an all-inclusive chat app would have.
The permission that concerns me is the body sensors permission. Why does a chat app need this information? Accessing precise location can be used for marketing purposes, stalking, and government monitoring to name a few. These permissions are very intrusive. It gets scarier…
Look at these almost 2 full screens worth of permissions in the Other category, WOW! I focused on the ones that can be malicious and the ones that may look concerning but are necessary.
- Download files without notification
You don’t want an app to have the ability to download files without notification because it can be easier to insert a malicious download on your device. Malware embedded into files can download without your knowledge, making this permission even more dangerous.
- Have full network access
This may seem like an invasion of privacy but the fact is a large number of apps ask for this permission. In order to use most apps to the fullest capability, it must access your network in order to communicate with the remote server hosting that data; and in this way, you are able to access the app’s features.
- Retrieve running apps
This can be compared to a task manager of sorts, with the app requesting information on currently running applications on that device. This can be a problem if you have a banking app running in the background and your credentials are weak. Now this app has the potential to pull your banking app process and dissect it!
- Recognize physical activity
This feature will enable physical movement data to be sent to the app’s server. For example, when the user starts walking or running, the app will be notified and from there certain tasks can be executed or other services notified. A malicious developer can decide to collect personal data from the user if the app is programmed to do so.
This can be intrusive if the app were to use this feature to start recording everything transmitting from that device upon an initiated movement. I guess you can think of this feature as an activation feature.
The only appropriate use of this service that I can think of would be a fitness application that measures physical activity, heart rate etc. If you do install an app like this, review the other permissions and make sure there are no suspicious combinations.
- Run foreground service
This may sound like an admin level service or sound suspicious but I circled it just to clear the air. This is a valid service; it allows for notification of an app’s features. For example, when you are watching a movie and then open another app, you can still hear the movie and interact with it. The foreground service provides the features that allow those interactions.
You will notice the foreground service because it allows user interaction. However, malware can be written to the foreground service allowing it to start and run.
I researched the WeChat developer information for this article but again, I had to research it on my own; there was absolutely no developer info in this app’s page on the Play Store. Here’s what I found…
As you can see, WeChat is closely tied to TenCent, the developer of the app. China is repeatedly accused (sometimes with supporting proof) of harvesting users’ private data and backing it up on servers at the very least. What are they doing with it? Who knows, but it’s nothing good, I’ll grant you that!
This last half of the article has reinforced the point that you absolutely shouldn’t download just anything you see, no matter how awesome it looks. There are so many dangers on the internet; allowing our most personal devices to be the gateway to those dangers could disrupt our lives to the core.
I cannot emphasize enough the vigilance you must practice when installing apps. Let’s review the security tips…
- Check reviews for negative feedback
- Make sure there is developer contact information and if so, research the developer
- Look at the list of permissions for intrusive, admin level, or suspicious ones the app may require or ask for
- Make sure the permissions make sense for the app you are trying to download (a photo editing app will want photo access etc.)
- Avoid downloading applications from bootleg, Chinese, Russian, or other app stores that have been known to host spying or malware-infected apps; only opt for reputable app stores for maximum safety
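The permission checks in the tips above can also be run over an app's manifest. The Python below is an added example, not part of the original article: it reads an AndroidManifest.xml that has already been decoded to plain XML and flags permissions that do not fit the app's category. The category baselines, the sample manifest and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed per-category baselines (illustrative, not an official list).
EXPECTED = {
    "calculator": set(),
    "marketplace": {"CAMERA", "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE"},
    "fitness": {"ACTIVITY_RECOGNITION", "BODY_SENSORS", "ACCESS_FINE_LOCATION"},
}
# Requested by most apps and not alarming on their own, per the article.
COMMON = {"INTERNET", "FOREGROUND_SERVICE", "WRITE_EXTERNAL_STORAGE"}
# Permissions the article singles out, keyed by Android manifest name;
# labels follow the article's wording where it gives one.
SENSITIVE = {
    "READ_LOGS": "Read sensitive log data",
    "READ_CONTACTS": "Read contacts",
    "READ_EXTERNAL_STORAGE": "Read photos and media on storage",
    "GET_TASKS": "Retrieve running apps",
    "DOWNLOAD_WITHOUT_NOTIFICATION": "Download files without notification",
    "BODY_SENSORS": "Body sensors",
    "ACTIVITY_RECOGNITION": "Recognize physical activity",
}

def requested_permissions(manifest_xml):
    """Return short permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            names.add(el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1])
    names.discard("")
    return names

def review(category, manifest_xml):
    """Flag requested permissions that do not fit the app's category."""
    requested = requested_permissions(manifest_xml)
    unexpected = requested - EXPECTED.get(category, set()) - COMMON
    sensitive = {p: SENSITIVE[p] for p in sorted(unexpected) if p in SENSITIVE}
    verdict = "research further" if unexpected else "permissions fit the app type"
    return {"unexpected": sorted(unexpected), "sensitive": sensitive, "verdict": verdict}

# Constructed sample: a calculator app that asks for photos and contacts.
CALC_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(review("calculator", CALC_MANIFEST))
```

A category that is missing from the baseline table is treated as expecting nothing, so every permission outside the common set is reported for review.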
In summary, this article provided a list of reasons why allowing apps to access your photos can be intrusive or dangerous. The dangers that can be spread from sketchy apps can compromise your data, privacy, or identity. If you practice safe app store guidelines, then you will better protect yourself from malware and hackers and keep your device safe.