Almost two percent of the most popular Android apps on Google Play request excessive permissions on users’ devices, according to a Comparitech analysis of 2,500 top and trending apps. Those permissions allow apps to run dangerous scripts and gain unnecessary access to SMS messages, among other undesirable actions.
The average Android user has about 80 apps installed, so there’s a high probability that at least one app on a given user’s phone requests an excessive permission. Excessive and exaggerated permissions could put user data and privacy at risk, or even allow cyberattacks on the device. Researchers found apps could avoid excessive permissions completely or use some other means to get the data requested.
Comparitech researchers focused on the following permissions in each Android app analyzed:
The researchers used a tool called Quark Engine to analyze the Android apps’ APK installation files and examine permissions in manifest.xml, a file used by almost every Android app that declares permissions. The tool examines these permissions along with the app’s static code to test for 145 unique permissions. Not all of these correlate directly with a permission listed in the official Android documentation; some are instead based on class and method names in the app’s code.
These permissions do have legitimate uses. An app might want to read your text messages so that it can receive one-time passwords and two-factor authentication PINs without forcing the user to copy and paste, for example. But researchers found such permissions are often either used nefariously or not used at all.
Excessive permissions by app category
Breaking down the results by app category, Business, News, and Sports apps were the top three for exaggerated permissions.
Many apps request a permission to check the list of running applications. Again, this can be legitimate: an antivirus app that needs to monitor processes in real time, for example. But many apps simply want to check if the user opens any of their competitors’ apps. Although this permission is usually unnecessary, researchers don’t consider it a severe threat to users.
SMS retrieval
Researchers say 59 out of 111 applications that requested SMS contents do not use them for any legitimate activity that would need such a permission, such as receiving 2FA codes. These excessive permissions could allow an app to read private text conversations, which puts both the user’s and their contacts’ privacy at risk. These permissions could even be used to send SMS messages from the user’s device to people in their contacts list.
The permissions related to SMS access include:
- Checking if the sender address of SMS contains the given string. This is often used for fetching 2FA/OTP codes.
- Getting the sender address of the SMS. In addition to a phone number, an address includes other information stored in the contact list, including name, email, etc.
- Getting the sender address of the SMS and putting it into JSON. This allows apps to store the user’s SMS contacts in a database.
- Querying the SMS content and the sender phone number. This can be used to read your texts and which phone numbers they came from. It could be used for fetching 2FA/OTP codes, but for a number of other purposes as well.
Shell scripts
The permission that allows apps to run shell scripts programmatically is of particular concern. Unlike with other permissions, an Android phone will not, by default, prompt the user when an application is about to execute a shell script. Normally this requires root access, but Android allows execution of some commands without it.
Shell scripts do not communicate with the phone or tablet using the official Android API. Instead, they make calls directly to the underlying Linux kernel. That gives the app deeper access to the device, including low-level access to hardware. Improperly built commands could force the application or entire operating system to crash. A malicious app could perform a broad range of attacks using shell scripts.
Shell scripts can perform a wide array of actions. A few might include changing the active keyboard, toggling Android settings, retrieving network info and status, managing notifications, altering color schemes and layouts, and much more.
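The two checks described above, declared SMS permissions and code that runs shell commands without any prompt, can be approximated with a short audit script. This is an added example, not code from the Comparitech study and not Quark Engine's own rules. It assumes the APK has already been decoded to a text manifest and smali files (for instance with apktool); the function names, regex patterns and the sample app `com.example.news` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"}
# Smali references suggesting SMS handling or shell execution (assumed, non-exhaustive).
SMS_CODE = re.compile(
    r"Landroid/telephony/SmsMessage;|Landroid/telephony/SmsManager;|content://sms")
SHELL_CODE = re.compile(
    r"Ljava/lang/Runtime;->exec\(|Ljava/lang/ProcessBuilder;->start\(")

def declared_permissions(manifest_xml):
    """Return short names of android.permission.* entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission"))
    return {n.rsplit(".", 1)[-1] for n in names if n.startswith("android.permission.")}

def audit(manifest_xml, smali_files):
    """smali_files maps a file path to its smali text."""
    sms_declared = declared_permissions(manifest_xml) & SMS_PERMS
    sms_sites = sorted(p for p, src in smali_files.items() if SMS_CODE.search(src))
    shell_sites = sorted(p for p, src in smali_files.items() if SHELL_CODE.search(src))
    return {
        "sms_declared": sorted(sms_declared),
        "sms_code_sites": sms_sites,
        # Permission requested, but no code path found that touches SMS.
        "sms_declared_but_unused": bool(sms_declared) and not sms_sites,
        # Never appears in the manifest: only code inspection reveals it.
        "shell_exec_sites": shell_sites,
    }

# Constructed sample input: a news app that declares SMS access it never uses.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""
SAMPLE_SMALI = {
    "smali/com/example/news/Main.smali":
        "invoke-virtual {v0}, Landroid/app/Activity;->finish()V",
    "smali/com/example/news/Util.smali":
        "invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;",
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST, SAMPLE_SMALI).items():
        print(f"{key}: {value}")
```

Treat the output as a triage signal: reflection, native code or third-party libraries can hide SMS or shell usage from a pattern match, so a "declared but unused" result still needs manual review.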
Google’s advice for Android permissions
Google splits Android permissions into two types: install-time and runtime. Install-time permissions are accepted or denied by the user upon first launching a newly-installed app. Runtime permissions must be granted by the user while using the app, and they are typically the more dangerous ones, as stated by Google:
“If you declare any dangerous permissions, and if your app is installed on a device that runs Android 6.0 (API level 23) or higher, you must request the dangerous permissions at runtime.”
Google advises developers to only request necessary permissions, and gives alternatives for certain situations. For example, one app might be able to perform an action on another app’s behalf, which can be delegated with an intent.
How to spot and avoid excessive permissions in Android apps
As for end users, keep permissions to a minimum. Google advises developers to design their apps so they can still be used even if you deny an install-time or runtime permission. So if the app is made well, it should still work. Don’t be afraid to say no to permission requests. You can always change your mind later.
Permissions can be adjusted for each app individually in your Android settings:
- Go to Settings (cog icon) > Apps & notifications
- Tap Advanced to expand the dropdown menu, then Permission Manager
- A list of permissions is displayed along with the number of apps using that permission. Click the permission you wish to adjust.
- A list of apps with the selected permission is displayed. Tap the one you wish to change.
- Select Deny to completely disallow the permission, or Ask every time to be prompted each time the permission is requested and grant it on a one-off basis.
You could also opt for a third-party permission manager app.
Unfortunately, there’s not much a user can do to prevent apps from running shell scripts unless the developer specifically adds a prompt to request the permission at runtime. Many developers will not. We recommend using a non-rooted Android phone and sticking to reputable apps from Google Play to avoid malicious scripts.