How Free Mobile Apps Earn Money through Permissions
By Yogesh Sapkale
Mobile applications, especially those available on Google Play Store, are becoming increasingly dangerous in terms of the information they gather through access to users’ personal data. For example, a simple app like a flashlight (not many use it due to the built-in torch feature of smartphones) seeks as many as 25 permissions, on average, that are not even related to its actual use.
The majority of the free apps seek several permissions while installing and then monetise your data by showing advertisements or sharing the user's personal data with third parties.
Applications can request permissions to access the data or features on a device that they need to function properly. For example, the flashlight application needs access to the phone's flash to use it as a flashlight. However, many such applications request access to more permissions than they actually need.
In an analysis, digital security services provider Avast found that out of the 937 flashlight apps, 408 request 10 permissions or fewer; 267 request between 11 and 49 permissions, and 262 apps request between 50 and 77 permissions.
"Some of the permissions requested by the flashlight applications we looked into are really hard to explain, like the right to record audio, requested by 77 apps; read contact lists, requested by 180 apps, or even write contacts, which 21 flashlight apps request permission to do," says Luis Corrons, security evangelist at Avast.
Any mobile app seeking more permissions than it needs is not only dangerous, but has the potential to harm the user either financially or by misusing personal data, thus violating user privacy. What makes it worse is that users who are unaware of these things grant these permissions without knowing or understanding the implications.
For example, not many users will think twice while granting blanket permissions to a flashlight app. One of the common reasons I have come across from such users is "I have nothing to hide, so why should I not grant these permissions?" Such 'lazy' reasoning shows a lack of understanding of the interconnected and greedy digital world.
For example, the same flashlight app may be accessing and sharing all your contacts and call logs, or even recording calls, only to share them with a third party without your knowledge.
Apps can request outlandish permissions, but that does not mean that they carry out malicious activities, per se. But then why would an app like the flashlight need access to contacts or even permission to record audio?
Mr Corrons from Avast explains this. He says, "The flashlight apps we looked into are just an example of how even the simplest apps can access personal data, and it is often not just the app developers that gain access to data when users download an app, but the ad partners they work with to monetise. Developer privacy policies are unfortunately not inclusive, as in many cases, further privacy policies from third-parties are linked within them."
Permissions requested by mobile apps and granted by users are a grey area. Some apps that the user wants will not be installed if even a single permission is denied, and some apps may not work properly without those permissions. Interestingly, not all permissions are needed by the app developer. Sometimes, the app developers integrate ad software development kits (SDKs) into their code to earn money from advertisers. To allow these SDKs to target users with ads, the apps request countless permissions.
In its analysis, Avast found as many as 282 apps seeking permissions like KILL_BACKGROUND_PROCESSES, which are very powerful and can be abused for malicious purposes. For example, it could be used to kill a security app.
What is more shocking is that the analysis from Avast found as many as 208 flashlight apps requesting the same permissions. "Most of the APKs are different versions of the same app, and right now there are 10 apps on the Google Play Store with more than 2 million downloads. There are five different developer groups behind these apps, according to the developer ID shown on the Google Play Store; however, according to my research, I can confirm that at least some of them are the same, just using a different developer ID. This appears to be a developer or group of developers with a monetisation system, harvesting users’ data and sharing the data with partners," Mr Corrons says.
So What Should You Do?
1. Before installing any mobile app, make it a habit to read about the app, and its reviews. Notice if reviewers comment on whether or not the app does what it says it will do.
2. Check permissions that the app needs. Granting incorrect permissions can send sensitive data to cybercriminals, including information such as contacts stored on the device, media files and insights into personal chats.
3. Do read the privacy policies and terms and conditions of the app, as mentioned by the developer.
4. Find out more details of the developer. As I had discussed in my earlier article, "Blatant misuse of national emblem, govt logos by mobile apps makers", several apps under the name of Aadhaar were owned by private developers who were misusing the national emblem and official logos of various government departments.
5. Install a trustworthy anti-virus app, which acts as a safety net, and can identify apps that are infected with adware or malware.
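Step 2 above can be automated. The following is an added example, not part of the original article or Avast's analysis: it lists the permissions declared in a decoded AndroidManifest.xml and flags those a flashlight does not need, including the ones the article singles out. The expected-permission set, the sample manifest and the package name are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Assumption: the only permissions a torch app plausibly needs (the flash is driven via the camera).
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

# Permissions the article calls out as hard to explain for a flashlight app.
HIGH_RISK = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.WRITE_CONTACTS": "write contacts",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill other apps, such as a security app",
}

# Constructed sample: a decoded manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the unique permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NAME)
            if name:
                names.add(name)
    return sorted(names)

def audit(manifest_xml, expected=FLASHLIGHT_EXPECTED):
    """Compare requested permissions with what the app's purpose justifies."""
    perms = requested_permissions(manifest_xml)
    unexpected = [p for p in perms if p not in expected]
    high_risk = {p: HIGH_RISK[p] for p in unexpected if p in HIGH_RISK}
    return {"total": len(perms), "unexpected": unexpected, "high_risk": high_risk}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(f"{report['total']} requested, {len(report['unexpected'])} beyond a torch's needs")
    for perm, why in report["high_risk"].items():
        print(f"  HIGH RISK {perm}: can {why}")
```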