
When Good Apps Go Bad: Protecting Your Data Through App Permissions

When was the last time you thought about what permissions the apps on your phone have? Often, when downloading something new from the app store, many people somewhat blindly accept the various pop-ups that ask to allow the app access to their phone’s data, more excited about what they get from the app than about what it might be getting from them. But as people are becoming more aware of the data being collected about them from every angle, it’s becoming apparent that more attention needs to be paid to what people are enabling when they hit “download.”

Just this month, researchers from GuardianApp revealed a list of 24 notable iOS apps that have been used to “covertly collect precise location histories from tens of millions of mobile devices.” Much of this data collection has been passed along to third-party sources in order to provide more targeted advertising. While many of the apps do request location access before gathering this data, nowhere do they mention that the data will be shared with third parties for reasons that have nothing to do with the function of the app.

And it’s not just on mobile phones. Also this month, Apple removed several anti-malware apps from its Mac App Store after it discovered they were exporting users’ data back to a server in China. While most apps in the Mac App Store receive fairly limited access to data, these anti-malware apps were given more access than most to users’ files, histories, preferences and settings.

Situations like these make it all the more clear that people need to pay close attention to the amount of data collection they are facing and what types of data they are comfortable sharing. While the main cause for concern used to be illegitimate apps, such as malware posing as a more popular app, finding their way onto users’ smartphones to steal data without their knowledge, more common now are seemingly legitimate apps acting in ways that users do not condone.

How do you stay vigilant when the legitimate apps that you do use and rely on are also collecting data and surreptitiously sharing it?

Anytime you download an app, you’ll generally receive some form of pop-up that asks whether or not that app can access your phone’s data. While these permissions used to be fairly broad and generic, operating systems are increasingly moving towards more customizable app permissions. Rather than just asking “do you allow this app to access your data?” they are offering the ability to choose which parts of data you want them to access – so you might grant that new messaging app access to your contacts and photos, but not your location.

Not only can you customize which forms of data the app can collect – maybe your location but not your contacts for a parking app, or your photos but not your location for a photo editing app – but you can also customize to what level the data can be collected, and at what times.

For instance, location data can sometimes take varying forms – you can allow apps access “never,” “always,” or “only while using the app.” Let’s say you frequently use an app that lets you pay for your parking spot. While it may be useful to have location data turned on while using the app to allow you to indicate which parking lot you are in, the app almost certainly does not need to have access to your location data at all times – sharing where you are whether you are parked or not.

Given the sheer amount of data that most people have on their phones and computers, it’s become even more important to ensure that data is protected. Here are a few tips for keeping your data collection risks minimal:

Pay attention to which apps have your permission: Just because an app asks you to grant it access to your data doesn’t mean you need to accept. Rather than blindly clicking “yes” when you see that familiar pop-up, think for a moment about whether or not that gaming app truly needs access to your location or photo gallery. Many apps can function just fine without needing to collect more than basic information from you. If an app requires access to extensive data for seemingly no reason, that may be cause to hit “delete” and find something a bit less intrusive.

Pay attention to which permissions those apps have: As operating systems have made it more convenient to customize app permissions, users should take advantage of these capabilities to ensure they’re only sharing the data that they are comfortable with. Rather than accepting all permissions that the app requests, be mindful of what types of permissions you are granting and tailor your preferences accordingly.

Regularly purge your apps (or at least their permission levels): How many apps are on your phone that you haven’t opened in the past month? The past year? Doing a quick scan through your phone’s apps to see which are no longer relevant may save you from having your data collected by sources you don’t even care about anymore. And for the apps that you do use frequently and want to have on your phone, it may be worthwhile to periodically check their permission levels to ensure you’re still sharing only the data you want to share.

Taking a little extra time to keep your protections up to date may seem frustrating, but it can be worth it in the long run. Don’t use Instagram that often? Turn off its camera and gallery access until you actually want to post a photo. Have three different map applications but only use one? Delete the others or turn off their location access.

There is no sense in having several apps of the same type collecting the same data, potentially to be shared with many others. This is likely only the beginning of what will surely be an ongoing effort to protect your data from falling into the wrong hands. By paying just a bit more attention to the permissions you are allowing on your phone or computer, you could protect yourself from a much more significant headache down the road.

Laurence Pitt is Global Security Strategy Director at Juniper Networks. He joined Juniper in 2016 and is the security subject matter expert for the corporate marketing team. He has over twenty years of cyber security experience, having started out in systems design and moved through product management in areas from endpoint security to managed networks. In his role at Juniper, he articulates security clearly to business and across the business, creating and having conversations to provoke careful thought about process, policy and solutions. Security throughout the network is a key area where Juniper can help as business moves to the cloud and undertakes the challenge of digital transformation.