Android Apps Overreach: Excessive Permissions Put Users at Risk
A Cybernews investigation has uncovered risks for Android users related to excessive permissions in popular applications. Experts have found that many apps request significantly more access than is necessary for their functionality, increasing the likelihood of personal data leakage.
An analysis of 50 popular apps on Google Play revealed that, on average, a single app requests 11 dangerous permissions. These permissions include location tracking, use of the camera, microphone, and access to user files. The Indian service MyJio leads in the number of permissions, requesting 29, including access to location, camera, microphone, calendar, and files.
WhatsApp requests 26 permissions, placing it second on the list. Truecaller, used for identifying numbers and blocking spam calls, requires 24 dangerous permissions. Facebook and Instagram also demand a significant number of permissions: 22 and 19, respectively.
Researchers emphasize that even seemingly minor permissions, such as sending notifications, can be exploited by malicious actors. In 2023, U.S. Senator Ron Wyden warned that notifications could be used for surveillance, as data is transmitted through intermediary services like Google’s Firebase Cloud Messaging, posing additional privacy risks.
One of the most frequently requested permissions is access to read and write data on external storage. This allows apps to access personal files, such as photos or documents stored on the device. While experts note that this access is often required for downloading media or saving app data, improper use of such permissions could lead to data breaches.
Other commonly requested permissions include access to the camera and audio recording. Thirty-three of the 50 analyzed apps request such permissions. These functions may be used for sharing photos and voice messages but also carry the risk of misuse by advertisers or cybercriminals.
The permission analysis showed that most apps in the communication and social media categories demand the highest number of permissions. Communication apps require an average of 19 permissions, while social media apps request 17. Some apps, like WhatsApp and Messenger, even request access to call management, phone status, and precise location—features not always apparent to users and not necessarily linked to the app’s core functions.
Researchers advise users to pay close attention to the permissions they grant to apps. Even in the case of games that request only a few permissions, caution is warranted. For instance, while games like Among Us don’t request any dangerous permissions, others like Mobile Legends or PUBG Mobile request over 10, including access to the camera, audio, and location.
At the same time, Cybernews experts highlight that even minimal permissions don’t guarantee security. An app may operate in the background, accessing the network and other data without notifying the user. Experts recommend regularly reviewing device settings and uninstalling unnecessary apps to minimize the risk of personal data exposure.
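The kind of per-app count described above can be reproduced from an app's manifest. The script below is an added example, not the researchers' tooling: it assumes an AndroidManifest.xml already decoded to text XML, and its permission table is a partial selection of Android's runtime ("dangerous") permissions grouped by the categories the article names. The sample manifest and the package com.example.chat are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Partial table of Android "dangerous" permissions, grouped by the data
# categories the article names. Assumption: not the researchers' own list.
DANGEROUS = {
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "camera": {"CAMERA"},
    "microphone": {"RECORD_AUDIO"},
    "calendar": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "files": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "phone": {"READ_PHONE_STATE", "CALL_PHONE", "ANSWER_PHONE_CALLS"},
    "notifications": {"POST_NOTIFICATIONS"},
}
CATEGORY = {p: c for c, perms in DANGEROUS.items() for p in perms}

def audit_manifest(manifest_xml):
    """Return {category: sorted permission names} for dangerous permissions."""
    root = ET.fromstring(manifest_xml)
    found = defaultdict(set)
    # Both element names declare permissions; duplicates collapse in the set.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            prefix, _, short = name.rpartition(".")
            if prefix == "android.permission" and short in CATEGORY:
                found[CATEGORY[short]].add(short)
    return {cat: sorted(perms) for cat, perms in found.items()}

def dangerous_count(manifest_xml):
    """Number of distinct dangerous permissions the manifest requests."""
    return sum(len(p) for p in audit_manifest(manifest_xml).values())

# Constructed sample manifest for a hypothetical app (not a real one).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for category, perms in sorted(audit_manifest(SAMPLE).items()):
        print(f"{category}: {', '.join(perms)}")
    print("dangerous permissions:", dangerous_count(SAMPLE))
```

INTERNET is a normal permission granted at install time, so it is not counted, which is consistent with the article's point that a low dangerous-permission count says nothing about background network activity.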
Cybernews experts previously conducted research showing that iPhones continue to actively exchange data with external servers even when idle for extended periods. In an experiment using a factory-reset iPhone SE with the 100 most popular apps from the German App Store, every outgoing connection to external servers was tracked via NextDNS. Since the researchers have already performed a similar experiment with Android smartphones, the comparison of these findings will be particularly intriguing.