Google Play recently made a change to the way it handles permissions when you download a new app. Permissions, in app speak, show you what parts of your Android phone the app will have access to. Whether it’s data, like your phone numbers, or hardware, like being able to play sound through your speakers or access your GPS location, these permissions are generally necessary to help the app run.
A good app developer should tell you what they need each permission for so that you’re confident they’re not skulking about behind your screen sucking up personal information.
The new change from Google has some benefits, but also brings some new challenges for the security-conscious user.
In the past, app permissions could be difficult to decipher. You had to do some research to work out just what was being asked for. Google’s made it a lot easier to see what things do, and what effects a permission might have, by grouping permissions into categories.
Unfortunately, in eliminating complexity they’ve removed some granular control from the user.
Say you download a new camera app. You’d expect it to take photos, so you’re happy to say ‘yes’ when it asks for access to the “Camera/Microphone” bucket of permissions. If they’re a good developer, they should tell you why they need access to that group of permissions, and what specific permissions within that bucket they need to use.
But if the maker of that app decided to be mischievous and listen in to what you were saying while out being snap-happy, they could tweak the app by updating it to take advantage of the microphone. It’s in the same permissions category as the camera, so Google Play won’t ask you to grant it any extra permissions when the app maker sends you their update – you’ve already told Google you’re happy for the app to use camera and microphone permissions.
This is why it’s really important to pay attention to what you’re downloading. You can also check what existing individual permissions your apps have by going into your settings. If you’re not comfortable with this new approach, we’d advise turning off automatic updates.
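To make the scenario above concrete, here is an added example (not part of the original post, and not Google's code) that compares the permissions requested by two versions of an app and flags new ones landing in a bucket the earlier version already had. It assumes the manifests have already been decoded to text; the group table maps only the “Camera/Microphone” bucket mentioned above, and the package name and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: only the "Camera/Microphone" bucket named in the post is mapped.
# Any permission missing from this table has no known bucket in this script.
PERMISSION_GROUPS = {
    "android.permission.CAMERA": "Camera/Microphone",
    "android.permission.RECORD_AUDIO": "Camera/Microphone",
}

# Constructed sample: version 1 of a camera app asks for the camera only.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

# Constructed sample: the update adds the microphone and fine location.
NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}

def silent_additions(old_manifest, new_manifest):
    """Split newly requested permissions into (silent, other).

    silent: new permissions whose bucket the old version already used, so
            grouped approval would not ask again.
    other:  new permissions in a different or unmapped bucket.
    """
    old = requested_permissions(old_manifest)
    new = requested_permissions(new_manifest)
    approved = {PERMISSION_GROUPS[p] for p in old if p in PERMISSION_GROUPS}
    silent, other = [], []
    for perm in sorted(new - old):
        group = PERMISSION_GROUPS.get(perm)
        if group in approved:
            silent.append((perm, group))
        else:
            other.append(perm)
    return silent, other

if __name__ == "__main__":
    silent, other = silent_additions(OLD_MANIFEST, NEW_MANIFEST)
    print("Added inside an already approved bucket:", silent)
    print("Added outside approved buckets:", other)
```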
App developers have an obligation under the Privacy Act to only collect what personal information they need, and to look after what they have. If you think an app is pushing the boundaries, stop using it and do a quick internet search. If they’re dodgy, chances are someone else has had the same issues as you.
Think about getting in touch with our office if you think your information has been inappropriately accessed. Even if the app is from an overseas company, if there’s a privacy or information commissioner in their area we can usually raise it with them.
Google also has a reporting tool built into Google Play, so be sure to flag apps as inappropriate if they are abusing access to permissions.
Next week we’ll be launching a short guide for developers, setting out what we think are the best ways to communicate with users and build privacy-aware apps.
[Image by Chris Slane - www.slane.co.nz]