Pierluigi Paganini September 15, 2023

Leading Android health apps expose users to avoidable threats like surveillance and identity theft, due to their risky permissions. Cybernews has the story.

The Android challenge

In the digital age, mobile applications have become an integral part of our lives, transforming the way we communicate, work, and entertain ourselves. With the vast array of apps available at our fingertips, it’s easy to overlook the potential risks they may pose. Behind the sleek interfaces and promising functionalities lurks a hidden concern that has captured the attention of security researchers and users alike – dangerous Android app permissions.

Android, being the most widely used mobile operating system globally, offers developers great flexibility to create innovative and powerful applications. However, this flexibility also introduces a crucial challenge – maintaining a balance between user convenience and safeguarding sensitive data and privacy.

Our researchers took a look at 50 popular health apps – for fitness, sleep tracking, meditation, mental health, quitting smoking, blood-sugar measurement, and medication reminders, among other purposes – to test their permissions.

Android permissions

The Android operating system has a comprehensive permission system designed to protect a user’s privacy and security. While many permissions are essential for apps to function properly, some could be considered more dangerous as they grant apps access to sensitive data and functionalities that, if misused, could compromise user privacy and security.

Here are some of the most dangerous Android app permissions:

• Location Access: This permission allows apps to track the user’s precise location using GPS and network information. While some apps genuinely need this permission for features like maps and location-based services, malicious apps could misuse this data for stalking, surveillance, or targeted advertising
• Camera and Microphone Access: Granting an app access to your device’s camera and microphone poses significant privacy risks. Malicious apps with such permissions could spy on users, capture sensitive information, or record audio and video without consent.
• SMS and Call Log Access: Apps requesting access to read your SMS messages and call logs can potentially extract sensitive information, such as authentication codes and contact details. This permission is often misused in phishing and spamming attacks.
• Read and Write External Storage: Allowing apps to access your device’s external storage could expose personal files, photos, and sensitive data to potential security threats. Malware can use this permission to plant harmful files or steal sensitive information.
• Device Administrator Access: This permission grants apps elevated privileges, enabling them to control various aspects of your device. While some legitimate apps (e.g., antivirus) require this access, malicious apps could abuse it to take full control of your device.
• Access to Contacts: Apps with access to your contacts may misuse this information for spamming, social engineering, or selling your contact details to third parties without your consent.
• Read Phone State and Identity: This permission allows apps to access device information, including the phone number and unique device ID. Malicious apps could use this data for tracking or unauthorized account access.
• Background Data Usage: While not a specific permission, apps that use excessive background data can pose security risks and drain your device’s battery. They might be transmitting data without your knowledge, leading to potential privacy breaches.

Let’s take a look at what dangerous permissions our tested apps have.

Camera access

This is a dangerous permission in the Android operating system that allows the app to access the device’s camera. When an app requests this permission and the user consents, it gains the ability to take photos and record videos using the device’s camera hardware.

• Purpose: The primary purpose of this permission is to allow the app to utilize the camera functionality for various purposes, such as taking photos, recording videos, or using the camera for augmented reality features.
• Implications: The `CAMERA` permission is considered dangerous because the camera can potentially capture sensitive and private information. If misused, it could lead to unauthorized image or video capture, invading the user’s privacy. For instance, a malicious app with camera access could secretly take pictures or record videos without the user’s knowledge or consent.
• User Consent: When an app requests access to the camera, Android prompts the user to grant or deny the permission. It’s crucial for developers to provide a clear and legitimate reason for requesting this permission, so users can make informed decisions about whether to grant access or not.
• Best Practices for Developers: App developers should request the `CAMERA` permission only when it is necessary for the app’s core functionality. They should clearly communicate to users why the permission is needed and how it will be used. For example, camera access is reasonable for a camera app or a social media app that allows users to capture and share photos. However, if the app doesn’t have a relevant and legitimate reason to access the camera, developers should refrain from requesting this permission.
• Security Measures: To protect users’ privacy and data, developers must ensure that any photos or videos captured by the app are stored securely and are not accessible to unauthorized entities. Additionally, camera access should be limited to the specific functionality that requires it, and apps should not abuse the permission to perform actions unrelated to camera usage.

Cybernews found that 44% of tested apps have this permission.

Read external storage

This permission allows the app to read data from the device’s external storage, such as the SD card or other external storage locations.

• Purpose: The primary purpose of this permission is to allow the app to access files, documents, images, or other data stored on the device’s external storage. With this permission, the app can read data from directories like the Downloads folder, DCIM (camera photos), or other user-accessible storage locations.
• Implications: The `READ_EXTERNAL_STORAGE` permission is considered dangerous because it grants the app access to a user’s personal files and data stored on the external storage. If misused, it could lead to privacy breaches or unauthorized access to sensitive information stored by other apps or the user.
• User Consent: When an app requests access to read external storage, Android prompts the user to grant or deny the permission. Users should be cautious about granting this permission to apps that don’t have a legitimate need for accessing external storage data.
• Best Practices for Developers: App developers should request the `READ_EXTERNAL_STORAGE` permission only when it is essential for the app’s functionality. For example, a file manager app would require this permission to allow users to browse and open files stored on the external storage. Developers should clearly explain to users why this permission is needed and how the app will use the accessed data.
• Security Measures: If an app has access to read external storage, developers should ensure that the app only accesses the specific files and directories necessary for its legitimate purposes. It’s essential to avoid accessing or modifying sensitive user data without proper consent.
• Scoped Storage: Starting from Android 10 (API level 29), Android introduced “Scoped Storage,” which changes how apps access external storage. Scoped Storage provides each app with its isolated storage space, limiting direct access to other apps’ data. Apps targeting Android 10 and higher follow the scoped storage model, which enhances user privacy and data security.

Cybernews found 58% of tested apps have this permission.

Record audio

This is a dangerous permission in the Android operating system that allows the app to access the device’s microphone and record audio.

• Purpose: The primary purpose of this permission is to enable the app to record audio using the device’s microphone. Apps that require voice calling, voice recording, voice chat, or any other functionality involving audio input typically request this permission.
• Implications: The `RECORD_AUDIO` permission is considered dangerous because it grants the app the ability to capture audio from the device’s microphone. If misused, it can lead to serious privacy violations, such as recording conversations or ambient sounds without the user’s knowledge or consent.
• User Consent: When an app requests access to record audio, Android prompts the user to grant or deny the permission. Users should be cautious about granting this permission to apps that don’t have a legitimate need for accessing the microphone.
• Best Practices for Developers: App developers should request this permission only when it is essential for the app’s core functionality. For instance, a voice messaging app would require this permission to record and send audio messages. Developers should clearly explain to users why this permission is needed and how the app will use the recorded audio.
• Security Measures: If an app has access to record audio, developers must ensure that audio recordings are used solely for the intended purpose and are not misused or accessed by unauthorized entities. It’s vital to protect user audio data and prevent any potential leakage.
• Sensitive Content: Apps with this permission should never use audio recordings to capture sensitive information, such as credit card numbers, passwords, or any personally identifiable information (PII). Handling audio data should comply with relevant privacy regulations and best practices.

Cybernews found 12% of tested apps have this permission.

Write external storage

The permission is another risky one in the Android operating system that allows the app to write or modify data on the device’s external storage, such as the SD card or other external storage locations.

• Purpose: The primary purpose of this permission is to allow the app to write data to the device’s external storage. Apps that need to download files, save user-generated content (e.g., images and documents), or cache data locally often request this permission.
• Implications: The `WRITE_EXTERNAL_STORAGE` permission is considered dangerous because it grants the app the ability to modify or delete files stored on the device’s external storage. If misused, this could lead to data loss, unauthorized modification of user files, or potential manipulation of sensitive data.
• User Consent: When an app requests access to write external storage, Android prompts the user to grant or deny the permission. Users should exercise caution when granting this permission to apps that don’t have a legitimate need for accessing external storage.
• Best Practices for Developers: App developers should request the `WRITE_EXTERNAL_STORAGE` permission only when it is necessary for the app’s core functionality. For example, a photo editing app would require this permission to save edited images to the device’s external storage. Developers should clearly explain to users why this permission is needed and how the app will use the storage access.
• Security Measures: If an app has access to write external storage, developers must ensure that it only modifies files that are necessary for its legitimate purposes. Additionally, they should implement appropriate safeguards to prevent unauthorized access to or modification of user data.
• Scoped Storage: Starting from Android 10 (API level 29), Android introduced this feature, which changes how apps access external storage. With scoped storage, apps have access only to their isolated storage space, which helps enhance user privacy and data security.

Cybernews found 52% of tested apps have this permission.

Get accounts

The permission is also a dangerous one in the Android operating system that allows the app to access the list of accounts associated with the device. These can include Google, email, and other accounts set up on the device.

• Purpose: The primary purpose of this permission is to allow the app to access and retrieve information about the accounts configured on the device. This information can be used for various purposes, such as facilitating account sign-in or integrating with account-related services.
• Implications: The `GET_ACCOUNTS` permission is considered dangerous because it provides access to a user’s account information, which can include sensitive data like email addresses or usernames associated with different accounts. If misused, this permission could lead to unauthorized access to personal account information or potential phishing attacks.
• User Consent: When an app requests access to get accounts, Android prompts the user to grant or deny the permission. Users should be cautious when granting this permission to apps that don’t have a legitimate need for accessing account information.
• Best Practices for Developers: App developers should request the `GET_ACCOUNTS` permission only when it is necessary for the app’s core functionality. For example, an email app might need this permission to display a list of user-configured email accounts for easier account selection. Developers should clearly explain to users why this permission is needed and how the app will use the account information.
• Scoped Access: Starting from Android 6.0 (API level 23), Android introduced runtime permissions, which means users have more control over granting permissions. Apps targeting API level 23 or higher need to request this permission at runtime, and users can grant or deny the permission on a per-app basis.
• Alternative Approach: In newer Android versions, the `GET_ACCOUNTS` permission has been deprecated in favor of the Google Sign-In API or the AccountManager API. These APIs provide a more secure and privacy-friendly way to access account information.

Cybernews found 18% of tested apps have this permission.

Read contacts

The permission is a dangerous one in the Android operating system that allows the app to access the user’s contacts or address book.

• Purpose: The primary function of this permission is to enable the app to read the user’s contacts or address book data, which typically includes names, phone numbers, email addresses, and other relevant information stored on the device.
• Implications: The `READ_CONTACTS` permission is considered dangerous because it grants the app access to the user’s personal information. If misused, it could lead to privacy violations, data harvesting, or unauthorized sharing of contact details with third parties.
• User Consent: When an app requests access to read contacts, Android prompts the user to grant or deny the permission. Users should be cautious when granting this permission to apps that don’t have a legitimate need for accessing contact information.
• Best Practices for Developers: App developers should request the `READ_CONTACTS` permission only when it is necessary for the app’s core functionality. For example, a messaging app might need this permission to access the user’s contact list for easier selection of recipients of messages. Developers should clearly explain to users why this permission is needed and how the app will use the contact information.
• Security Measures: If an app has access to read contacts, developers must ensure that the contact data is used solely for the app’s intended purpose and is not misused or accessed by unauthorized entities. It’s essential to protect users’ contact information and prevent any potential data leakage.
• Scoped Access: Starting from Android 6.0 (API level 23), Android introduced runtime permissions, which means users have more control over granting permissions. Apps targeting API level 23 or higher need to request this permission at runtime, and users can grant or deny the permission on a per-app basis.

Cybernews found that 18% of tested apps have this permission.

Read phone state

Another dangerous permission in the Android operating system, this allows the app to read information about the phone’s state and identity.

• Purpose: The primary purpose of this permission is to enable the app to access information related to the phone’s state and identity. This includes details such as the device’s phone number, IMEI (International Mobile Equipment Identity) number, SIM card information, network information, call state, and whether the device is currently in a call.
• Implications: The `READ_PHONE_STATE` permission is considered dangerous because it provides access to sensitive information about the device and its connectivity. If misused, it could lead to privacy violations, such as the unauthorized collection of personal data or tracking of the user’s phone activity.
• User Consent: When an app requests access to read phone state, Android prompts the user to grant or deny the permission. Users should exercise caution when granting this permission to apps that don’t have a legitimate need for accessing phone state information.
• Best Practices for Developers: App developers should request the `READ_PHONE_STATE` permission only when it is essential for the app’s core functionality. For example, a communication or caller ID app might require this permission to provide accurate caller information. Developers should clearly explain to users why this permission is needed and how the app will use the phone state information.
• Security Measures: If an app has access to read phone state, developers must handle this sensitive data with care. They should use the information solely for the intended purpose and implement measures to protect the data from unauthorized access or misuse.
• Scoped Access: From Android 6.0 (API level 23), runtime permissions were introduced, which means users have more control over granting permissions. Apps targeting API level 23 or higher need to request this permission at runtime, and users can grant or deny the permission on a per-app basis.

Cybernews found 18% of tested apps have this permission.

Access background location

This dangerous permission was introduced for Android 10 (API level 29) and above. It allows the app to access the device’s location even when the app is running in the background.

• Purpose: Primarily to enable apps to access the device’s location data even when they are running in the background. Before Android 10, apps could access location data only while they were in the foreground, but with this permission, certain apps can now access location data in the background too.
• Implications: The `ACCESS_BACKGROUND_LOCATION` permission is considered dangerous because it grants the app continuous access to the user’s location, even when the app is not actively being used. This can have significant privacy implications, as continuous background location access may reveal a user’s movements and behavior without their immediate awareness.
• User Consent: Starting from Android 10, apps requesting access to background location must explicitly ask for this permission at runtime. Users have the option to grant or deny this on a per-app basis, providing them with more control over their privacy.
• Best Practices for Developers: Developers should request the `ACCESS_BACKGROUND_LOCATION` permission only when it is necessary for the app’s core functionality and use cases. Apps that require continuous background location access, such as location-based tracking or navigation apps, should provide clear explanations to users about why this permission is needed and how it will enhance the app’s functionality.
• User Notification: When an app requests access to background location, Android notifies the user through a system dialog that explains the purpose of the permission and gives the user the option to allow or deny it.
• Privacy Considerations: Due to the privacy sensitivity of continuous background location access, apps that use this permission should handle the location data responsibly and ensure that it is not misused or shared with third parties without explicit user consent.

Cybernews found that 4% of tested apps have this permission.

Access coarse location

This dangerous permission in the Android operating system allows the app to access the device’s approximate (coarse) location using sources such as cellular towers and Wi-Fi networks.

• Purpose: Primarily to enable the app to determine the device’s general location using less precise methods like Wi-Fi networks and cellular towers. This information is not as accurate as the fine-grained GPS location, but can still provide useful location data for apps and services.
• Implications: The `ACCESS_COARSE_LOCATION` permission is considered dangerous because it grants the app access to the user’s approximate location. While this data is not as precise as GPS-based location, it can still reveal the user’s general whereabouts and movement patterns.
• User Consent: When an app requests access to coarse location, Android prompts the user to grant or deny the permission. Users should exercise caution when granting this permission to apps that don’t have a legitimate need for accessing their location data.
• Best Practices for Developers: App developers should request the `ACCESS_COARSE_LOCATION` permission only when it is necessary for the app’s core functionality. For example, apps that provide location-based services, weather forecasts, or localized content might need this permission to tailor their services to the user’s approximate location. Developers should clearly explain to users why this permission is needed and how the app will use the location data.
• Scoped Access: From Android 6.0 (API level 23), runtime permissions were introduced, giving users more control over granting permissions. Apps targeting API level 23 or higher need to request this permission at runtime, and users can grant or deny it on a per-app basis.
• Privacy Considerations: Although coarse location data is less precise, it can still provide valuable insights into a user’s location patterns. Apps that use this permission should handle the location data responsibly, ensure it is used only for the intended purpose, and not share it with third parties without explicit user consent.

Cybernews found that 30% of tested apps have this permission.

Access fine location

A dangerous permission in the Android operating system that allows the app to access the device’s precise (fine) location using sources such as GPS, GNSS (Global Navigation Satellite Systems), and other location providers.

• Purpose: Primarily to enable the app to determine the device’s precise geographical location using accurate methods such as GPS. This information allows apps to provide location-based services, navigation, and other location-dependent features.
• Implications: The `ACCESS_FINE_LOCATION` permission is considered dangerous because it grants the app access to the user’s precise location, which can pinpoint exact whereabouts with high accuracy. Misuse of this permission can lead to serious privacy violations, including unauthorized tracking of the user’s movements.
• User Consent: When an app requests access to fine location, Android prompts the user to grant or deny the permission. Users should exercise caution when granting this permission to apps that don’t have a legitimate need for accessing their precise location data.
• Best Practices for Developers: App developers should request the `ACCESS_FINE_LOCATION` permission only when it is necessary for the app’s core functionality. For example, navigation apps or location-based services like ride-sharing platforms would require this permission to function correctly. Developers should clearly explain to users why this permission is needed and how the app will use the location data.
• Scoped Access: Starting from Android 6.0 (API level 23), runtime permissions were introduced, which means users have more control over granting permissions. Apps targeting API level 23 or higher need to request this permission at runtime, and users can grant or deny it on a per-app basis.
• Privacy Considerations: Precise location data can be highly sensitive, and apps with access to fine location data should handle it with utmost care. Developers must ensure that the data is used only for the intended purpose and not misused or shared with third parties without explicit user consent.

Cybernews found that 28% of tested apps have this permission.

If you want to know more about security tips take a look at the original post on

https://cybernews.com/security/dangerous-permissions-android-health-apps/

About the author: Cybernews Team

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, health apps)