ThePew Research Center on Tuesday released a report on permissions and mobile applications found in the Google Play store.
The number of permissions requested by a mobile app can be a deal breaker for six out of 10 smartphone users, Pew found.
Applications request permission from users to access a variety of functions on a smartphone — accessing the Internet, for example, or using the device’s camera.
Most apps can’t function without permissions, but a good number of them also personal gather data about users, Pew said.
“Everyone knows you have to have permissions,” said Bob O’Donnell, chief analyst atTechnalysis Research.
“It’s a good thing,” he told TechNewsWorld. “In the early days of Android apps, they didn’t ask for permissions. That was bad.”
Sixty percent of app downloaders chose not to install an app after they discovered the amount of personal information it asked for, according to the report, which includes findings from a survey taken earlier this year.
Nearly half of those participating in the survey (43 percent) said they’d uninstalled an app after finding out its appetite for personal information.
Ninety percent of downloaders noted that how their personal data will be used is very or somewhat important to them when deciding whether to download an app, while 57 percent had similar sentiments about the number of times an app has been downloaded, surveyors learned.
“I think there’s a general assumption by many in the security community that users tend to ignore warnings and click through them and don’t take them very seriously,” said Maxim Weinstein, a security advisor withSophos.
“The fact that 60 percent of people have actually made the decision not to download an app based on the permissions requested is, to me, an encouraging sign,” he told TechNewsWorld.
Many Permissions, Few Used Often
Pew’s report is based on a study of more than 1 million Android apps in the Google Play store in 2014. Applications can seek some 235 unique permissions, with the average app asking for five permissions.
Of the 235 permissions, 70 percent were for accessing hardware functions, while 30 percent wanted to access some kind of personal information on the phone, Pew noted.
The most popular permission sought was for Internet access, the report said.
Only a few permissions are used commonly, said Aaron Smith, Pew’s associate director of research.
“There are only 15 or 20 permissions that are commonly used in a meaningful sense,” he told TechNewsWorld. “The overall universe is large, but the universe of permissions used on a regular basis is quite small.”
As far as risk to consumers is concerned, though, all permissions aren’t created equal.
“One permission to access all your user data is a lot worse from a privacy or security perspective than 10 permissions for various hardware features,” observed Technalysis’ O’Donnell.
On the other hand, permission bloat in an app isn’t always nefarious.
“Sometimes developers, out of laziness or a mistake, forget to remove things in apps meant for debugging or write code in a convoluted way than requires access to something it doesn’t need to accomplish what it wants to do,” said Sophos‘ Weinstein.
“When you’re developing, a lot of times it’s easier to ask for a lot of permissions than try to figure out exactly what permissions you need,” said Ben Johnson, chief security strategist atBit9 + Carbon Black.
“For the most part, I don’t believe there’s any malicious intent or intent to spy,” he told TechNewsWorld.
Few Apps Hit Mother Lode
Of the more than 1 million apps studied, almost half have been downloaded fewer than 500 times; 90 percent have been downloaded fewer than 50,000 times, Pew found.
“So there’s this enormous number of very, very niche apps that have only a very small number of downloads,” Pew’s Smith said.
On the other hand, there were some big hits in Google Play, too. Eleven apps had been downloaded more than 500 million times.
“There’s an interesting distinction between the long tail and fat head of the app ecosystem,” Smith added.
How significant is the risk to consumers posed by permissions?
“Permissions add on to other problems,” said James Pleger, head of research atRiskIQ.
“Permissions by themselves aren’t a risk, but they are when you couple them with installation of unknown software and privacy,” he told TechNewsWorld.
“The privacy issues are probably more problematic than the security issues,” Pleger continued. “Certain applications collect more data than they should. That, to me, is a bigger issue than some of the security issues because all of a sudden you have an application spying on all your personal data.”