Prague, Czech Republic, September 10, 2019 – Avast [LSE: AVST], a global leader in digital security products, has found that Android flashlight applications request an average of 25 permissions. Using apklab.io, Avast’s mobile threat intelligence platform, Avast analyzed the permissions requested by 937 flashlight apps that either once made it onto the Google Play Store or are still available on the Store. Out of these, 408 request 10 permissions or less, 267 request between 11 and 49 permissions, and 262 apps request between 50 and 77 permissions.
Apps taking their right to request permissions too far
Applications can request permissions to access data or features on devices they need in order to function properly. For example, a flashlight application needs access to the phone’s flash in order to use it as a flashlight. However, many applications request access to more permissions than they actually need.
“Some of the permissions requested by the flashlight applications we looked into are really hard to explain, like the right to record audio, requested by 77 apps; read contact lists, requested by 180 apps, or even write contacts, which 21 flashlight apps request permission to do,” says Luis Corrons, Security Evangelist at Avast. “The flashlight apps we looked into are just an example of how even the simplest apps can access personal data, and it’s often not just the app developers that gain access to data when users download an app, but the ad partners they work with to monetize. Developer privacy policies are unfortunately not inclusive, as in many cases, further privacy policies from third-parties are linked within them.”
Top 10 of apps active on Google Play requesting most permissions
No. |
App Name |
Permissions count |
Number of downloads |
1 |
77 |
100,000 |
|
2 |
77 |
100,000 |
|
3 |
76 |
1,000,000 |
|
4 |
76 |
100,000 |
|
5 |
76 |
100,000 |
|
6 |
74 |
1,000,000 |
|
7 |
71 |
1,000,000 |
|
8 |
70 |
500,000 |
|
9 |
68 |
1,000,000 |
|
10 |
68 |
500,000 |
Permissions in a gray area
There is a gray area when it comes to flagging apps requesting too many permissions as malicious or potentially unwanted, as users themselves grant the permissions, which is why many security solutions do not mark them as malicious. Apps can request outlandish permissions, but that does not mean they carry out malicious activities, per se. When a user installs an app, they grant the app and any third-parties associated with it, the right to carry out actions the app lists in the permissions section. App developers often integrate ad software development kits (SDKs) into their code to earn money from advertisers. To allow these SDKs to target users with ads, the apps request countless amounts permissions.
It is therefore imperative that users carefully check the permissions an app requests, before installing the app. Furthermore, users should carefully read the privacy policies and terms and conditions, as well as user reviews on the app’s download page.
A full analysis of the flashlight apps can be found on the Avast Decoded blog.