Compounding the concern and adding to the privacy risk, Android operates in an all-or-nothing permission fashion: users accept the entire laundry list of requested permissions or the app cannot be downloaded. This model likely leads more users to scrutinise permissions less in order to get that instant app gratification.
Zscaler analysed more than 75,000 apps from the Google Play store in order to determine the permissions that are commonly requested by the apps at the time of installation. There were many interesting and revealing findings, which can be seen in the full research report. Two of the most compelling findings were:
68% of apps that request SMS permissions ask for the ability to send SMS messages. With most Android malware currently targeting premium SMS fraud, this is concerning, especially as users tend to indiscriminately accept requested permissions without scrutinising whether or not they’re truly needed.
28% of apps with SMS permissions also request read SMS access. This is somewhat unsettling, as an increasing number of apps and services send codes via SMS for mobile banking or two-factor authentication.
Android is based on a permission system, and each permission represents a given task. Applications can request required permissions and also define new permissions. For example, an application may declare that it requires access to the Internet. Android permissions cannot be denied or granted after installation. An Android application declares the required permissions in its AndroidManifest.xml configuration file.
For this research report, Zscaler focused on some of the more dangerous permissions, which allow apps to access a user’s personal information and grant access to functionality such as SMS, the address book, etc.
Below is the list of permissions that we consider to be higher-risk:
SMS related permissions
GPS related permissions
Phone call related permissions
Personal information related permissions
Address book related permissions
Device information related permissions
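As an added illustration (not code from the Zscaler report), the following Python sketch reads a decoded AndroidManifest.xml, separates requested permissions from newly defined ones, and groups the requested ones under the six categories above. The mapping of individual permission names to categories is an assumption, and the sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of standard Android permission names onto the article's six
# categories; the report's own per-category lists are not on this page.
CATEGORIES = {
    "SMS": {"SEND_SMS", "READ_SMS", "RECEIVE_SMS"},
    "GPS": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "Phone call": {"CALL_PHONE"},
    "Personal information": {"READ_CALENDAR", "GET_ACCOUNTS"},
    "Address book": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "Device information": {"READ_PHONE_STATE"},
}
# Constructed sample in decoded text form (an APK stores it as binary XML).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <permission android:name="com.example.flashlight.permission.TOGGLE"/>
</manifest>"""


def _names(root, tag):
    # Collect android:name from every <tag> element, skipping unnamed ones.
    return [n for n in (e.get(ANDROID_NS + "name") for e in root.iter(tag)) if n]


def audit_manifest(xml_text):
    """Return (requested, defined, risky-by-category) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = _names(root, "uses-permission")
    defined = _names(root, "permission")  # new permissions the app declares
    risky = {}
    for perm in requested:
        prefix, _, short = perm.rpartition(".")
        for category, names in CATEGORIES.items():
            if prefix == "android.permission" and short in names:
                risky.setdefault(category, []).append(short)
    return requested, defined, risky


def sms_notes(risky):
    """Flag the two SMS capabilities the article singles out."""
    notes = {"SEND_SMS": "can send SMS: premium SMS fraud exposure",
             "READ_SMS": "can read SMS: banking and two-factor codes"}
    return [notes[p] for p in risky.get("SMS", []) if p in notes]
```

Calling `audit_manifest(SAMPLE_MANIFEST)` and passing the third return value to `sms_notes` lists the findings for the sample app.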