As mentioned in our previous article on the subject, every Android user sooner or later encounters a similar prompt:
This prompt is displayed whenever an app requests a permission that is part of a group of permissions that Google classifies as the “dangerous permissions group”. There is a total of nine dangerous permissions: BODY SENSORS, CALENDAR, CAMERA, CONTACTS, LOCATION, MICROPHONE, PHONE, SMS, STORAGE.
For some apps it is normal and expected to request some of these permissions. For example, an app like Messenger or Skype needs access to the device’s microphone and camera in order for all of its features to function normally.
On the other hand, a single player game for example, asking for the same permissions should raise a red flag, as they should not be necessary.
Android allows apps to request permissions individually and on-demand, that is, the first time they are required. However, some developers can still request all permissions at once, taking advantage of users’ habit of directly accepting any permissions/allowing any prompts presented to them. That way they can sneak in technically unnecessary permissions with possibly malicious intent.
More exploitable permissions
While the aforementioned dangerous permissions have the potential to cause more harm, there are many other permissions that exist in Android that are automatically granted to the app without any user prompts. Most of them are benign, however, there are some of them that can be exploited to an extent and/or can be considered a privacy concern.
We have selected a total of sixteen (16) permissions that we consider “suspicious”. This is not an official classification by Google, it is what we at VS Revo Group deem sufficiently exploitable to require user attention.
These are the permissions in question: BLUETOOTH, Wi-Fi, NETWORK, MODIFY AUDIO, NFC, WORK BACKGROUND, IR, BIOMETRICS, VIBRATION, INN-APP PURCHASE, SEND SMS, RECORD AUDIO, PHONE CALL, PRECISE LOCATION, ALERT WINDOW, READ/WRITE SETTINGS.
Please note that, outside of Revo Permission Analyzer, the only location where users can check which of those additional permissions (not counting the “dangerous” ones) an app uses, is that app’s page in Google Play. These additional permissions are not even listed in Android.
To illustrate, below is a comparison between the Settings app in Android (on the left) and Revo Permission Analyzer (on the right). Both list the dangerous CAMERA and STORAGE permissions, however, only Revo Permission Analyzer lists the additional WI-FI, NETWORK, VIBRATION, and OTHERS.
Another important thing to remember is that all additional permissions can only be viewed, they cannot be changed. Users agree to them automatically by simply installing apps.
Our solution
Revo Permission Analyzer now includes a new feature called PERMISSION ANALYZER, which can be used to filter all installed apps based on selected permissions.
You can download Revo Permission Analyzer from the Google Play store:
https://play.google.com/store/apps/details?id=com.vsrevogroup.revoapppermissions
After you launch the app, tap the PERMISSION ANALYZER button in the bottom left corner, or open the main/drawer menu, and tap PERMISSION ANALYZER.
You will see a table with all permissions that you can toggle. If you are using the free version of Revo Permission Analyzer, you will be able to filter using only six categories (CALENDAR, CAMERA, CONTACTS, LOCATION, MICROPHONE, and PHONE). The remaining three dangerous permissions, as well as all sixteen suspicious permissions, require the PRO version.
As you toggle different permission categories, Revo Permission Analyzer will dynamically filter all installed apps that use the selected permissions.
For example, you can select both the IN-APP PURCHASE and SEND SMS permissions to see which apps can have a financial impact if a child uses a device that has a saved credit or debit card, and is prompted to make a purchase; or apps that may send special SMS messages that may cost more than regular ones.
Another example. You can select BLUETOOTH, NETWORK, and NFC to find all apps that can make a connection to other devices and transmit potentially sensitive data.
Based on the number of filtered apps, Revo Uninstaller Mobile will display a certain number of app icons at the bottom. The icons are randomly selected from the filtered apps.
To view the filtered apps, tap the icon row at the bottom. You will be presented with another table with all apps that use the permissions you selected.
There you can select an app to view all of the permission it uses. First in the list are the dangerous permissions, followed by the ones we have classified as suspicious (beneath the “ALL PERMISSIONS BELOW ARE BUILT-IN” text).
The dangerous permissions listed are all that the app uses in general. The permissions that the app has requested and are active have a checkmark. The permissions the app uses but have not yet been requested (and granted by the user) do not have a checkmark.
We would like to remind you that only dangerous permissions can be changed. All other permissions can only be viewed. This is not a shortcoming of Revo Permission Analyzer, but a restriction imposed by Android itself.
To Wrap Up
App permissions on Android should not be taken lightly, as they can pose a real risk to one’s security and/or privacy. Knowing in advance which app has the potential to leak private information or surprise you with a purchase request, can incentivize users to switch to a different, safer app, which is beneficial in the long term.
Android already provides means to control dangerous apps, however, it offers no information about all additional permissions, outside of the “dangerous nine”, and its organizational and filtering functionality is severely lacking.
This is where Revo Permission Analyzer comes into play. It does not have its own control over the dangerous permissions, and instead uses Android, as that is a built-in restriction of the operating system, but it does offer a superior overview of all permissions, with intuitive and flexible filtering, to allow users to quickly and efficiently assess the status of their device and apps.
You can download and install Revo Permission Analyzer from the Google Play Store:
https://play.google.com/store/apps/details?id=com.vsrevogroup.revoapppermissions