How often do you get a question on your Android device about whether you want to give an app access to some application or other? This little popup appears so often that many people click on “Allow” without giving it a second thought.
Do you know how many apps you have given access to your personal information? While you hope that app-owners won’t abuse this access, with accusations rife against data-hungry companies like Facebook, you can’t be too careful.
Thankfully, with a little know-how, you can take steps to secure your Android device by changing your settings manually. In this post, we explain how to do just that.
How to discover app permissions
Information on the permissions that your apps have is easy to gather. First, go to the Settings screen. Scroll down to the Device section and then tap on Apps.
The next screen lists all of the apps on your phone.
Tap on an app to see all options. Select Permissions.
Now you can see the permissions that you granted to the selected apps.
Withdrawing permissions from apps
The services on your phone that apps can gain permission to access are:
If you granted access to one of these data stores or services, you can take that permission away by tapping on the slider next to the permission category.
Each of the categories you see in the permission screen for an app is not the name of an app, but the name of a category of apps. The Android operating system includes access functions that enable independently-written utilities to access the services of the operating system. Each of these categories in the Permissions screen gives access to a number of those functions.
Giving permission to access one of these categories gives apps access to operating system functions. Android contains all apps in a “sandbox”, which is an isolated environment that keeps those apps away from the operating system. Permissions break through that security measure.
Configure app permissions
You can get another view of your app permissions through the Configure apps menu. To navigate to this location, go back to the Settings screen, tap on Apps, and then press the cog symbol in the header of the Apps screen.
This gives you the Configure apps options. Tap on App permissions to proceed.
In the App permissions screen, you will see an option that wasn’t available in the list of permissions categories that you arrived at by examining individual apps. This is the Body sensors category.
A line below each category tells you how many apps have that permission and how many apps installed on your phone could feasibly use that permission. This message is in the format X of Y apps allowed, where X is the number of apps with access and Y is the number of apps with the capability to use that category of service.
Click on one of these categories to get a list of all apps that have that permission.
Click on the slider next to a category to turn its accessibility off. All apps that have this permission will have that access removed.
Back in the Configure apps screen, scroll down to the bottom of the permissions list. You will see that the last list item is called Additional permissions.
In the Additional permissions screen you will see four options:
- Car information
- Read email attachments
- Read instant messages
- Write instant messages
If you tap on an option that lists the number of apps that apply to that category as 0 of 0, the resulting screen will simply read No permissions. If any of those categories could be used by at least one app on your phone, tapping on that category would lead to an app list that gives you the option of turning each use off with a slider.
Deny app access to system settings
Although this guide is focused on “app permissions,” the task of securing your phone would not be complete without checking on the system settings that apps are allowed access to. You can view these settings via the Configure apps screen.
Tap on Modify system settings to proceed. The next screen shows every app installed on your phone with a message that tells you whether it can modify system settings.
Tap on one of these apps to see a slider that enables you to block the app from accessing system settings.
The idea of letting apps access your system is worrying. It is difficult to understand which settings each app needs because they are not itemized on the screens. There is no “Settings” page that provides details.
Malware can masquerade as a genuine app. You might click on Allow to a permissions demand without realizing that the app name that seems genuine is really an illegal app that contains a deceptive function. Such a malicious app can detect the apps that you want to open and then overlay them, mimicking the real app.
These types of apps are designed to gather authentication credentials for real online services. They can achieve this goal by making sure that the fake app covers the real version that you opened.
In order to perform this trick, the malware app needs to achieve the status of always being on top of all open apps. You can turn off this capability. Go back to the Configure apps screen.
Tap on Draw over other apps to see which apps can overlay the screen. In the following list, you will see each installed app and whether it can overlay others.
To remove this permission, tap on an app that has the permission that you want to remove. This will take you to a screen in which you can turn the permission off with a slider.
App permission consequences
Now let’s take a look at some of the categories that apps might ask for access to. The consequences of granting access can be very damaging.
If you allow a new app to access SMS, that new utility will be able to access MMS messaging systems as well as any SMS app you have on your phone, not just the one default SMS tool that comes with the Android operating system.
Furthermore, an app with permission to access SMS will be able to read all of the messages you have stored in your SMS apps. It will also be able to intercept and read (and possibly alter) incoming messages and it will even be allowed to send out SMS messages from your phone.
Phone call permissions
The permission to access any communication service on your phone is a gift to any malware that wants to replicate itself by sending out Trojan programs to your Contacts list. If the worm can send those infections out from your phone number, the hacker that wrote the original virus saves a lot of money and also hides his identity.
A malicious money-making app with permission to access your phone’s call functions can rack up your bill and make a ton of money for its owner by making repeated calls to premium numbers owned by the hacker.
Apps that have the permission to access your camera can take screenshots of your activities, take photos and videos of you and your friends, and send those images and video files back to the writer of the app.
Similarly, if an app has access to your microphone, any recording tool on your phone can be manipulated to record you without your knowledge.
The location feature on your phone can tell burglars when you are away from your home and can tell the owners of location-restricted websites and services that you are outside of their operating area so they can block you.
Operating system and storage permissions
Giving an app permission to access your storage allows data thieves to steal your information. It also opens the door to ransomware that can encrypt all of the files on your device and make them inaccessible until you pay for the decryption key.
Allowing an app to gain control of system settings could mean you lose access to your phone.
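The per-category view described above ("X of Y apps allowed") can also be built from a computer. The following is an added example, not part of the original guide: it parses text in the style of `adb shell dumpsys package` output, lists which packages hold each category, and picks out those able to send SMS or place calls. The sample text is constructed, and the exact dumpsys layout is an assumption that varies between Android versions.

```python
import re
from collections import defaultdict

CATEGORY = {  # real Android permission names -> category named in the article
    "READ_SMS": "SMS", "RECEIVE_SMS": "SMS", "SEND_SMS": "SMS",
    "CALL_PHONE": "Phone", "CAMERA": "Camera", "RECORD_AUDIO": "Microphone",
    "ACCESS_FINE_LOCATION": "Location", "READ_EXTERNAL_STORAGE": "Storage",
}
BILLABLE = {"SEND_SMS", "CALL_PHONE"}  # can run up charges (premium SMS, calls)
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)")

SAMPLE = """\
  Package [com.example.flashlight] (1a2b3c):
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.maps] (4d5e6f):
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""  # constructed sample, not captured from a real device

def parse_grants(dump):
    """Return {package: {permission: granted}} from dumpsys-style text."""
    grants, pkg = defaultdict(dict), None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            pkg = m.group(1)
        elif pkg and (m := PERM_RE.match(line)):
            grants[pkg][m.group(1)] = m.group(2) == "true"
    return grants

def category_summary(dump):
    """Return {category: (allowed_pkgs, requesting_pkgs)}: 'X of Y apps allowed'."""
    allowed, asked = defaultdict(set), defaultdict(set)
    for pkg, perms in parse_grants(dump).items():
        for perm, granted in perms.items():
            if cat := CATEGORY.get(perm):
                asked[cat].add(pkg)
                if granted:
                    allowed[cat].add(pkg)
    return {c: (sorted(allowed[c]), sorted(asked[c])) for c in sorted(asked)}

def billable_apps(dump):
    return sorted(p for p, perms in parse_grants(dump).items()
                  if any(perms.get(b) for b in BILLABLE))

if __name__ == "__main__":
    print(category_summary(SAMPLE), billable_apps(SAMPLE))
```

Any package that shows up in the billable list without an obvious need to send messages or make calls is a candidate for having that permission withdrawn with the slider described earlier.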
Turn off location services completely
On Android, the only way you can turn off access permissions is on a per app basis, as described above. This is the case with all categories except for the Location services of your phone. These can be turned off completely.
Turning off location services defeats geo-restricted websites that try to block your access from other countries. You can bypass their restrictions by using a VPN. However, many sites also check your location in the operating system, which defeats the masking action of the VPN because it gives away your real location.
The strategy of turning off location services completely doesn’t always work to get you into overseas websites. For example, even if you have a VPN operating, the YouTube TV site won’t give you access unless it can also check your phone’s location. You also lose the benefit of being able to track your progress along a route in a web map service.
However, if you want to turn off the location services on your Android phone, go to the Settings screen, scroll down to the Personal section, and tap on Location.
Click on the slider at the top of the Location screen.
Android permission problems
An example of a malware nightmare that will ruin your phone if you allow it to access the system is the Loapi Trojan, which Kaspersky Labs spotted towards the end of 2017. This malware is advertised as an antivirus utility or an adult content app. Once it is installed, the app will constantly demand permission to access the system. It will repeat the demand over and over again until you tap on Allow. You restart your phone to try to turn the app off, but that won’t work. When your phone starts up again, the first thing you will see is that demand for access.
The Loapi Trojan has a wide range of malicious functions. These include:
- Launching DDoS attacks on command on other internet-connected devices
- Cryptocurrency mining
- Frantic web page access to bump up income from recorded visits
The design of the Trojan enables its controller to load up new attacks on your phone at will. So this is a backdoor that will allow a constant stream of attacks to download onto your phone.
When investigating this Trojan, Kaspersky Labs loaded it onto a smartphone. Within two days, the excessive processing generated by the virus caused the device’s battery to bloat and the phone’s cover to warp. Basically, if you unintentionally download Loapi, you might as well throw your phone away.
The Trojan’s antivirus sweep will detect other antivirus programs running on your phone and alert you to allow removal of those programs, which Loapi falsely labels as malware. Again, the app will not take Deny for an answer. The prompt to allow the removal of those programs will not stop until you tap on Allow.
If you have Loapi on your phone, you might try all of the steps outlined in this guide to remove its permissions. However, the defense mechanisms of this malware suite will lock the phone and shut down the settings screens, making it impossible for you to revoke its access rights. This vicious app is just one example of malware that will render your phone unusable.
A more recent example of problematic malware is Joker malware. This family of malicious apps has been attacking Android users since 2016. Media outlets reported in 2020 that the malware had infected many different apps. The malware returned in 2021, updated, targeting millions of Android users. Joker malware is now so widespread that cybersecurity firm Zscaler has created a dedicated team to research the threat.
Joker’s apps are knockoffs of legitimate apps. When you download them from Play or a different market, the app contains no malicious code other than a ‘dropper’. After a delay of some hours or even days, the dropper downloads a malicious component and drops it into the app. Apps recently found hiding Joker malware include:
- Free Affluent Message
- PDF Photo Scanner
- delux Keyboard
- Comply QR Scanner
- PDF Converter Scanner
- Font Style Keyboard
- Translate Free
- Saying Message
- Private Message
- Read Scanner
- Print Scanner
When you download an infected app, it tricks the Android notification system by asking for permission to read all notifications. Once you grant this permission, it hides all notifications of malicious behavior. Since these notifications are hidden, criminals can:
- Steal personal information
- Access and copy your contact list
- Monitor your text messages
- Sign you up for fraudulent services
- Send text messages to premium numbers
If you have downloaded any of the apps listed above, you should immediately uninstall them. To find and delete apps on Android, follow these steps:
- Open the Google Play Store app
- At the top right, tap the profile icon
- Tap Manage apps & devices and then Installed
- Go through the list of displayed applications
- Next to the app you want to remove, tap Uninstall
It’s time to take back control of your Android device. You need to adjust all of those permissions and tighten up the security of your phone.
Be very careful about where you get your apps from. Never respond to spam SMS messages and avoid following links in web pages while using your phone. You also need to make a vow to pay attention to those permission notifications and select Deny unless there is a very good reason to tap on Allow. If an app won’t work without those permissions, you may want to consider uninstalling it.