Managing Intrusive Mobile Apps - A Guide for Users

In the last decade, mobile applications have become an essential part of our daily lives due to rapid digitalisation. We use them for entertainment, productivity, socialisation and many other purposes. However, the vast majority of mobile apps available today for download are not created with their users' privacy in mind. Hence, most mobile apps are collecting and storing large amounts of unnecessary and personal information from their users. This article discusses ways that users can protect themselves from being trapped in a sticky situation by knowing how to detect intrusive mobile apps.

Understanding App Permissions

A 'permission' in an app protects the privacy of the user of the app. Every app must include an 'app manifest' that, amongst other things, lists the permissions that the app uses.

Every mobile phone has an operating system, most commonly the Android operating system (Google) or the iOS (Apple) operating system. The vast majority of mobile phones are 'Android phones' and they have two 'permissions' categories:

Normal permissions

These permissions do not directly risk the user's privacy - for example, permission to set the time zone is a normal permission. If an app lists a normal permission in its manifest, the system grants the permission automatically.

Dangerous permissions 

These permissions give the app access to the user's personal data in their mobile phone, such as contacts and SMS messages, as well as certain system features, such as the phone, microphone and camera. If dangerous permissions are requested, privacy laws do not allow the relevant personal data to be collected, used or disclosed unless the user gives explicit consent by 'accepting' the request for permission to do so.

In addition, privacy laws generally restrict 'dangerous permissions' to personal data that the app may collect, use or disclose while the user is actually using it - they do not allow apps to collect, use or disclose personal data simply because the user downloaded the app. Moreover, excessive use of permissions relative to the app's functionality and purposes may be deemed excessive.

How to look out for intrusive app

To spot an intrusive app, go to the Google Play store, visit the permissions section (view details) and look for what dangerous permissions it requires and whether they are proportional to the purposes and functions of that specific app.

For example, there are 50 apps listed that offer related Singapore MRT information on Google Play Store. Ask yourself what personal information (aka dangerous permissions) the app needs to function and give you information such as MRT routes and related information. Yet there are a few apps that require your phone status and identify, device ID and call information, camera - down to your specific location information. Is that necessary?

It would be reasonable, for example, to expect a taxi app to request access to make phone calls directly from the app or for a messaging app to get access to your location, contact list, storage so you can share your content with several recipients.

But it would be excessive for a shopping app to request permissions to directly call any phone numbers and read your call logs.  The same applies to an entertainment app if it requires access to a calendar when there is no relevance of a calendaring function to the purposes of that app.

Red flags

As a general rule, there are red flags of intrusive mobile apps that users can quickly identify in some cases. The biggest one, for instance, is if the mobile app asks its users for permissions for numerous functions i.e. camera or all phone contacts, without stating the purpose behind the need for these permissions. If a mobile app or company does not disclose to its users the purpose behind the collection and usage of the information they are accessing, generally, this implies that the mobile app is intrusive. The permissions that an app is seeking from its users should only be for functionality purposes.

As mentioned in the earlier paragraph, some of the common permissions that mobile apps ask their users for permissions is access to the camera and phone. The table below illustrates the “bad” and “good” side of granting the camera and phone access to the mobile app.

Camera

Permissions: Take pictures and videos

Phone

Permissions: Directly call any phone numbers, read call log, read phone status and identity, reroute outgoing calls, write call log

Privacy Notice of Mobile Apps

As a further precautionary measure, it is recommended consumers read the privacy notice to figure out the permissions and access that they need to give to a mobile app developer or to know how the organisation uses and stores their personal data when downloading free apps. This helps consumers to arrive at the decision to not download and use an app if the privacy notice is so complicated that they are unable to understand it or if they are worried about what it says about how the mobile app developer uses and stores their personal data.  For example, if the privacy notice states that the organisation can share all of the user’s personal data with third party ‘business partners’, this typically means they can share the app user’s personal data with anyone whenever they feel like it.

Before downloading a mobile app, consumers should think about why the app has been made available and by whom. If an app is made available by a well-known organisation to make it easier for consumers to acquire their products and services, then that makes good commercial sense. If an app is made available free of charge by an unknown organisation or for a frivolous, even if for an entertaining purpose, then consumers should proceed with care and ask themselves ‘why is this app being made available?’ and ‘How does the organisation that made it available profit from it?’. If there is no clear and logical answer, then, if it is free, you are the product! Collecting and sharing personal data about you might be the only real purpose of making the app available.  

One can upgrade one’s skill in data protection by attending courses, at the practical and operational level.

Adapted from interview with:  Kevin Shepherdson, CEO Straits Interactive - Fellow of Information Privacy, CIPM, CIPP/A, CIPP/E, CIPT, Exin (GDPR, Infosec), GRCP

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.