
Why App Permissions on Androids are so Much Sloppier than iPhones


Android vs iOS
The Mac Security Blog from Intego is (surprise surprise…) a particularly popular read for those who own Apple Macs and MacBooks, and are keen to know how to keep their treasured devices safe and secure.

But we’re not blinkered enough to think that some of you might not have been lured to “the other side” and bought an Android smartphone or tablet, rather than an iPhone or iPad, to run alongside your Cupertino-designed desktops and laptops.

However, whether you have chosen to stay loyal to Apple, or are the proud owner of an Android, if you’re interested in security and privacy you should be aware of the different approaches taken by the two warring operating systems.

Leo Mirani, a reporter with Quartz, has described the different approaches taken by Apple and Google when it came to giving users greater control over what personal information is shared with mobile apps.

The difference can perhaps be most immediately explained by showing you the following screenshot, posted on Twitter, of what one Android user saw when he updated a Canadian banking app on his tablet:

Should a banking app *really* need access to your location, your camera, or a list of what other apps you might be running?

Well, I can see such behaviour making many people nervous. At the same time, I imagine it could be argued that knowing a device’s GPS location might help stem fraud if the device fell into the wrong hands, and that a camera might be handy if you needed to take a snapshot of a cheque, and seeing what other apps are running might help harden security against malware and poorly-written code.

Similarly, at first you might imagine that a banking app being able to access your address book is creepy behaviour, but it could be handy if you wanted to fill in forms to make payments to friends and family more easily. And maybe even a bank app might have a legitimate reason to make phone calls if, say, it offered the ability to speak directly to the bank’s support team.

So, it *is* possible to argue that this Android banking app might have a legitimate reason to interact with these different parts of your phone, but the fundamental problem is this:

  • The app doesn’t tell you WHY it needs each of these permissions
  • The app doesn’t let you CHOOSE which of the permissions you wish to grant, and which you wish to decline. It’s all or nothing.
  • You only get informed of the permissions the app requires at install time. After that, you’re left in the dark as to what it is doing as you have already granted permission.

In short, it’s no surprise that some Android users feel a little uneasy when they install an app – even if it’s from the official Google Play store.
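To see what an update like the one in that screenshot is actually asking for, you can compare the permissions declared by the old and new versions of an app. The following is an added example, not code from the original article or from any app it mentions: the two manifests are constructed for a hypothetical app, and the mapping from Android permission names to the capabilities discussed above is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: Android permission names -> the capability the article
# talks about (location, camera, running apps, address book, phone calls).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.GET_TASKS": "running apps",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.CALL_PHONE": "phone calls",
}

# Constructed manifests for a hypothetical app, before and after an update.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of permission names a manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def added_on_update(old_xml, new_xml):
    """Group the sensitive permissions that only the new version requests."""
    added = declared_permissions(new_xml) - declared_permissions(old_xml)
    grouped = {}
    for perm in sorted(added):
        if perm in SENSITIVE:
            grouped.setdefault(SENSITIVE[perm], []).append(perm)
    return grouped

if __name__ == "__main__":
    for capability, perms in added_on_update(OLD_MANIFEST, NEW_MANIFEST).items():
        print(f"{capability}: {', '.join(perms)}")
```

The manifest lists what the app may do but, as the bullets above note, says nothing about why, so each newly added capability still has to be judged against what the app is supposed to do.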

Now, let’s compare with how Apple handles the same kind of issue.

As Leo Mirani explains, Apple doesn’t trouble the user at the point of app installation with any gobbledygook about permissions.

“On its mobile operating system, iOS, apps don’t ask permission when they’re installed. Instead, iOS takes some permissions as a given—internet access for instance—but for more sensitive data, such as your photos or location, the app has to ask for access when you use it. That more closely relates the decision to grant access to the reason for asking for it.”

On iOS, to use certain permissions—specifically to access GPS location services, Calendars, Contacts, Photos, Reminders, Bluetooth, Microphone, Motion Activity, or your Twitter or Facebook account—the app will need to request your permission when it is first required.

iOS app requesting location access

In this way, iOS gives the user greater choice about what permissions they want to give an app, and which they don’t.

It’s not the “all-or-nothing” approach of Android permissions. That’s good news for iPhone users, who no doubt are enjoying crowing at the misfortune of their Android cousins.

Well, it looks like there will soon be more reasons to cheer if you went the iOS route, because a new version of iOS is coming.

What I’m particularly pleased to see is that Apple doesn’t appear to be resting on its laurels, but is actually working on improving app permissions in iOS 8.

As app designer Luis Abreu explains, in the next major version of iOS—due later this year—apps will not just request your permission, but will also *explain* why they are asking for it.

iOS camera permission

You will be able to easily choose if you want an app to carry on monitoring your location, even when you aren’t using the app.

Location in the background

And the operating system is clearly going to great efforts to keep users informed of what is happening on their iOS device, even using a double-height status bar to tell you if an app is using your location.

Location in the background

These, and other privacy updates coming in iOS 8, are detailed in Abreu’s blog post.

None of this, of course, means that iOS apps are necessarily safe and trouble-free. It will still be possible for mischief-makers and the incompetent to create iOS apps that are sloppy with how they access and store your data, and what they might do with it.

But at least Apple appears to be putting the right tools in the hands of its users, allowing them to make simple decisions that will help them keep their private information out of harm’s way.

And don’t forget – if at any point you decide that you want to review or change an app’s permissions, it’s easy to make a change on iOS.

Simply go to Settings / Privacy, and you will be able to see what apps you have granted access to which services (and revoke their rights if you wish).

Privacy settings

If you haven’t done so recently, I recommend you check that iOS setting right now. Who knows, you might be surprised by what you find.

After all, you don’t want your Android-loving friends to have the last laugh, do you?

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.