We download and install a lot of applications on our phones. While doing that, have we even taken a glimpse of the app permissions they are requesting? Most of us would probably say no just because we don’t have the time to read all of it and accept everything they ask from us. But, what we don’t realise is that not reading these permissions may end up hurting us in ways we don’t expect.
According to Pixalate’s Mobile Ad Supply Chain: App Safety & Consumer Data Privacy Report (Q3 2020), 70 per cent of apps on the Google Play Store request access to one or more ‘dangerous permissions’, such as precise location, camera, microphone, and more. This represents a 5 per cent rise from the same survey’s 2019 results.
Alvin Toh, Co-Founder of Straits Interactive, believes that it is more critical than ever for consumers to be aware of what a ‘dangerous permission’ entails and understand their own role in safeguarding personal data.
Alvin mentioned that among the top 100 apps in Malaysia, a high percentage of the apps could potentially violate the data protection act. The reason is that most of them never have a proper declaration as to why they are collecting data.
“Under the data protection act, you must declare why you are collecting data; you must get consent, give notice and give purpose,” explained Alvin.
In the financial industry, Straits Interactive found out that while international banking apps may require 2 permissions, the local bank would require 10 permissions, such as reading your SMS, looking at your calendar, access to your gallery and your location, but they never explain why they need it. This can be dangerous because people can start tracking your data without your consent.
Gallery and location are the two permissions that most people are wondering, “why do applications need it?” Despite that, Straits Interactive also wonders why they need to have access to the user’s calendar. Alvin mentioned that the reason is that the app developer ticked all the options available into what data/permission they can request from the users when creating the app.
That is why in many cases, Alvin said companies who contract these third parties are not aware of these permissions they are getting and end up storing personal data that are not necessary for their business function. If they are not careful, such mobile app permission requests could bring negative consequences to individuals and even businesses.
Alvin explained further in the following video:
Additionally, Alvin continued that what Google Play Store and Apple App Store have now done is provide a “layered notice”. They have put safeguards within the app notifying users that a particular app will access their camera or location. So, if the permission seems “intrusive”, this safeguard will be able to warn users.
“Spotting intrusive mobile apps is not so easy and this is why these app stores themselves now have this gate. If there are intrusive permissions like camera, voice, SMS communications, it will prompt you. The second part proactively you can do is use a mobile app scanner, of which there are many in the market,” he advised.
Alvin gave a scenario where credit card companies have misused personal data with their promotions. He mentioned that users who registered for one promotion started to receive other promotions elsewhere, like from photo studios, massage companies, and many more – and we wonder, how do they get our data?
Often, people who run these promotions sell their database to other third parties. Hence, Alvin said, “You have to be careful with these kinds of promotions. Lucky draws are very famous for this. You submit your data one time and then subsequently they sell it to six vendors.”
For individuals, it is important to understand the data privacy and protection policies to safeguard your data. He said to look out for why they are collecting your data and with the consent of what they are going to do with it. As for the companies, make sure that you have a standard operating procedure (SOP) of how you collect, use, disclose and store data.
At the end of the day, Alvin said people should be more aware of application security and data privacy and not just agree to every request because, in the worst-case scenario, cybercriminals could use the data to commit fraud or various types of crime.