Wednesday, November 28, 2012

The Audacity of Your Flashlight App

I've been taking a closer look at my mobile apps lately, specifically the permissions they request when I download and install them.  It has been quite an eye-opener.  It turns out that mobile apps are invading our privacy.  It's as simple as this: any app that can read your contacts and access the Internet can slurp your data and send it off to some random server to be stored and/or used in a nefarious way.

The finding that surprised me the most was the audacity of my little old flashlight app.  I was using "Tiny Flashlight + LED", which is allowed to read your phone identity and have full Internet access.  A flashlight app that needs Internet access is nonsensical to me.  I switched to OI Flashlight, which requires only the permissions of camera control and preventing the device from sleeping.  I discovered during my research that most flashlight apps want Internet access.  The top 4 flashlight apps that appear when searching for "flashlight" on Google Play are:

  1. Tiny Flashlight + LED
  2. Brightest Flashlight Free
  3. Flashlight
  4. Color Flashlight

All four require Internet connectivity!  However, the winner of the most inappropriate and egregious permissions contest is "Brightest Flashlight Free" by Goldenshores Technologies, LLC.  This popular app (over 10 million downloads) requires the following permissions:

  • full Internet access
  • your location (both coarse and fine)
  • modify your SD card contents
  • read your phone identity

Can you think of a reason a flashlight app needs to know your current location or modify the data on your SD card?  I can't either.
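The comparison above can be automated. This is an added example, not code from the post or from any of the apps named. It reads the `uses-permission` entries of a decoded AndroidManifest.xml, reports everything beyond the camera and wake-lock baseline, and flags personal data readable by an app that also has Internet access. The mapping from Google Play's labels to `android.permission.*` constants, the `SENSITIVE` set, and the two sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Baseline for a flashlight, per the post: camera control and keeping the device awake.
FLASHLIGHT_BASELINE = {P + "CAMERA", P + "WAKE_LOCK"}
# Assumed set of permissions that expose personal or device-identifying data.
SENSITIVE = {P + "READ_CONTACTS", P + "READ_PHONE_STATE",
             P + "ACCESS_COARSE_LOCATION", P + "ACCESS_FINE_LOCATION"}
NETWORK = P + "INTERNET"

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml, baseline=FLASHLIGHT_BASELINE):
    """Compare requested permissions with what the app's function needs."""
    perms = requested_permissions(manifest_xml)
    return {
        # Everything requested beyond the stated function of the app.
        "excess": sorted(perms - baseline),
        # Sensitive data is only reportable off-device if the app has network access.
        "data_plus_network": sorted(perms & SENSITIVE) if NETWORK in perms else [],
    }

def manifest(*names):
    """Build a constructed sample manifest from short permission names."""
    rows = "".join(f'<uses-permission android:name="{P}{n}"/>' for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            f"{rows}</manifest>")

# Constructed samples: BROAD mirrors the permission list quoted in the post
# (plus CAMERA); MINIMAL mirrors the two permissions of the replacement app.
BROAD = manifest("CAMERA", "INTERNET", "ACCESS_COARSE_LOCATION",
                 "ACCESS_FINE_LOCATION", "WRITE_EXTERNAL_STORAGE", "READ_PHONE_STATE")
MINIMAL = manifest("CAMERA", "WAKE_LOCK")

if __name__ == "__main__":
    for label, xml in (("broad", BROAD), ("minimal", MINIMAL)):
        print(label, audit(xml))
```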


Anonymous,  11/29/2012 6:16 AM  

Thanks for this!! I knew when I installed Brightest Flashlight that the perms were stupid but I was too lazy to go look for something else. Thanks for the reminder.

Anonymous,  1/03/2013 8:11 AM  

Thanks for the interesting post.

Yeah, I also use "Brightest Flashlight Free". :-) I also noticed the expansive access it requested when I installed it.

If you read the seller's description, he/she points out that the install also stands up an application to access some search engine - which clearly generates income for the author. The author also specifically says how to delete the search application and that doing so will not impact the flashlight function.

My guess is that the Internet Access, Location and Phone Identity are part of the search application. My guess is also that the SD card access is for some functionality of the search application (which I deleted right away, so I don't know how it works.) I just checked, and unless it's hidden, the app has written nothing to my SD card.

I do wish Google would give us the ability to selectively deny some permissions but still install an application. Of course, doing so would be a support nightmare for the application vendors and would cut the legs out from under their various advertising/monetization schemes. So I imagine we'll never see that feature.

If you root your phone, there's at least one app which will allow you to adjust what an application has permission to do:

But apparently you have to root your phone to be able to change this. :-(

I wonder how the iPhone handles this?

Looking forward to your talk in Denver.

