Mobile App Security

     While installing an app for a car parts look up service, the app asked for permission to access videos, photos, GPS location, and other data not relevant to looking up parts for a car. Now, the app did have a nice feature, which allows a person to scan the barcode or VIN on their car instead of entering data manually, but this only requires access to the camera and photos. Yes, GPS can be helpful in determining market and pricing, but that information can be determined by access point or entered manually. What really shows intent by the company, is the fact that the app wouldn't start after denying it the vast array of permissions it wanted.

     These days, mobile users need to be wary of apps wanting free reign of their stored data. Phones are used for health services access, banking, and other private activities that place the data under protection of Federal Laws. I've denied many apps their permissions but none of them refused to start, except this one. If the app actually needs the permission, it will ask again when it needs it. But an app that demands free reign of your phone's data for all or nothing service is suspect in many ways. I may just install that app on an older phone and see exactly what it does with that access it demands.

     One would hope developers would learn to code within security bounds, not just for the good of the user, but for the good of the company. If that app with far reaching permissions is hacked, then that company is liable for the personally identifiable data that is stolen. Critical financial and health data is federally protected. I don't understand why a company would want to be vulnerable when the phone's permissions are there to protect them as well.

     Because of this app, I've started a page on this site dedicated to advising users about which apps ask for more permissions than needed. This brings up an important security issue for users. If you don't think an app needs the permissions it requests, deny the permission. It will usually ask again if it truly needs it. If it won't, then you need to uninstall the app and find another app--or use a website instead.

     Many app developers have developed their apps with user and company security in mind, not asking for more permissions than the app actually needs to function well. But there are still many apps which, following procedure of 10 years ago, just automatically ask for everything. Protect yourself and don't use those apps.