Last weekend, I was doing some work around the house and needed a flashlight. I cursed having to get up and get one from the closet when my daughter said, "Use the flashlight app, Dad." Then we discovered that my Android phone doesn't have a built-in light. This, of course, led me to look for an app and spend much more time than getting off my lazy butt and getting a flashlight would have. Hey, this is the age of mobile convenience, and now that I have an app, I won't ever be flashlight-less again! All a very worthwhile exercise – a great light that is handy and brighter than many real ones I have owned. All of this leads up to my diatribe on app permissions... Ready, set, go! I don't have an exact count, but using the Google App Store, a search returns about 30 flashlight apps. Now, how do you pick one? This is a simple app, so maybe the answer should be simple. Cheapest? Best rated? Most downloads? A developer/vendor you recognize? All of those are decent criteria, and I use them as part of my decision process when looking at apps to download. But I think the best ways to filter your app choices is to look at the permissions required and ask "Why?" for each one. Is the permission required to do the job? Is it one that is necessary because there isn't a finer grained permission (access to camera and storage required just to turn on the flash)? Or is it there to serve the app and its author (ads and/or feedback)? Or could it be malicious? The first of the flashlight apps I looked at clearly wanted more permissions than one should need or be willing to give a simple flashlight. Almost all of the apps I looked at wanted network access, supposedly to display ads, but clearly once granted network access, it is a matter of trust that the app doesn't send personal data. Some want access to read phone status and identity, which is not anything I can rationalize for a flashlight. And even if that was a reasonable request so the app could monitor power consumption, why would it also need full network access or to modify system settings? This is a flashlight app we are talking about, isn't it? Another concern raised here is the fact that app updates can change the permissions required, and in the case of auto-updates, the average user will never know the change happened. Users get notified of when new permission groups are added, but fine-grained permissions within a group can change without notification. That means that even when I make good choices, a patient attacker could get a decent number of downloads before the app is updated with new permissions and "features." But going too far down that road might lead to paranoia and sanitariums.
After Researching a few of these apps, I finally came across Privacy Flashlight that only requires access to the camera and the flashlight (research dependency between two permissions) that also satisfied my other concerns:
- Good reviews and a decent quantity of them
- A developer I could research and am satisfied isn't a criminal
- A decent user base
- Free is a very good price (all flashlight apps were free, so that wasn't a deciding factor, but there are good reasons to avoid free apps – like they are more likely to contain ads and that can raise privacy concerns)
For me, the hardest part was not choosing the first flashlight app that came up: Brightest Flashlight Free. (I hesitate to even link to the app, but this is the web). This is in spite of my focus on security and software as a profession, I was more interested initially in convenience and almost chose an app that uses an insane number of permissions[i] and appears, on a closer look, to track its users and do other little bits of nastiness (at least according to the large number of angry "customer" reviews). I included in the image above some of the permissions that caught my attention. It requires a total of 8 permission groups, including Wi-Fi connection information, your location, and full network access. I have to postulate that this is a good way to get crimeware installed and bury the attack in an innocuous app that no-one will think about installing. This has, after all, happened before with flashlight apps. I mean I am going to bet that some (not all or even a majority of) people will make sure their banking app comes from the bank and that high-value apps get a review of permissions. OK, I am not going to bet that, but I can dream, right? I am reasonably aware of the issues around phone apps and security, but the trap of ease of use almost caught me. How can I expect non-professionals to even consider the security aspects of their choices when the whole mode of mobile app installation is oriented to make it quick and easy? What I would like to see in "app stores" is more prominent placement of the security concerns around installing apps and guidance to help consumers make informed decisions about the permissions required for each app – maybe a table that lays out features and required permission. In addition, there have been attempts by Google to help, such as the App Ops feature in 4.3 that got removed. As of Android 6.0 (Marshmallow), you can set permissions on a per-app basis and deny permissions that apps request. All is not lost, but people should learn about this feature and learn to use it once it's available on their device. The lesson for me here was to slow down and pay attention to the details when adding apps to my mobile devices. Think about one of my first statements "...now that I have an app, I won't ever be flashlight-less again!" – because I always have my phone! These devices are always on and are way more personal than my desktop or laptop, yet we still don't think of them as all that important. I am more likely to search the web with it than I am to wake up my computer and ... wait ... for it to load. It is the best privacy invasion device ever made, for you choose to carry it everywhere and volunteer information just by having the phone. This is true before you even install one of these over-privileged apps. We need to treat mobile devices like the crown jewels that they are and provide end users the secure experience to go along with ease of use.
Footnotes
[i] The actual list of permissions required for Brightest Flashlight Free
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.
