Knowing when to be concerned over application permissions — and when not to be — is tricky and important
We've all heard about bad apps that steal your valuable data and ship it off overseas, and those discussions always end with one thing -- someone says you need to read an app's permissions before you install it. Well that's fine, but there is a small problem -- what the heck do those permissions mean? System tools — automatically start at boot is easy enough to decipher and understand why it's needed, but what about Your personal information — read contact data? Hit the break, and we'll try to figure some of these out together.
Remember, this list isn't 100 percent complete. For a complete in-depth list we're going to need a guest writer from Google to write it. The permissions system is micro-managed, with nuances only Google will ever fully understand, so I won't try. We can talk about a few of them that we do understand to give you an idea why they aren't always as scary as they sound, and why some apps need some of them.
Services that cost you money — directly call phone numbers
Warn me that something is going to cost me money, and you have my attention. But some apps need to make phone calls. Dialer replacements, Google Voice, anything tied to your phone dialer -- these types of apps have to have this permission. On the other hand, a ringtone app doesn't. You will want to look for this one, and if the app in question has no business setting up a phone call, be suspicious.
Services that cost you money —receive and send SMS or MMS
Again with the costing me money. And subscription SMS services are everywhere, so this is one to keep an eye on. SMS apps Handcent or Chomp will need this, that makes sense, but what about an app that allows you to edit or take a picture and send it to a friend? Yep, it's going to need to send MMS messages, too. Same with something like a Mr. T soundboard (I pity the fool!) that lets you send a sound byte. If an app is set up for you to share media, you might see this one listed as one of it's permissions. If it's not, think twice about installing it.
Your personal information — read your contacts
More scary sounding permissions, but let's think for a minute here. Of course any messaging app is going to need this, that makes sense. But a home screen contacts widget will need this, too. As will apps like Twitter or Foursquare, so you can share tweets or check-in information over e-mail or SMS. If an app doesn't have any social aspect, there's no need for this permission.
Your personal information — read calendar events
Used too often for my tastes, few apps outside of PIM or task management apps need this one. If you come across it, carefully consider why the app would need to read (let alone write) to your calendar. Most don't.
Phone calls -- read phone status and identity
The most abused, and least understood permission of them all. Some apps need to know if your phone is about to ring. Maybe they need to save state (ie freeze what they're doing) for when the incoming call screen pops up, or they need to turn over audio control back to the OS. But this is also the one that can read, and send your IMEI and other identifying information back to some random server on the Internet. Often, these unique numbers are needed as piracy control, or to keep track of you without using any more sensitive personal information. The issue is when developers use these numbers for things like remembering your preferences for online services or app history. Remember the big wallpaper app scare? After some investigation, we learned the developer was using your device ID to keep track of your favorite wallpapers on his servers. Seemingly harmless, but not the right way to handle it. My only advice here is to be sure you trust the developers of the app when you see this one. Or take a moment to email them and ask why they need this permission.
Your precise location — GPS and network-based location
These two are no-brainers. If an app needs to know where you are, it has to know where you are. If an app gets its revenue from location-based ads, it needs to know where you are. If an app has any mapping abilities, it needs to know where you are. And finally, if an app tells you information about finding things like businesses, it needs to know where you are. If you don't want these apps to know where you are, turn off the location services on your phone and don't install the app. If you want an app to tell you where to find cheap gas, you're going to have to let it know where to look.
Network communication — full network access
Another permission that we see far too often. If an app has no function for you to communicate with anyone else, or any type of downloadable content, this usually means ads. To show you ads, the app needs to get them from the Internet. If they app you're using is ad-free, has no need to contact the outside world, and doesn't have any type of add-on content, be wary. But don't be silly. Ask the developer why. If he or she tells you, they have nothing to hide. If they don't respond, move on.
There are many other, less suspicious permissions for things like keeping the phone awake, controlling hardware, or accessing system settings. Use a bit of common sense with these. An app that takes pictures needs to control your hardware. Netflix needs to keep your screen awake for the 90 minutes you're not touching the screen. A ringer mode widget needs access to your settings. And most apps nowadays need access to SD card content (which can mean internal storage as well). When you come across something you don;t understand, usually a bit of deductive reasoning can figure out why an app needs to do something. If not, read comments in the Market, and ask questions in the forums. Just don't be silly and think the sky is falling -- most Android developers just want to make apps that make them a little money, and have no bad intentions.