What those scary app permissions mean

By Jerry Hildenbrand
last updated

We've all heard stories about bad apps that want to steal your valuable data and ship it off overseas, and those discussions always end with one thing -- someone says you need to read an app's permissions before you install it. Well, that's fine, but there is a small problem -- how do you know what the heck those permissions mean? Something like System tools: automatically start at boot is easy enough to decipher and understand but plenty of others aren't so easy. The problem is that apps may have a good reason to use them because several different things can be covered by one permission and there's no good place to see exactly what they all mean.

Let's take a look at some common permissions that sound really scary. Hopefully, This will help you have a better grasp on why a developer might want a certain permission or why they shouldn't be asking for it.

Services that cost you money — directly call phone numbers

When you warn me that something is going to cost me money, and you have my attention. This permission means an app can automatically make a phone call. Every app can launch the default dialer and even fill in the number, but unless this permission is granted you have to press the call button. Things like Dialer replacements, Google Voice, or anything tied to your phone dialer needs to have this permission. If an application asks for this but should have nothing to do with making calls, find out why from the folks who put in in Google Play before you install it.

Sometimes it's not obvious why an app needs permission to do something that is useful and safe.

Services that cost you money — receive and send SMS or MMS

Again with the costing me money. Subscription SMS services are an easy way for a crook to make money, so this is one to keep an eye on. Your favorite SMS apps will need this (that makes sense) but so will an app that allows you to edit or take a picture and send it to a friend. Apps that can share any media will probably have this setting, It's needed to use the intent to share anything through an SMS or MMS message. If an app can't send anything to anyone, you should check why the developers need this.

Your personal information — read/write your contacts

An email client or any type of messenger uses this permission to do exactly what it says — read your contacts. But so will something like a home screen widget that can hold a shortcut to a person. Or Twitter or Facebook — they want to be able to find friends of yours who also use their service or make it easy for you to spam the ones who don't. "Contacts" is a broad term because so much information can be stored for an individual contact. We see this one on games that have leaderboards a lot, too. Anything that can put you in touch with anyone else will probably need this permission.

Permission to write to your contacts follows the same logic — if an app can add a friend it might need this permission to do it. In this case "write" means modify or add to your contacts list, not write a message to a contact.

Your personal information — read/write calendar events

This one is pretty simple. It only does one thing — read your default calendar. Some apps will need to have access to your calendar. Besides obvious reasons to need this one, apps that can do things like reminding you when it's time to take medicine or automatically tell you about an upcoming trip might do that by reading your calendar. If an app needs to do something at any point in the future reading the calendar is a valid permission request. If it doesn't, find out what it wants to do before you install.

Writing calendar events is a common thing to need for an app that has a legitimate reason to read them. If it's not obvious why an app needs these permissions, the description in the Play Store should tell you more. If you're still not sure, ask the developer.

Phone calls — read phone status and identity

This is the most abused and least understood permission of them all. You need to understand that this permission covers two different things that shouldn't be lumped together. There are a lot of good reasons to need to read your phone state. A game is a great example. You might be doing your thing and playing a game when all the sudden your phone rings. The game needs to step back and let the incoming call notification have control of your screen. The call request can take control (and does) but the game needs to know that so it can stop the action in the background until you get back to it. It can do this when the phone status changes.

It's important to know which ID an app is asking for.

There are a couple different things your phone can do to provide a unique identity. Every phone has a device identifier that's different from every other one and it can be exposed without sharing any private information. When you see how many people are using a particular version of Android in a chart from Google, they are using this device ID to help get those numbers. When you go to Google Play you get counted and since every number is different you only get counted once. This number is also the best way for an app that can store settings or favorites in the cloud to tie them to you and only you. This is the ID we want to share because it can only tell what phone you have and what software is on it so none of your data is exposed.

This permission is also required for an app to read a different unique ID — your IMEI number. Your IMEI number is how your phone company connects your phone to you — your address, your name and everything else you would need to provide to buy a phone that can prove who you are. That data is hard to get — there is a minimum of three different secure and encrypted database servers between it and any of your account data, but it's not impossible to get. Because we've all seen stories about big telco companies exposing random user data from time to time, this is not something you want to be sharing for no good reason.

Since you have no way of knowing which ID an app asking for this will grab, say no when you see this one unless you know why they want it and what they're doing with it.

Your precise location — GPS and network-based location

If an app needs to know where you are it needs to ask for your location. A rough location through something like a Wi-Fi AP database works well enough for a lot of things but sometimes you need to get precise and that's a second permission request.

The need for your precise location can be determined by a little guesstimation. Does this app need to know what is within 50 yards of me? If the answer is yes, it needs a precise location. An app that tells someone who is wheelchair bound where the mall elevators or bathrooms are (those exist, and kudos to the people who make them happen) needs your precise location. An app that tells you what's on sale at Target when you get in the parking lot doesn't. Of course, any app with a map or that gives you directions needs to pinpoint your location, too.

And sometimes apps with ads in them need this just for the ad company. It's up to you to decide if you need those apps bad enough.

Your personal information — Modify/delete SD card contents

This is the permission that allows an app to read or write to your phone's external storage. This used to give an application free run to look at your data, change that data, delete that data and add more data anywhere on your SD card. This is a little confusing because they don't necessarily mean the little SD card that you can take out of the phone. In Android, your phone storage is referred to as an SD card in the file system. The little SD card is external storage. This was needed to support storing system-wide data on your removable memory card back when it was first developed. It hasn't changed because changing the name would break a lot of apps.

How apps can read from your storage changes as Google tries to balance convenience with security.

Google has done a lot to make this permission harmless. With each version, they refine the ways an application can get access to only the information it needs. But there are still people out there running older versions that may mean this permission is a little more serious. If you're one of them, make sure you trust the app before you install it.

There's a second reason why I'm listing this one. Any application that was written for API level 4 (Android 1.6 Donut) or lower gets this permission by default. There aren't very many of those apps around. But it's a way for an app that didn't come from Google Play to get access it shouldn't have if your phone is running an older version of Android. What harm can come from this depends on what type of data you have on your phone's storage.

Phones running Android 7 Nougat and apps built for phones running Android 7 use scoped directory access and this one is finally laid to rest.

Network communication — full network access

This permission means exactly what it says. An app wants to be able to send requests and get a response through the network (Wi-Fi or your phone's data connection). Besides apps that use the internet for something obvious, apps with ads in them need this one.

While this is a fairly harmless permission when it comes to your personal information, it can use your data allotment without you realizing it. We hate paying for extra data as much as you do. Use airplane mode when you're low on data and if you find an app that should work offline but doesn't, uninstall it. There are too many good apps to fool with ones that don't follow the best practices.

There are many other, less suspicious permissions too. An app that takes pictures needs to control your hardware. Netflix needs to keep your screen awake for the 90 minutes you're not touching the screen. A ringer profile widget needs access to your settings. When you come across a permission that seems out of place, usually a bit of deductive reasoning can figure out why an app is requesting it. If not, read comments in Google Play, and ask questions in the forums. Don't just install anything you feel uneasy about, and don't automatically assume the worst.

Most apps in Google Play aren't out to steal your data or your money.

Remember, most of the people writing apps just want to make a little money or are doing it because it's fun. Apps that exist to farm your data are few and far between. And sometimes developers will make a mistake — it's not hard to get Android to ask for a permission an app isn't using and it's easy to overlook those errors when you're building them.

Android is getting a lot better than it used to be when it comes to permissions. There's a good chance you can deny any of these after you install an app through your phone's settings and some of the most common "scary sounding" permissions are going away altogether. But with so many different phones having so many different versions of Android this information can mean more to some people than others.

We'll keep this updated as things change.

Jerry Hildenbrand
Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

45 Comments
  • Seems like they should break up the phone state and identity permission into 'Read phone state' and 'Read Phone Identity'. Because reading if my phone is about to ring sounds like a good permission. The other half, not so much.
    Just like there should be a 'read SD card'. I don't like read/write.
  • +100
  • Speaking of breaking down permissions into something more granular, wouldn't it be nice if the "Network communication -- full internet access" permission could be more limited. I'd much prefer to see "Network communication -- advertising", "Network communication -- admob", or "Network communication -- somedomain.advertiser.com" That way, you'd know your phone would be reaching out, but you'd know more about where it was going. Maybe I'll suggest that to the Android team...
  • the problem with that is that Google has no idea what purpose every developer in the world will have for connecting to the net or what developers are going to connect to with a network connection. And there's no way to programatically determine that. you think its a pain in the ass waiting for an OTA now?
    see what happens when Google has to collect the source code for EVERY app that EVERY developer plans to release so that they can analyze it and include a separate special permission for EVERY single connection into the SDK so that you can see your fancy "Network communication -- somedomain.advertiser.com" message when you download whatever app you're looking at.
  • Of all the permissions, this one bothers me the most. Allowing an app to see the number I'm calling is a huge privacy hole. And certainly isn't needed to suspend for an incoming call. With so much off shore development, it would be easy for malicious code to be written. People are concerned about the NSA while freely giving away even more private information to commercial companies.
  • I'd just like to add that "Phone calls -- read phone state and identity" is an add-on permission by Android if the app supports Android v1.5. Meaning, the app doesn't need the permission to do anything, and isn't explicitly declared by the dev, Android automatically tacks the permission on to support Android v1.5. The only way around it is to not support Cupcake, which is the reason I never had any intention of supporting less than 3% of the install base in exchange for having to declare that permission.
  • I agree with Mgamerz. Some of the permissions are too broad, lumping together permissions that, from a security perspective, should absolutely be specified separately. Isn't that the point of permissions, declaring them and reviewing them... security? On the other hand, developers sometimes declare permissions they don't need, or do things in such a way that the permissions are required, when an alternative method would not require the permissions. I have apps that can share things, and they don't need to read my contact data. I tell the app to share something, and a list appears containing all the available sharing methods, based on what's installed on my phone. I select the method, and the appropriate app opens. No special permissions required.
  • Perhaps, the real App that we all need is one that checks the Permissions for each of our installed Apps and alerts us when there is a concern! I'd buy it. This App should also provide the ability to quickly Uninstall Apps with silly Permissions.
  • I know of at least 2 apps that do exactly that. I can't think of them off the top of my head right now, but I do know one was featured on XDA's portal a few weeks ago. It would rate the permissions a given app has and designate it (the app as a whole) as safe, mild, dangerous, or scary if I recall correctly.
  • thats impossible. Without a ton of reflective programming built into the app being analyzed, all that an app like what you are suggesting could do is make a (somewhat) educated guess at best. Computers dont have intuition and AI is limited, so while a computer knows what specific lines of code do functionally, there's no way it could determine the overall intent or purpose of the combined code. the only way i could think to even implement such a thing is too take user input that would indicate what kind of app you are asking about, and ten have it (again) guess (more or less, via some sorta of determinant algorithm) what it should or shouldnt have. so basically it would be like asking your nearest techy pal...only with potentially less trust worthy results. I guess i could be wrong though.
  • Ironically, that have to give an app ALL the permissions wouldn't it? I would ONLY think an app like this would HAVE to be made by Google. They won't of course, because they are too greedy.
  • Cyanogenmod's privacy guard does something similar.
  • Check out Trustable by Bluebox. It runs a scan that helps identify security holes, permissions, etc that can cause problems. Free on Google Play apps: https://www.androidcentral.com/e?link=https2F2F...
  • Thanks a million for this article. I'm new to Android and it took me a bit by surprise to see the application permissions screen for the first time. But i mostly install well-known apps, so I'm not too paranoid.
  • "Phone calls -- read phone state and identity" This one is thanks to Android bug #10603 The android operating system is supposed to have a built-in unique identifier that any app can access. Unfortunately, all the Droid 2 phones and a bunch of other Froyo devices shipped with the exact same unique identifier. Advertisers need unique identifiers to prevent fraud. Since they can't trust the built-in serial numbers on Froyo devices they're forced to use your phone number to identify you. This sucks, but please don't blame the app-makers. All the major advertisers require this permission. More info on bug #10603 here : http://code.google.com/p/android/issues/detail?id=10603
  • best android bug by far has to be : http://code.google.com/p/android/issues/detail?id=18365&colspec=ID%20Typ...
  • Well done! People need to know that fanboys saying we are responsible for these permissions, need to have this information at their disposal. I doubt if they will want to comprehend it but good show.
  • Good Article!
    Its really annoying to see in app stores every app gettin unfair reviews because of people who dont understand permissions or that tey are needed to do whatever it is they want the app to do. Its really hard to get an honest opinion and gauge the qualilty and effectiveness of an app when that happens. some can't help it, not everybody is a techy I understand that...the people that get on my nerves are the overly paranoid conspiracy theorist freaks though.
  • The OS is insecure it's proven and isn't part of any conspiracy theory
  • Every OS has vulnerabilities. There are plenty of conspiracy theorists in the Google Play Store reviews that take it way too far.
    So Android, and every other operating system in the world are vulnerable in some ways. What are you getting at exactly?
  • Technology is grooming fast day by day. so many mobiles applications are running different mobiles just because of growth in technology.
    Now there are many funny and fool applications are available to make someone fool on April fool day like hack the mob, share others credit from mob, lock phone, hack bluetooth etc etc.
    some years people were tried april fool messages to make others fool but not they used many mobile softwares and smiley which can make people foor in batter ways.. :)
  • I appreciate that...the citizens that obtain on my April Fool Messages are the excessively suspicious scheme philosopher freaks although.
  • Each and every of these solutions Romantic Facebook Status present feeds every time a new content is added, but have different options to supervise the blog and configure its look and feel. You would like to try these before going to find something else.
  • samuelshun, serious dblspk
  • Good article, Jerry. One thing to clarify, though.
    re: Services that cost you money —​receive and send SMS or MMS
    "Yep, it's going to need to send MMS messages, too." I'm not in front of my development machine to confirm, but I don't think this is entirely accurate. Apps can use the "intent" system to send email/sms without special permissions. it's only when the app wants to automate things and not have that pesky user interaction involved that they need special permissions. I'd argue that the ShareActionProvider is the best way to do this, anyway. Be wary of things that want to send SMS on your behalf.
  • Well written. It is VERY important and TOO tricky these permissions are don't you think? When you state some of these permissions ONLY Google knows about, proves my point from past comments on this site THAT Google/Android is very insecure AND Google is too greedy to do anything about it. The fanboys have screamed at me me when I professed this but more and more information keeps proving my point. They say it is the user's problem and responsibility BUT not if some permissions only Google really only knows what they are for. Lastly, these permissions will continue to be ignored by the general public THUS keeping the Google/Android OS incredibly insecure
  • "incredibly insecure" Overreact much?
  • Many have complained about the NSA. However, Google/Android's system has allowed for ALOT worse, it really has. So, over reaction? I don't think so
  • Even Google themselves, along with a couple of other big names like Facebook, have been complaining recently that, not only are they not allowed to divulge what, when or why they have been forced by law to collect\pass on our sensitive data, they aren't even permitted to comment generally about how often this may or may not happen or the lengths to which it may go.
    It is altogether probable that some or all of the non-essential permissions we are essentially forced to relinquish may be there solely or mainly to allow our own 'elected representatives ' (who are rarely representative and sometimes not even elected, for example the CIA, FBI, NSA, FDA, DARPA etc in the US; MI5, MI6 etc in UK) to gather an ever more detailed picture of our every move. To what end is a moot point. Why, for example, the Google calendar app that comes preinstalled on all android devices, would ever need to read or change details of my contacts, make calls, send emails from my account without my knowledge or permission, find and use accounts on my phone, (it doesnt even state which accounts, or which programme or app the accounts belong to),
    Although, on reflection, the mass wiretap of almost every single email, text message and telephone call
  • Why are most of these comments saying they are from 3 years ago? Is this a recycled article? Posted via Android Central App
  • I updated the Facebook app over the weekend and it stated that no new permissions are needed. But guess what happened next? I got a friend suggestion, my boss. How would FB know of him if it didn't read my emails? FB doesn't have my phone number and the email address I used when I signed up for FB is my Gmail one, not the work one. The panda has spoken
  • Mutual friends?
  • Facebook seems to have started mining your Contacts list. I suddenly started getting friend suggestions for a bunch of new people with the only thing in common being that they're in my phone directory. I personally think that's really creepy. It'd be one thing for Facebook to have a feature to allow you to search for specific people in your phone directory. To do that, they'd only have to read your contacts locally. But they seem to be sucking up your phone list to their servers to automatically generate 'people you might know' alerts. I didn't give them permission to take that data (well maybe I technically did by allowing their app to run on my phone). Anyway, it sucks.
  • Is it true that the Facebook inventer "Tom" or whatever received an award from the FBI for helping find more criminals since being available than ever before using actual police work. Because this scares the Shit out of me what if someone was on my Facebook doing illegal activaties and the information that was found was not mine could I or would I get charged or would they have to proove it with evidence that it was my messages ?
  • My banking app recently updated, adding the "read your contacts" permission requirement. When I asked them why a banking app would need this, they responded, "it's for a future feature." Um... yeah. Anyone else deal with something like this? I need the banking app for mobile deposit, etc., but I'm currently refusing to let it update.
  • This doesn't explain the constant addition of "new permissions" from apps that never needed them or have a noted use for them.. Why is it that every app all of a sudden wants to know what other apps I have on my phone? A few months go, not a single app wanted or needed this permission, now they all need it all of a sudden. I seriously have not purchased or updated a single app in 6 months due to this bombardment of "new permissions".. Even the PAID apps! Paid or Free it's all a bunch of user approved spyware.. We would never tolerate this crap on a PC.. I don't know why people tolerate rampant spyware on a device that may have more personal info than your PC (or Mac)..
  • I just open app ops and disable every permission that definitely isn't relevant, never had any issues.
  • What is apps ops? Is your device rooted?
  • I have revoked "Read phone identify" from ALL user apps on my device, using LBE privacy guard. Everything is still working fine.
  • 1) Read permissions
    2) Understand permissions
    3) ????
    4) Profit!
  • I have an app called Navigation Layer which adds gesture control to device and is pretty great. One of the new permissions on a recent update is 'full permissions to all device features and storage.' How can I know exactly what that means and ensure the app isn't doing some shady stuff now?
  • I call BS on the Phone # & identity permissions. Not only do too many apps want access to see my number and identity and know if my phone is active, but they also want to know WHO IT IS THAT i'M TALKING TO!!!!! It looks to me as if these app developers are in bed with the NSA & CIA, etc.
  • i knew the score with this low life lady a couple days before she relized, she took my old phone while i was asleep, using the home wifi she obtianed my e mail address and from there burgiurgized my privicy, lucky my debit card was depleated. its been chopped up never loan your phone, never let peaple gain the oppertunity to take a , let me refraze, steel a pic of your phone, and turn off your blou tooth
  • It's so easy to become complacent once you become consumed by the many intricate details and feature selections of applications with such intoxicating colors, functions and seemingly endless evolution of modern technology. I find it a lure of the most impressive and attractive designs which tend to seize or hijack the minds of people who have developed an innate trust and a faithful optimism of honor and fidelity. Instead, a transparent manipulation of skilled brilliance, elequent dishonesty, and a mantra hyped with seemingly clairvoyant incantations accompanied with a bold handle of deceit most often fueled by greed.
    As my father drilled into my head from the age of seven > "Never let your guard down!!!"
  • Good text. For me permissions are also crucial channel of ocmmunication between the app makers and the users - clear, reassuring, to-the-point messages seem to be to be the best way of acquiring permissions and also feel like it's safe to use an app. It's happened to me a few times to abandon using an app simply because I didn't know exactly how will the personal data be used and I didn't care enough to google the details.