What those scary app permissions mean

We've all heard stories about bad apps that want to steal your valuable data and ship it off overseas, and those discussions always end with one thing -- someone says you need to read an app's permissions before you install it. Well, that's fine, but there is a small problem -- how do you know what the heck those permissions mean? Something like System tools: automatically start at boot is easy enough to decipher and understand but plenty of others aren't so easy. The problem is that apps may have a good reason to use them because several different things can be covered by one permission and there's no good place to see exactly what they all mean.

Let's take a look at some common permissions that sound really scary. Hopefully, this will help you have a better grasp on why a developer might want a certain permission or why they shouldn't be asking for it.

Services that cost you money — directly call phone numbers

When you warn me that something is going to cost me money, you have my attention. This permission means an app can automatically make a phone call. Every app can launch the default dialer and even fill in the number, but unless this permission is granted you have to press the call button. Things like dialer replacements, Google Voice, or anything tied to your phone dialer need to have this permission. If an application asks for this but should have nothing to do with making calls, find out why from the folks who put it in Google Play before you install it.

Sometimes it's not obvious why an app needs permission to do something that is useful and safe.

Services that cost you money — receive and send SMS or MMS

Again with the costing me money. Subscription SMS services are an easy way for a crook to make money, so this is one to keep an eye on. Your favorite SMS apps will need this (that makes sense) but so will an app that allows you to edit or take a picture and send it to a friend. Apps that can share any media will probably have this setting; it's needed to use the intent to share anything through an SMS or MMS message. If an app can't send anything to anyone, you should check why the developers need this.

Your personal information — read/write your contacts

An email client or any type of messenger uses this permission to do exactly what it says — read your contacts. But so will something like a home screen widget that can hold a shortcut to a person. Or Twitter or Facebook — they want to be able to find friends of yours who also use their service or make it easy for you to spam the ones who don't. "Contacts" is a broad term because so much information can be stored for an individual contact. We see this one on games that have leaderboards a lot, too. Anything that can put you in touch with anyone else will probably need this permission.

Permission to write to your contacts follows the same logic — if an app can add a friend it might need this permission to do it. In this case "write" means modify or add to your contacts list, not write a message to a contact.

Your personal information — read/write calendar events

This one is pretty simple. It only does one thing — read your default calendar. Some apps will need to have access to your calendar. Besides obvious reasons to need this one, apps that can do things like reminding you when it's time to take medicine or automatically tell you about an upcoming trip might do that by reading your calendar. If an app needs to do something at any point in the future reading the calendar is a valid permission request. If it doesn't, find out what it wants to do before you install.

Writing calendar events is a common thing to need for an app that has a legitimate reason to read them. If it's not obvious why an app needs these permissions, the description in the Play Store should tell you more. If you're still not sure, ask the developer.

Phone calls — read phone status and identity

This is the most abused and least understood permission of them all. You need to understand that this permission covers two different things that shouldn't be lumped together. There are a lot of good reasons to need to read your phone state. A game is a great example. You might be doing your thing and playing a game when all of a sudden your phone rings. The game needs to step back and let the incoming call notification have control of your screen. The call request can take control (and does) but the game needs to know that so it can stop the action in the background until you get back to it. It can do this when the phone status changes.

It's important to know which ID an app is asking for.

There are a couple different things your phone can do to provide a unique identity. Every phone has a device identifier that's different from every other one and it can be exposed without sharing any private information. When you see how many people are using a particular version of Android in a chart from Google, they are using this device ID to help get those numbers. When you go to Google Play you get counted and since every number is different you only get counted once. This number is also the best way for an app that can store settings or favorites in the cloud to tie them to you and only you. This is the ID we want to share because it can only tell what phone you have and what software is on it so none of your data is exposed.

This permission is also required for an app to read a different unique ID — your IMEI number. Your IMEI number is how your phone company connects your phone to you — your address, your name and everything else you would need to provide to buy a phone that can prove who you are. That data is hard to get — there is a minimum of three different secure and encrypted database servers between it and any of your account data, but it's not impossible to get. Because we've all seen stories about big telco companies exposing random user data from time to time, this is not something you want to be sharing for no good reason.

Since you have no way of knowing which ID an app asking for this will grab, say no when you see this one unless you know why they want it and what they're doing with it.

Your precise location — GPS and network-based location

If an app needs to know where you are it needs to ask for your location. A rough location through something like a Wi-Fi AP database works well enough for a lot of things but sometimes you need to get precise and that's a second permission request.

The need for your precise location can be determined by a little guesstimation. Does this app need to know what is within 50 yards of me? If the answer is yes, it needs a precise location. An app that tells someone who is wheelchair bound where the mall elevators or bathrooms are (those exist, and kudos to the people who make them happen) needs your precise location. An app that tells you what's on sale at Target when you get in the parking lot doesn't. Of course, any app with a map or that gives you directions needs to pinpoint your location, too.

And sometimes apps with ads in them need this just for the ad company. It's up to you to decide if you need those apps bad enough.

Your personal information — Modify/delete SD card contents

This is the permission that allows an app to read or write to your phone's external storage. This used to give an application free run to look at your data, change that data, delete that data and add more data anywhere on your SD card. This is a little confusing because they don't necessarily mean the little SD card that you can take out of the phone. In Android, your phone storage is referred to as an SD card in the file system. The little SD card is external storage. This was needed to support storing system-wide data on your removable memory card back when it was first developed. It hasn't changed because changing the name would break a lot of apps.

How apps can read from your storage changes as Google tries to balance convenience with security.

Google has done a lot to make this permission harmless. With each version, they refine the ways an application can get access to only the information it needs. But there are still people out there running older versions, which may mean this permission is a little more serious. If you're one of them, make sure you trust the app before you install it.

There's a second reason why I'm listing this one. Any application that was written for API level 4 (Android 1.6 Donut) or lower gets this permission by default. There aren't very many of those apps around. But it's a way for an app that didn't come from Google Play to get access it shouldn't have if your phone is running an older version of Android. What harm can come from this depends on what type of data you have on your phone's storage.

Phones running Android 7 Nougat and apps built for phones running Android 7 use scoped directory access and this one is finally laid to rest.

Network communication — full network access

This permission means exactly what it says. An app wants to be able to send requests and get a response through the network (Wi-Fi or your phone's data connection). Besides apps that use the internet for something obvious, apps with ads in them need this one.

While this is a fairly harmless permission when it comes to your personal information, it can use your data allotment without you realizing it. We hate paying for extra data as much as you do. Use airplane mode when you're low on data and if you find an app that should work offline but doesn't, uninstall it. There are too many good apps to fool with ones that don't follow the best practices.

There are many other, less suspicious permissions too. An app that takes pictures needs to control your hardware. Netflix needs to keep your screen awake for the 90 minutes you're not touching the screen. A ringer profile widget needs access to your settings. When you come across a permission that seems out of place, usually a bit of deductive reasoning can figure out why an app is requesting it. If not, read comments in Google Play, and ask questions in the forums. Don't just install anything you feel uneasy about, and don't automatically assume the worst.
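If you would rather check than guess, the labels covered above correspond to permission names declared in the app's manifest. The sketch below is an added example, not part of the original article: it parses a decoded AndroidManifest.xml and groups what the app declares under the headings used here. The sample manifest is constructed, its package name is hypothetical, and the label-to-name table is this example's own mapping.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: this article's headings -> android.permission.* names.
LABELS = {
    "directly call phone numbers": {"CALL_PHONE"},
    "receive and send SMS or MMS": {"SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS"},
    "read/write your contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "read/write calendar events": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "read phone status and identity": {"READ_PHONE_STATE"},
    "precise location": {"ACCESS_FINE_LOCATION"},
    "modify/delete SD card contents": {"WRITE_EXTERNAL_STORAGE"},
    "full network access": {"INTERNET"},
}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
      android:maxSdkVersion="18"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.example.flashlight.CUSTOM"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return {short_name: maxSdkVersion or None} for android.permission.* entries."""
    found = {}
    for el in ET.fromstring(manifest_xml):
        # Both element names request permissions; the second applies on API 23+ only.
        if el.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = el.get(ANDROID_NS + "name", "")
        if name.startswith("android.permission."):  # skip app-defined permissions
            max_sdk = el.get(ANDROID_NS + "maxSdkVersion")
            found[name.rsplit(".", 1)[1]] = int(max_sdk) if max_sdk else None
    return found

def review(manifest_xml):
    """Group declared permissions under the article's labels; the rest go to 'other'."""
    found = set(declared_permissions(manifest_xml))
    report = {l: sorted(p & found) for l, p in LABELS.items() if p & found}
    report["other"] = sorted(found - set().union(*LABELS.values()))
    return report

if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST))
```

For the sample, a flashlight app declaring phone identity and precise location is exactly the kind of mismatch worth asking the developer about, while the `maxSdkVersion="18"` on storage shows a request limited to older Android versions.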

Most apps in Google Play aren't out to steal your data or your money.

Remember, most of the people writing apps just want to make a little money or are doing it because it's fun. Apps that exist to farm your data are few and far between. And sometimes developers will make a mistake — it's not hard to get Android to ask for a permission an app isn't using and it's easy to overlook those errors when you're building them.

Android is getting a lot better than it used to be when it comes to permissions. There's a good chance you can deny any of these after you install an app through your phone's settings and some of the most common "scary sounding" permissions are going away altogether. But with so many different phones having so many different versions of Android this information can mean more to some people than others.

We'll keep this updated as things change.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.