Mobile security in app programming: access permissions

Access permissions are very often completely justified in app programming for Android and iOS. Nonetheless, sometimes they are not. This means that − on one hand − the user must pay attention to these permissions and − on the other hand − the developer must also be driven by ethics and only request access to whatever strictly necessary, as we discussed in our guide on how to create a successful app.

Access permissions will always depend on the app. For example, dining and restaurant apps seeking the closest restaurant to your current location will require being able to access your device’s GPS. The app will not work without this access permission, or at least will not do so properly. The following are some of the most commonly requested permissions:

• Contacts
• Phone calls
• Photos, videos and audios
• Device’s ID and data
• Text messages
• Wi-Fi
• Accounts

Some apps may need additional access permissions. Let’s see the exact implications of allowing access to certain parts of our Android device, i.e. the risks associated to each kind of access permission and its scope.

For example, granting an app access to text messages entails allowing it to send messages in addition to reading them. This may translate into a higher bill at the end of the month if such application starts sending texts without you being aware of it. However, when properly used its purpose is to confirm ID’s and thus enjoy safer apps.

Safe App Programming: is privacy endangered?

There are other aspects to be considered besides its app programming process for an application to be considered as safe, i.e. it’s not only its code that is taken into consideration. It also depends on the user, who accepts or rejects each app’s privacy policies.

For example, according to a recent study carried out by Quental − a technological services and solutions company −, at least 61.3% of the most downloaded mobile apps comply with the applicable legal framework and have a privacy policy that governs the use and processing of the end user’s personal data.

As with social networks, the answer will always depend ultimately on us. If you don’t want anyone to see something you are posting on a social network, just restrain yourself from publishing it or check your account’s privacy. The options available might be a little tighter when it comes to apps, but it boils down to the same thing: simply don’t download an app whose access permissions you are unwilling to grant. You cannot allow certain permissions and deny certain others; the app will not work properly if you limit its access permissions and will end up not doing what it’s supposed to do.

However, we can get into trouble by granting full access to an app. Our most sensitive information (photos, videos, passwords, chats, bank details, etc.) could be exposed if an app is allowed to send and publish content and has access to our personal data and information.

How do I protect myself?

As already mentioned, the most radical solution consists in not downloading the app if you don’t want to grant these permissions to third parties. There are currently many apps on the market, so it’s very likely that you’ll be able to find a similar app that requires less access permissions.

Another option is limiting the access of the apps that you have already installed on the settings panel. However, these permissions may not always be revoked, as they affect the app’s operation.

And the last option available for Android apps is an application called App Ops. This is an app specialised on revoking access permissions. It’s a paramount tool for those who place a great deal of importance in privacy or those who have plenty of sensitive information in their mobile devices.

It may well be the opposite for iOS. When an application requires an access permission which you have not granted, a pop-up will appear reminding you that the app needs such permission or that such permission has been already granted. It works very well as a firewall method to protect your privacy despite it may be uncomfortable sometimes.

The aim of this access permission request system is to hand over privacy control from the app’s developer to the app’s users.

So what can an app developer do?

According to a study by the University of Valladolid on mobile app security and privacy, “developers, in their eagerness to publish their applications before their rivals, neglect certain aspects that must be taken into account − especially the privacy and security of the data processed by the app.”

Healthcare apps are a good example to see the importance of the consequences that such neglect may bring, as they deal with private and confidential data from hundreds of patients. The University of Valladolid suggests a series of ‘best practices’ for programmers. Borja Martínez, researcher at the Telemedicine and eHealth Group at the University of Valladolid, sets out − in a guide that is especially designed for healthcare app programming experts − the following recommendations, which are equally valid for any kind of app programming:

• Access control: user-centred, i.e. there is always the possibility of allowing or denying access to the user’s information.

• Authentication: by means of a unique ID and a password known only to the user.

• Security and non-disclosure: making use of AES (Advanced Encryption Standard) with an encrypted password of − at least − 128 bits is highly recommended to ensure security.

• Integrity: an authentication code based on symmetric password encryption (such as AES) must be used.

• Information to users: prior to collecting any information, all apps must extend a clear privacy policy to their users that identifies who will be using the data, the purpose thereof, the privacy practices in place, the user’s rights and a way to contact the app’s developer.

• Data transfer: apps should use TLS (Transport Layer Security) with 128-bit encryption methods or virtual private networks.

• Data retention: all data should only be stored during the amount of time necessary to comply with their storing’s stated purpose and not any longer.

• Communicating with wearables: cryptographic methods should be used when communicating with wearables for device authentication and password distribution purposes.

• Security flaw alerts: in case of a security breach, developers must notify the relevant authorities and the users as soon as possible and should help the latter minimise the damage caused by it.