Course

Manage Application Permissions for Privacy and Security

Training Code: Topic 1.3
Format: Document
Delivery: On Demand
Location type: Virtual/Online

Description

The Bottom Line

Apps can often access sensitive information about you, including health, financial, and geolocational data. If you don’t properly manage your app permissions, you increase the risk that this information is shared or sold to third parties. To mitigate this risk:

  1. Only install apps you need.
  2. Remove apps you no longer use.
  3. Manage app permissions and deny access to data or functions you do not want an app to have.

The Problem

Third-party apps can collect, share, and sell your information if you don’t properly manage your device’s app permissions.

App permissions are a set of controls found on your computer and mobile device that allow a user to define what categories of data an app can access.

Given the right permissions, some apps may be able to:

  • Access your photo library.
  • Record and livestream audio and video.
  • Access your location in real time.
  • Read, receive, and send Short Message Service (SMS) text messages.
  • Access your health data from paired fitness trackers.
  • Read and edit your contact list.
  • Read, create, edit, or delete calendar events.
  • Access your files, media, and photos stored on your phone’s memory.

You can’t always be sure how apps will use your information or who they will share it with, as illustrated in a 2018 New York Times article that revealed many apps collect and sell large databases of information. These databases are created from information that apps have permission to access from your device, including location data that can be used to easily identify you and construct your pattern of life. Location data can reveal everything from your normal commute time and route, to visits to a doctor’s office or a romantic partner’s residence.

By managing app permissions, such as denying a local news app access to your device’s location data, you can begin to limit what data apps can access and share with third parties. Apps with unnecessary access to your data place your privacy and security at risk by making it more likely that this information falls into the wrong hands.

The Solution

Remove apps you no longer use.

First, audit the apps that are installed on your mobile devices. You should remove any app that you do not use. After all, if you are not using it, why give it access to your device and data?

For the apps that you do use, check what categories of data they can access. If apps require access to categories of data that make you uncomfortable, delete them.

To check what categories of data your app can access, review the app’s privacy information in the app store associated with your OS. (As pictured below, the Apple App Store lists the types of data that an app collects. The Google Play store similarly displays this information.)

Manage app permissions.

Familiarize yourself with the app permission categories for your OS.

A great rule of thumb is to deny access to any data or functions you do not wish the app to have or perform. Just because an app requests access to your camera doesn’t mean you need to enable camera permissions if you do not use the app’s camera function.

Note: If you believe you are at heightened risk of being targeted by an advanced adversary because of who you are or what you do, you should pay extra attention to apps that request access to your location. Malicious apps could allow threat actors to track your whereabouts without physically surveilling you, placing you or your associates at greater risk of harm.

Limiting access is another best practice. For example, users can indicate that an app should access their location Only While in Use.

Follow these guides from four major operating systems to manage app permissions on computers and mobile devices:

Takeaways

Do

  • Remove apps you no longer use.
  • In app permissions, deny access to data or functions you do not want an app to have.

Do Not

  • Keep apps on your phone if you don’t use them.
  • Allow apps to access categories of data that are not required for functionality. 

 

Project Upskill is a product of the Joint Cyber Defense Collaborative 

Prerequisites

  • Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
    • Topic 1.0: Implement User Account Control to Protect Your Personal Computer
    • Topic 1.1: Keep Your Device’s Operating System and Applications Up to Date
    • Topic 1.2: Ensure Your OS Antivirus and Anti-Malware Protections are Active