Permission bloat on iOS can lead to theft of sensitive data, study says

Applications requesting access to photos for first-use setup retain that permission unless manually revoked, putting companies at risk, according to a Wandera report.

Applications requesting permissions not necessary for the functionality of the app pose a security risk to organizations, potentially resulting in the compromise of personal or corporate data, according to a Wandera report published Wednesday.

"Millions of apps [are] available to users, and while some are in fact 'safe' and treating your personal data with the utmost care, the vast majority are not," the report claims.

One of the purported benefits of iOS over Android is the former's tight controls over application standards, as inclusion in the iOS App Store is contingent upon compliance with Apple's terms and conditions for use. However, this is only a walled garden, not a bulletproof vest—Apple recently began cracking down on apps from Abercrombie & Fitch, Expedia, Hotels.com, and Singapore Airlines, among others, that use "session replay" analytics to track user behavior.

Wandera highlights the potential danger of granting the "PhotoLibrary" and "Camera" permissions to apps, noting that "Employees are increasingly using their smartphone cameras to take pictures of whiteboards in meetings. This puts sensitive corporate information like product roadmaps into their photo libraries. The camera is also commonly used for one-time use profile set-up... the issue with these one-time use cases is, you may grant an app like Uber access to your camera or photo library to upload a profile picture or credit card information and then forget about it, leaving that access open at all times."

Permissions considered "high risk" by Wandera include "LocationAlways" and "Microphone," which were requested by 25% and 23% of apps tested, respectively. Wandera points to a 2018 New York Times investigation that found that WeatherBug tracked users' movements and provided that data to third parties for targeted advertising campaigns, enabled by the use of app permissions.

Of the 30,000 apps analyzed, 17% request no special permissions, with roughly a quarter of apps requesting either three or four permissions. Notably, iOS permissions relate only to personal information. As such, permissions of the kind Android offers for device settings, such as pairing Bluetooth devices and viewing network connections, are not configurable on iOS.

Social networking apps request 4.96 permissions on average, followed closely by weather apps at 4.73, shopping apps at 4.5, and health apps at 4.48. Notably, 62% of social networking apps request LocationWhenInUse. The same percentage of weather apps request PhotoLibrary access.

Users are advised to manually revoke permissions using the "Settings > Privacy" menu.

Apple faced controversy earlier this year due to developers abusing the Apple Developer Enterprise Program to distribute illicit apps, and pirates using it for the same purpose. In fairness, security issues are not limited to iOS, as two-thirds of all Android antivirus apps are frauds, and the Android ecosystem of pre-installed apps is a privacy and security mess, according to ZDNet's Catalin Cimpanu.

Image: Jakub Jirsak

By James Sanders

James Sanders is a technology writer for TechRepublic. He covers future technology, including quantum computing, AI, and 5G, as well as cloud, security, open source, mobility, and the impact of globalization on the industry, with a focus on Asia.