An app wants to access everything—is that a scam?
Monday, August 4, 2025
In this publication, we’ll try to understand when our reservations about an app requesting seemingly excessive permissions are unsubstantiated and when they are entirely justified.
Surely at one point or another you have come across apps that, in the course of their installation, request access to virtually all device components and features including the camera, microphone, contacts, location, file system and more. In situations like this, one may reasonably ask: why would a photo editor need to be aware of my location? Our readers and Dr.Web software users will probably regard this app behaviour as fraudulent. Let's see if this is really so and when we actually need to raise the alarm.
To each its own
In order for an app, even a completely harmless one, to save an image to the gallery or record a video, for example, an access permission prompt must be displayed. That’s because well-mannered individuals, and devices likewise, do not invade someone else's space without the host’s express permission. So, whenever a program requests access to a certain feature or file, the operating system ensures that the user remains protected from covert manipulation of their device. At this point, the gadget's owner will clearly see which specific permissions the program needs to do its job. A permission prompt itself is no cause for panic.
Example:
The Health app is installed on the device by default. It stores data that the user specifies in the app—such as information about medications taken and blood type—as well as the details they provide in other programs related to health, nutrition and fitness. So, the Health app interacts with a step counter, smart scales, and a healthy sleeping app as well as with a variety of other sports apps and calorie trackers. That way, aggregated health-related data can provide a comprehensive representation of the user’s wellbeing as well as useful suggestions for improving it, if necessary. Naturally, to accomplish this the other apps require permissions to update and transmit health data. But if these very apps want to access the contacts and location as well, the user will start wondering how this data is related to their health.
We have compiled a short list of the most commonly requested permissions. Let's find out which ones are actually required for a variety of apps to operate normally and which of them should make us suspicious.
Components and features that apps want to access | Reasonable (examples) | Suspicious (examples) |
Camera and microphone | Photo and video editing, video calls, OCR (optical character recognition) | No UI elements or usage scenarios involving the camera or microphone; a book reader without OCR support |
Contacts | Messengers, mail and video call apps | Games, applications performing various computation tasks, such as calculators or roulettes |
Location | Navigation, taxi and delivery apps | Editors, notepads |
Files | Cloud storage, messengers, document editors | Exotic utilities, games, torch apps |
Calls and SMS | Banking apps, two-factor authentication | Everything else |
Calendar | Video call app | Games, utilities, launchers |
A general rule of thumb for determining whether a permission request is reasonable is matching it against an app's features. We try to understand why it is needed and how it will work and then help the app by granting it the corresponding permissions. But don't get overzealous—only provide the privileges that are absolutely necessary.
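The rule of thumb above can also be applied to an Android app's declared permissions. The Python below is an added example, not part of the original article or of Dr.Web's software: it reads a decoded AndroidManifest.xml (the sample is constructed), maps each requested permission to a row of the table, and returns the rows the table does not list as reasonable for that kind of app. The app-kind labels and the permission-to-row mapping are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Android permission -> row of the article's table (mapping is an assumption).
GROUPS = {
    "CAMERA": "Camera and microphone", "RECORD_AUDIO": "Camera and microphone",
    "READ_CONTACTS": "Contacts", "WRITE_CONTACTS": "Contacts",
    "ACCESS_FINE_LOCATION": "Location", "ACCESS_COARSE_LOCATION": "Location",
    "READ_EXTERNAL_STORAGE": "Files", "WRITE_EXTERNAL_STORAGE": "Files",
    "READ_SMS": "Calls and SMS", "SEND_SMS": "Calls and SMS",
    "READ_CALL_LOG": "Calls and SMS", "CALL_PHONE": "Calls and SMS",
    "READ_CALENDAR": "Calendar", "WRITE_CALENDAR": "Calendar",
}
# Hypothetical app kinds -> rows the table gives as reasonable for them.
REASONABLE = {
    "photo_editor": {"Camera and microphone"},
    "messenger": {"Contacts", "Files"},
    "navigation": {"Location"},
    "banking": {"Calls and SMS"},
    "game": set(),
}

def audit(manifest_xml, app_kind):
    """Return {table row: [permissions]} requested beyond the reasonable rows."""
    allowed = REASONABLE[app_kind]
    flagged = {}
    root = ET.fromstring(manifest_xml)
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NAME, "")
            if not name.startswith("android.permission."):
                continue  # custom or vendor permission: not covered by the table
            short = name.rsplit(".", 1)[-1]
            group = GROUPS.get(short)  # None for permissions outside the table
            if group and group not in allowed:
                flagged.setdefault(group, set()).add(short)
    return {g: sorted(p) for g, p in flagged.items()}

# Constructed sample: decoded manifest of a made-up puzzle game.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CALENDAR"/>
</manifest>"""

if __name__ == "__main__":
    for row, perms in audit(SAMPLE_MANIFEST, "game").items():
        print(f"{row}: {', '.join(perms)} (not listed as reasonable)")
```

A flagged row is a prompt to ask why the app needs that access, not proof of fraud.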
Fraudulent or sloppy
It is important to understand that not all privilege-greedy apps are created by threat actors. Sometimes developers choose to request all the permissions even if their app does not use them—just to be on the safe side.
This can happen for a variety of reasons. Many apps rely on third-party libraries, especially when advertising and analysis are involved. And using these libraries may require additional privileges. Even if an app does not access the calendar or files, a third-party advertising module can do so in the background. That’s pretty common for free applications that generate a profit by displaying ads.
Sometimes inexperienced developers simply don't quite understand which permissions their application really needs.
That’s why it can be a good idea to check a new app's permissions after it has been installed and revoke those that appear excessive. If no compromise between the user and the app can be found, it will probably be easier and safer to find a similar application with a more modest appetite for privileges. The fewer access permissions an app has, the less of a threat to your privacy it will be.
And yet, there are situations when an application is disguised as a harmless one but will, in fact, leak the user's data to a third party or even subscribe them to paid services.
Distinguishing a ruse from the real thing
- The app is not well known. It has just appeared in the catalogue and has bad reviews or positive feedback that appears suspiciously similar.
- No developer website or support contacts are specified.
- The program behaves strangely right after installation: it displays ads very often, degrades the device's performance, and unexpected subscription notifications pop up.
You can check what permissions your apps have right now
Android and iOS both allow you to access the list of permissions that installed apps require and revoke the unnecessary ones with just a couple of taps.
Android:
Settings → Apps → [App Name] → Permissions.
iPhone:
Settings → Privacy & Security → and then check sections such as Calendars, Contacts, Files & Folders.
The Anti-virus Times recommends
Here are several basic rules to help you feel more confident the next time a new app requests permission to access some data:
- Carefully read the message prompt and consider what it is that the app actually requires. Don't tap “Allow All” without thinking. You can use our table for guidance.
- Don't be afraid to tap “Deny”. Many apps operate normally even if none of the requested permissions are granted to them.
- Check user reviews, especially negative ones—they often tell the truth.
- Use an antivirus. Dr.Web will always warn you if something suspicious is afoot.
- Get rid of the software you don’t need. If you haven't used an app in a while, uninstall it.
Ask yourself: why does the app need to access this? If the answer is not obvious, it is safer to deny it. Or ask the expert, which is us!