General perception is that more permissions = less privacy (which is true), hence smart & privacy conscious users deny and may feel safe. But are you really safe? If you use an Android phone and feel good about being picky about which permissions to allow then read on.
There are primarily 3 types of permissions in Android—Normal, Dangerous & Signature. Dangerous permissions are considered high risk, hence the user has to explicitly allow these permissions (upfront in Android Lollipop & at run time from Marshmallow onwards). Signature permissions are given to App at OS level by phone manufacturers.
I will talk about Normal Permissions (classified as PROTECTION_NORMAL) which do not require any user permission and there is no way a user can deny or revoke these permissions in any Android version from any settings whatsoever. Google classifies them as normal because they feel there is no risk involved. Here are some of the Normal Permissions and possible risk they may carry:
- DOWNLOAD_WITHOUT_NOTIFICATION: App can download any content include Adware without alerting the user
- GOOGLE_AUTH: Apps can get the email address used for Google accounts. Good way to collect email database
- GOOGLE_AUTH.wise: Allows Apps to secretly sign in to Google Spreadsheets without informing the user
- GOOGLE_AUTH.writely: Allows Apps to secretly sign in to Google Docs without informing the user
- KILL_BACKGROUND_PROCESSES: App can kill any running process, including any anti-virus or anti-malware and then launch an attack
- launcher.WRITE_SETTINGS: App with this permission can modify the settings of Android’s Launcher & icons. Apps could use this to place (misleading) icons on your homescreen to trick you to click on it. Icon can look like a mail icon
- READ_EXTERNAL_STORAGE: App can read any document or sensitive data on your SD card. (Deprecated after API 19)
- READ_SYNC_STATS: Apps can read the sync stats for any background sync to Facebook or Gmail, including the history of sync events and how much data is synced.
- RECEIVE_BOOT_COMPLETED: App gets to know when you restart your phone and force itself to launch on boot. Can strain your boot process & memory too
- REORDER_TASKS: Allow Apps to bring itself to Foreground if running in the background. Suddenly an App running an Ad can force itself to be seen
- SUBSCRIBED_FEEDS_READ: Apps can read your RSS feeds and create your persona based on interests
- WRITE_USER_DICTIONARY: This permission allows App to add custom words to your dictionary which can be used during auto-correct. The misuse possibilities with this are endless
There are several other permissions like ACCESS_NETWORK_STATE, ACTIVITY_RECOGNITION, FLASHLIGHT, GET_ACCOUNTS, SET_WALLPAPER which do not require any permission and a smart rogue developer can misuse by combining a few of them.
Bottom line: Be selective about which Apps you download on your Android phone. While you can control the access to dangerous permissions, you may be at risk just by downloading some apps.