Improving User Choice Through Better Mobile Apps Transparency and Permissions Analysis

Our personal information, habits, likes and dislikes can be all deduced from our mobile devices. Safeguarding mobile privacy is therefore of great concern. Transparency and individual control are bedrock principles of privacy but making informed choices about which mobile apps to use has been shown to be difficult. In order to understand the dynamics of information collection in mobile apps and to demonstrate the value of transparent access to the details of mobile applications information access permissions, we have gathered information about 528,433 apps on Google Play, and analyzed the permissions requested by each app. We develop a quantitative measure of the risk posed by apps by devising a ‘sensitivity score’ to represent the number of occurrences of permissions that read personal information about users where network communication is possible. We found that 54% of apps do not access any personal data. The remaining 46% collect between 1 to 20 sensitive permissions and have the ability to transmit it outside the phone. The sensitivity of apps differs greatly between free and paid apps as well as between categories and content rating. Sensitive permissions are often mixed with a large amount of low-risk permissions and hence are difficult to identify. Easily available sensitivity scores could help users making more informed decision about choosing an app that could pose less risk in collecting personal information. Even though an app is “self-described” to be suitable for a certain subset of users (i.e children) it might contain content ratings and permission requests that are not appropriate or expected. Our experience in doing this research shows that it is difficult to obtain information about how personal data collected from apps is used or analyzed. In fact only 0.37% (1,991) of the collected apps show to have declared a “privacy policy”. Therefore, in order to make real control available to mobile users, apps distribution platforms should provide more detailed information about how their data if accessed is used. To achieve greater transparency and individual control, apps distribution platforms which do not currently make raw permission description accessible for analysis could change their design and operating policies to make this data available prior to installation.