SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 245: Controlling Permissions on Devices

Posted on September 3, 2021

This week on The Checklist:

The lowdown on iOS app permissions

If you’ve listened to The Checklist for a while, you’re already pretty familiar with the issue of data-hungry apps.

But sometimes it can feel like a very vague and undefined problem. Yes, we know that “lots” of apps out there are trying to hoover up as much of our personal information as possible. And we know that they collect this data in a variety of ways.

But which apps are doing it? Where are they collecting our data? Specifics can be hard to come by.

The folks at Jamf, an Apple device management firm for enterprise, have tried to shed some light on the problem by publishing a study entitled “An Analysis of iOS App Permissions”. The study took a detailed look at the top four permissions requested by iOS apps:

  • Photos
  • Camera
  • Location
  • Microphone

Jamf also looked at apps requesting permissions by app category:

  • Photo & Video
  • Social Networking
  • Shopping
  • Food & Drink
  • Business
  • Productivity

Here are some highlights from their study:

Photo & Video apps

Apps like YouTube, FaceApp, and Splice are the least shy about asking to see your Photos — they request access 96% of the time.

Perhaps unsurprisingly, they’re also the top category when it comes to requesting Camera access, which they do with a 90% frequency.

However, apps in the Photo & Video category are less likely than some other types of app to ask for location permissions — they only do this 68% of the time.

Social Networking apps

Social Networking apps want to hear what you have to say … literally. They ask for Microphone access more than any other app category: 69% of the time. 

Like Photo & Video apps, apps in the Social Networking category are not averse to asking to see your camera roll — they request Photos access 84% of the time. They also tend to ask for Camera access, doing this with 83% frequency.

Facebook is famous for trying to see your location data, so it’s probably no surprise that social media apps as a whole come in second when it comes to asking for Location permissions: They do this in 72% of cases.

Shopping and Food & Drink apps

Shopping apps seem to love a good photo! They ask for Camera access just as often as social networking apps do: 83% of the time. That may sound a bit weird, but it’s plausible if you consider that these apps are probably using the camera to scan QR codes.

Less plausible is the fact that shopping apps ask to see your Photos 87% of the time. It’s unclear why Amazon, eBay, or Shop would need to see what you’ve taken pictures of …

Shopping apps are also big on location. They tie for first (along with Food & Drink apps) when it comes to requesting Location permissions, doing this 81% of the time. This one actually makes sense: The Food & Drink category includes apps like DoorDash and UberEats, which kind of need to know where you are in order to bring you your tacos. Shopping apps may also have a legitimate use for your location data, since a lot of these apps will often recommend nearby businesses if you’re trying to buy something specific.

Business and Productivity apps

Business apps ask for camera access almost as much as Social Networking apps: 75% of the time. That might seem a little odd at first, but bear in mind that this category includes apps like Slack, Zoom, and WebEx, so a fair amount of camera use is to be expected.

Business apps and Productivity apps both ask for Microphone access with 41% frequency. That’s another one that might seem strange until you remember that business apps include meeting tools like Zoom. Productivity apps include things like Google Calendar and the scheduling tool TimeTree, and here again, it does make some sense that people would want to be able to use a quick voice command to tell those apps to set a reminder or schedule an appointment.

Sharing is not caring

Since the introduction of iOS 14, you can now control a lot of what you share with an app (or don’t share with an app), often in a highly granular way. In addition, the iOS app sandbox has for a long time been a built-in safeguard meant to prevent one app from talking to another on your device. But as researchers at Jamf point out, these protections aren’t always enough to stop apps from learning about you:

“The app sandbox is intended to prevent apps from sharing data between them, but various tracking approaches circumvent that — even though the apps aren’t communicating directly … By connecting various backend services and web interactions, an advertiser can piece together an accurate picture of a user based on their online behavior.”

For example, ad identifier data can share information about you with ad networks to serve you targeted ads. This is what’s behind the creepy “search for something in Google and see it come up in a Facebook ad the next day” experience.

Apple is doing what it can to stop this. It introduced App Tracking Transparency in iOS 14.5 in order to combat just this type of tracking and sharing.

But there are other areas of concern.

Apps that access your photos may also be able to read associated GPS metadata (if you have this turned on). That means that by sharing Photos permissions with an app, you may inadvertently share your location as well.

In addition, apps with clipboard access may be able to see what you’re copying and pasting from other apps (discussed more fully in Checklist 191: TikTok Talk with Patrick Wardle).

What can you do to protect yourself?

OK, so now you have a clearer picture of what types of apps ask for what permissions — and of how apps can circumvent iOS privacy protections. So what can you do? Jamf recommends that all iOS users take the following precautions:

  1. Don’t just click OK

    iOS lets you know when an app is requesting access to your Photos, Camera, Microphone, or Location. Read these notifications carefully, and take a second to ask yourself if the request actually makes sense. Is a weather app asking for your approximate location? That makes some sense: It can’t give you an accurate forecast if it doesn’t know what city you’re in. Is the same app asking to see your Contacts? That makes far less sense. Don’t be shy about telling an app “no” — and remember that you can always change the app’s permissions later if you need to.

  2. Eliminate high-risk apps

    Apps in the Photo & Video, Shopping, and Social Networking categories ask for permissions the most. If you have a lot of apps in these categories, take a second to go through them and delete the ones you don’t use. This will lower your overall risk of unwanted data sharing.

  3. Review app permissions

    For apps that you want to keep on your device, take a moment every now and again to audit their permissions. You can find a list of the various app permissions at Settings > Privacy. Click each one to see what permissions the different apps on your device currently have. You can often control these with a simple toggle switch.

  4. Be an “in use” user

    If you’re going to grant Location permissions to an app, you’ll have the option to give it location data “only while in use”. Make this your default option for apps that you share location data with. There are few legitimate cases where an app would need to access your location while you weren’t using it. Don’t overshare for no reason.

For more helpful privacy and cybersecurity information, check out The Checklist archives, where you’ll find full notes and audio for every episode of the podcast we’ve ever recorded. Do you have a question that you’d like to hear answered on a future show? Write to us and let us know!
