March 18, 2012, 7:55 AM — Mobile apps are a privacy nightmare. Some apps are constantly connected to the Internet, and can upload your personal data, such as your private photos or documents, to a remote server without your knowledge or consent. While iOS users can generally depend on Apple's app-curating process to keep their data safe, Android users pretty much have to fend for themselves, left to rely on a cryptic system that doesn't seem to be working.
How Google's Permission System Works
Whenever you download an app from Google Play (the store formerly known as the Android Market), you see an alert that explains what information that app will be able to access once you install it on your phone; for instance, the alert will indicate whether the app needs to access your contacts list, or connect to the Internet. An app cannot use any part of the phone that it does not have permission to access, and the developer sets these permissions when it first submits the app to the Play store.
The Problem With Permissions
While providing this information is a good idea in theory, it doesn't work so well in reality. According to Joe Keehnast, a product manager for Norton, very few people actually look through an app's permissions before installing it.
Even if you were to read through the alert, you may not come away with much information: The permissions list can be extremely unclear and unhelpful. An app can request permission to use my network connection, for example, but I'm never sure what it's actually using that connection for. Some security apps, such as Lookout Mobile Security, feature "privacy advisors" that can give you a little more detail as to why an app would request certain permissions. At best, however, that is a workaround for a larger problem. Even with the extra information from security apps, you never see explicit details as to why, say, a browser app wants access to your phone's SMS function.
Confusion aside, the permission system as it is currently designed just does not work. In late February, the New York Times demonstrated an inherent flaw with the Android permission system by building an app that was able to access photos stored on an Android phone and copy them to a remote server. To accomplish that, the app needed only permission to access the Internet.