Android Apps are Stealing Your Data

AppOpsXposed Logo

I’ve written about this before and I’m doing it again.

The single, biggest reason why any Android user might want to consider root access is to take control of the otherwise unknown and often egregious permissions sought by apps on their device. Nowhere is this more apparent than on a newly-rooted phone that’s already seen some use—like the LG G3 I rooted yesterday.

Read on and be amazed at what’s been going on behind my back.

The screen grabs you are about to see are per-app permissions controls in AppOpsXposed. There are other means to the same end, like XPrivacy (another Xposed Module) or the permissions managers built into custom ROMs like CyanogenMod and, my current favourite, SlimKat.

And in case you’re confused by the toggles, I’ve set them to “off” only after discovering that my data has been leaked. In most cases it seems that your address book is the hidden cost of many so-called “free” apps…

Facebook Permissions

Ah yes, Facebook… the gold standard in data theft. I already knew that the app phones home with your entire address book as soon as you launch it; I had no idea, however, that it could do it without even running!

It’s not enough to delete the Facebook app from your phone; if someone else is using it, chances are Facebook already has your address and phone number. Not cool at all.

Twitter Permissions

Unlike Facebook I actually use the official Twitter client on my G3—but I know for a fact that I have never used the “find my friends” feature or anything similar. I’ve also turned off geo-tagged tweets; so why has Twitter helped itself to my contacts list and location?

McAfee Permissions

Here’s a typical example of on-device bloatware; my locked-to-Bell G3 came with McAfee Security preinstalled. I suppose you could make a case for a possible security threat delivered via MMS, but have you ever heard of a virus in an address book? Yeah, me neither…

Settings Permissions

Et tu, LG? Why would the native settings utility on my G3 need access to my contacts?

Okay, so maybe, maybe this permission is required to control how contacts are displayed (for example). Here’s another great thing about a permissions manager: If you didn’t want to give LG the benefit of the doubt you could toggle something to “off” and see what happens. If something breaks, just toggle the requested permission back to “on”.

In other words, you are in control of your device. And isn’t that what being a power user is all about?