No one should be downloading a flashlight app in the Year of Our Lord 2019 — that’s why both Google and Apple have integrated the ability into their devices as part of the base operating system. Avast security researcher Luis Corrons decided to evaluate the security of flashlight apps after the wave of concern around the Russian-owned Faceapp software. According to his work, there are still 937 flashlight applications on Google Play, despite the fact that Flashlight capabilities are baked into the Android OS. Many of these applications request far more permissions from end users than they ever need to function.
Instead of being limited to the functions you’d expect a flashlight to need (access the LED flash itself, download ads from the internet, and lock-screen access so the flashlight can be turned on or off without unlocking the device), many of these apps request far more. The average number of permissions requested by app is 25. 408 applications request 10 permissions or fewer, but 262 of them require 50 permissions or more. The table below shows the worst offenders:
Now, just because an application is requesting a lot of permissions doesn’t necessarily mean it is requesting them for nefarious purposes. But when Corrons dug deeper, the issues kept getting worse. A massive number of applications request permission to kill background processes, access your fine-grained location data, control Bluetooth connections, record audio, download data without notification, and write to your contacts list. A few even process incoming calls.
As Corrons discusses, the reason these apps have such ludicrous permissions isn’t because they’re actually trying to hook you up with Nigerian princes with large fortunes to dispose of. It’s undoubtedly so they can gather data and then sell it to other firms as part of their efforts to endlessly monetize all of human existence. He steps through how some of these apps are developed by studios with multiple multi-million downloads on the app store. All of the apps require the same invasive permissions, and they’re almost certainly funneling data to the same invisible group of partners.
Google, of course, could stop this kind of garbage in its tracks by forcing app developers to only request permissions that they can plausibly prove they need, and by tightening the approval process to make this kind of rampant data-collecting against its own terms of service. Google doesn’t, because that would alert people to how much of their own daily device usage is uploaded to third-party corporations in the first place. The companies that take advantages of loose user permission requirements aren’t exploiting a loophole; they’re using the system in the manner in which it’s intended to operate. Corrons notes that it’s extremely important for users to be aware of what kind of permissions their applications request. This is true, but it also puts the impetus of fixing the problem solely on the end-user.
Google has allowed its app store to be abused by people who are running massive data harvesting regimes — and it’s on Google to fix that problem, not end-users. Nobody should be downloading a flashlight app on a modern device. But Google shouldn’t be allowing applications to request permissions that they have no business requesting, either.