A new comparison of 17 of the most popular reader apps, compiled by Matt Bernius, answers that question, and in some cases users may be revealing much more than they think.
No less than 4 of the apps tested required access to location information (NYTimes, DC, Marvel, and comiXology); half of them ask for “phone state and identity”, which would let them grab people’s phone numbers and IMEI numbers; and a couple can retrieve a list of other running apps.
Editor’s Note: A little digging has revealed that the “phone state and identity” permission stopped scaring everyone about 2011 (or so the Google search results suggest). And given that most of the apps that request it are tied to accounts with your contact info and credit card details, grabbing your phone number isn’t such a big deal – for most of the apps.
Android apps are required to specify what sort of access to the phone they can use, but these “permissions requests” screens can be opaque, and without a chart like this one, it can be difficult to tell if there are subtle but legitimate reasons why a particular class of app needs a particular type of permission.
Editor’s note: In some cases the excess permissions aren’t that unreasonable. For example, Kobo requires nearly as many permissions as Google Play Books, but that could be because Kobo’s reader analytics uses Google Analytics platform to pass data from the app to Kobo’s servers (that’s how it works on the Kobo Touch, anyway).
Click the chart to view it full-size. This chart is another valuable resource for readers looking to bring their privacy into the digital world. We’ve previously compared the privacy practices of different sources of ebooks.
Unfortunately, Android permissions operate on a “take it or leave it” model. Google briefly included a hidden privacy feature that allowed users to deny certain requested data and access to apps, but has removed it in the latest version of Android. There ways to get the privacy control back if you have a rooted device or install Cyanogenmod. But mainstream Android users are out of luck.
Editor’s Note: He’s not wrong. By preventing the user from controlling their Android device, Google has created a situation that is inherently unsafe. The only way for users to protect themselves is to be careful about the apps they install, and given that malware can sometimes be hidden inside legit apps that is not as simple of a task as it might sound.
And Google: it’s high time you promised to bring App Ops back, with an appropriate plan to expand the interface to work with all the important permission types, and with a plan for app developers to transition to a model with proper privacy controls.
reposted with additions under a CC license from EFF.org
image by _mixer_