Your Apps & Permissions
Every permission you grant is a door. Most people open dozens of doors they never intended to open, on apps they no longer use, for data they do not realise is being collected.
The Flashlight App
A 2023 investigation found a popular flashlight app on the Google Play Store had been quietly accessing users' microphones in the background.
The app had over 10 million installs. It worked fine as a flashlight. It also held microphone permission that users had granted during installation without reading why a flashlight would need to listen.
The collected audio data was sent to a server in a jurisdiction with no data protection laws. The developer generated revenue by selling the recordings to a third party that analysed them for consumer research.
The permission was granted in 2021. It was collecting data until the app was delisted in 2024. Most users never knew.
What Is Actually Happening: The Permission Economy
89% of Android apps request at least one dangerous permission they do not need for their stated function.
Over-permissioning is standard practice in the app economy, not an edge case.
Source: ENISA Threat Landscape for Mobile, 2024
"Always On" Means 24/7 Tracking
"Always on" location permission means the app tracks your position even when it is closed. Most apps only need location "while using" - never always on.
Contacts Access Exports Your Entire Network
Granting contacts permission sends every name, number, and email in your address book to the app's servers. This is used to build social graphs and target your contacts with ads.
Deleting an App Does Not Delete Its Data
Removing an app from your phone removes the app. Data already sent to the developer's servers remains and is governed by their privacy policy, which you agreed to on install.
Sideloaded Apps Skip Security Review
Apps installed outside the App Store or Google Play bypass the security review process. Malware is routinely distributed through unofficial app download links in messages and emails.
What Each Permission Actually Gives
Understanding each permission makes the decision simple.
Location reveals where you are and have been. "While using" is appropriate for maps and delivery. "Always on" is almost never appropriate.
Microphone gives access to audio from your surroundings, not just calls you initiate. A game, shopping app, or keyboard has no legitimate reason to access your microphone.
Camera allows the app to activate your camera. Legitimate uses include video calling and document scanning. An app with no camera feature requesting this permission is a red flag.
Contacts exports your entire address book. Messaging apps need it. Fitness apps, games, and most other categories do not.
Storage allows reading and writing files on your device. File managers and document editors legitimately need this. Most other app categories should not have broad storage access.
Call logs exposes who you call, how often, and for how long. Only your phone dialler has a legitimate reason to access this.
The Over-Permission Signal
When an app asks for more than it needs to function, that request is telling you something about its business model.
A flashlight asking for microphone access. A weather app asking for contacts. A game asking for call logs. These permissions are not required for the app to work. They are required for the app to profile and monetise you.
Over-permission is not always the result of malicious intent. Sometimes it is lazy development. But the practical consequence - your data being collected and sold - is the same either way.
How to Audit Right Now
On Android: Settings > Privacy > Permission manager. This shows every permission category and which apps hold each one.
Or: long-press any app icon, tap App info, then Permissions.
On iPhone: Settings > Privacy & Security. Each permission category is listed. Tap any to see all apps holding it.
Or: Settings > [App Name] to see all permissions for a specific app in one view.
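On Android, the same audit can be scripted for readers who can connect the device to a computer. The sketch below is an added example, not part of the original guide: it parses text in the shape of `adb shell dumpsys package` output and flags granted permissions that do not fit the app's category, following the rules in "What Each Permission Actually Gives". The package names, category labels, and the category allowed to hold the microphone are assumptions made for the example.

```python
import re
# Categories the page names as legitimate holders of each permission. The
# category labels and the microphone entry are assumptions of this example.
LEGIT = {
    "android.permission.RECORD_AUDIO": {"video_calling"},
    "android.permission.CAMERA": {"video_calling", "document_scanner"},
    "android.permission.READ_CONTACTS": {"messaging"},
    "android.permission.READ_CALL_LOG": {"dialler"},
    "android.permission.READ_EXTERNAL_STORAGE": {"file_manager", "document_editor"},
    "android.permission.ACCESS_FINE_LOCATION": {"maps", "delivery"},
    "android.permission.ACCESS_BACKGROUND_LOCATION": set(),  # "always on"
}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=true")

def granted_permissions(dumpsys_text):
    """Map each package to the set of permissions marked granted=true."""
    grants, current = {}, None
    for line in dumpsys_text.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            grants.setdefault(current, set())
        elif current and (m := PERM_RE.match(line)):
            grants[current].add(m.group(1))
    return grants

def audit(dumpsys_text, categories):
    """Return sorted (package, permission) pairs worth revoking."""
    findings = []
    for pkg, perms in granted_permissions(dumpsys_text).items():
        category = categories.get(pkg, "unknown")  # unknown category: flag everything sensitive
        findings += [(pkg, p) for p in perms if p in LEGIT and category not in LEGIT[p]]
    return sorted(findings)

# Constructed sample in the shape of `adb shell dumpsys package` output.
SAMPLE = """\
Package [com.example.flashlight] (1a2b3c):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
Package [com.example.weather] (7a8b9c):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
Package [com.example.chat] (4d5e6f):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET ]
"""
CATEGORIES = {"com.example.flashlight": "flashlight",
              "com.example.weather": "weather", "com.example.chat": "messaging"}
```

Calling `audit(SAMPLE, CATEGORIES)` flags the flashlight's microphone grant, the weather app's contacts grant, and the chat app's "always on" location, while leaving the chat app's contacts access alone.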
Try It: Permission Audit Guide
Select your OS. Work through each permission category - who legitimately needs it, who never should, and the exact path to revoke it.
What That Just Showed You
1. Location, microphone, camera, and contacts are high-sensitivity permissions. These four grant access to your physical world. Apply extra scrutiny before granting any of them.
2. "While using" is almost always sufficient for location access. If an app requests "always on" location, the question is why. For nearly all apps, there is no legitimate reason.
3. Unused apps retain active permissions. An app you have not opened in six months still holds everything you granted it. Delete unused apps or revoke their permissions individually.
4. Data already collected does not disappear when you delete the app. To request deletion, use the "delete my account and data" option in the app's settings, or contact the developer under your data rights.
Three Things Worth Doing
1. Open your permission manager now and check microphone and camera. Look for any app that has microphone or camera access but has no obvious reason to need it. Revoke immediately.
2. Change location access for all apps to "while using." Go through Location Services and downgrade any "always on" settings. Few apps legitimately need continuous location tracking.
3. Delete apps you have not opened in 3 months. They are still holding permissions and potentially still collecting data. Remove them.
One Question Before You Continue
A popular flashlight app had microphone permission enabled. The user never noticed because the app worked perfectly as a flashlight. What does this tell you about how over-permission works?