App Permissions — What They Actually Access and Why Some Apps Shouldn't Have Them

The TLDR

App permissions are contracts written in plain English that nobody reads. When an app asks for “access to your contacts,” it gets your entire phonebook — names, numbers, emails, and sometimes physical addresses — uploaded to a server you don’t control. When it asks for “location always,” it tracks you 24/7 whether the app is open or not. Most people tap “Allow” because the app won’t work otherwise. Here’s what you’re actually handing over, permission by permission, and which combinations should make you delete the app immediately.

The Reality

The average smartphone has 40 apps installed. Each app requests 5–10 permissions. That’s 200–400 individual access grants to your camera, microphone, location, contacts, files, and sensors — most of which you approved on autopilot during setup.

A study by the Pew Research Center found that 60% of people have decided not to install an app after learning how much data it collects. But only 9% have actually reviewed their existing permissions.

How It Works

The Permission Dictionary

Camera: The app can activate your front or rear camera at any time it’s running (foreground or background, depending on the permission level). It can take photos and record video. Combined with background processing, an app with camera access can theoretically take photos without showing any UI indication.

Microphone: The app can record audio. This is the permission that powers voice assistants — and the one that makes people worry about being “listened to” by their phone. While mass audio surveillance by apps would be detectable and is legally actionable, individual cases of apps activating microphones outside their stated purpose have been documented.

Location — Three Levels:

• While Using: Location only when the app is open and visible. This is the reasonable default for maps and navigation.
• Always: Location access 24/7, whether the app is open or not. Very few apps legitimately need this. Weather apps don’t need it. Shopping apps definitely don’t need it.
• Precise vs. Approximate: iOS and Android now distinguish between exact GPS coordinates (precise) and a general area of ~3km² (approximate). A food delivery app needs precise. A news app needs neither.

Contacts: Your entire phonebook — names, phone numbers, email addresses, and any additional fields like physical addresses or birthdays. Facebook used contact permissions to build its “People You May Know” feature, matching uploaded phonebooks across billions of accounts. The FTC documented how this created connections people never intended — therapists connected to patients, anonymous individuals connected to people they were hiding from.

Calendar: Your schedule — events, times, locations, attendees, and notes. A calendar permission gives an app your meeting schedule, doctor’s appointments, and travel plans.

Storage / Photos: Access to files on your device. On newer Android and iOS versions, this is scoped — apps can request access to specific file types (photos, videos, audio) rather than the entire filesystem. On older systems, “storage” meant everything.

Phone (Call Logs): Your call history — who you called, who called you, duration, and timestamps. This is a behavioral profile of your social network.

SMS: Your text messages — content, sender, timestamps. This permission is required for some 2FA apps that read verification codes automatically. It’s also abused by apps that harvest message content.

Body Sensors: Heart rate, step count, and other biometric data from the phone’s built-in sensors or connected wearables.

Activity Recognition: Whether you’re walking, running, driving, cycling, or stationary. Google’s Activity Recognition API provides this to any app that requests it. It’s a behavioral profile of your daily routine.

The Combination Problem

Individual permissions are concerning. Combinations are alarming.

Camera + Microphone + Location (Always): A surveillance toolkit. An app with these three permissions can see where you are, hear what’s happening, and see what’s in front of you — at all times.

Contacts + SMS + Phone: Your entire communication profile. Who you know, who you talk to, what you text about, and your call patterns.

Location (Always) + Activity Recognition + Body Sensors: A complete behavioral and biometric profile. Where you go, how you get there, how active you are, and your health indicators.

The Abuse Cases

Facebook’s Contact Harvesting

Facebook’s “People You May Know” feature was built on contacts uploaded from billions of phones. The recommendation algorithm created connections that exposed:

• A psychiatrist’s patients to each other
• An anonymous sperm donor to his biological children
• A woman hiding from an abusive ex-partner to accounts connected to him

Facebook never disclosed to the people in your contacts that you’d uploaded their information to Facebook’s servers.

Background Location Collection

A 2018 Associated Press investigation found that Google tracked Android owners’ locations even when Location History was explicitly turned off. Google services recorded location data through Google Maps, weather updates, and web searches — separate from the Location History toggle.

Temu’s Permission Profile

The Temu class action filings alleged that the shopping app requested permissions far beyond what a marketplace needs:

• Camera and microphone access
• Access to contacts
• Access to call logs
• Precise location (always)
• Storage access to all files

This combination creates what the plaintiffs described as “spyware-level” access. A shopping app has no legitimate need for your call logs or microphone. The permissions exist for data collection.

Android vs. iOS Permission Models

iOS

Apple’s permission model is generally more restrictive:

• Apps must request each permission individually with a plain-language explanation
• App Tracking Transparency (ATT): Since iOS 14.5, apps must ask permission before tracking you across other apps and websites. Only ~25% of people opt in.
• Approximate location is the default option presented first
• Privacy Nutrition Labels in the App Store show what data an app collects before you install it
• Background location triggers periodic notifications: “This app has used your location X times in the last Y days”

Android

Android’s model has improved significantly but remains more permissive:

• Permissions are requested at runtime (since Android 6.0), not at install time
• “While using” location was added in Android 10, but “Always” is still available
• One-time permissions (Android 11+) for camera, microphone, and location
• Auto-revoke unused permissions (Android 11+) for apps you haven’t opened recently
• Google Play’s Data Safety section is self-reported by developers — not verified

The Pegasus Factor

NSO Group’s Pegasus spyware exploited zero-click vulnerabilities (CVE-2023-41064 in iOS, among others) to gain full device access without any permission prompt. Once installed, Pegasus could access everything — camera, microphone, messages, location, passwords — completely invisibly.

This is the extreme case, but it demonstrates that the permission model is a policy layer, not a security boundary. A sufficiently motivated attacker with zero-day exploits bypasses the entire permission system.

What You Can Do

The Permission Audit

Do this right now:

1. iOS: Settings → Privacy & Security → review every category (Location Services, Contacts, Microphone, Camera, etc.)
2. Android: Settings → Privacy → Permission Manager → review every category

For each app:

• Does this app need this permission to function?
• Does it need “Always” or would “While Using” work?
• Does it need precise location or would approximate work?
• When was the last time I used this app?

Rules of Thumb

• No app needs “Always” location unless it’s navigation or a find-my-phone service
• No shopping app needs microphone, camera, or contacts — revoke immediately
• Social media apps request everything — grant only what’s required for features you actually use
• If an app stops working when you revoke a permission, ask yourself if the feature that broke is worth the data you’re giving up
• Delete apps you haven’t used in a month — unused apps with active permissions are collecting data for nothing

Sources & Further Reading

• EFF: Mobile Privacy — practical mobile privacy guidance
• Temu Class Action Filings — documented allegations of excessive data collection
• Amnesty International: Pegasus Project — forensic methodology for detecting Pegasus spyware
• CISA Mobile Security Guide — federal mobile device security guidance
• Apple App Store Privacy Labels — Apple’s data collection disclosure framework
• Pew Research: Mobile Privacy — survey data on app permission awareness