Mobile apps often request more access than they need, exposing businesses to unnecessary risk. Dangerous permissions let Android apps reach sensitive user data and device functions such as reading messages, recording audio, accessing stored files or tracking real-time location. On iOS, dangerous entitlements grant an app capabilities beyond those of an ordinary sandboxed app, including access to protected system-level features and, in the case of private entitlements, the ability to sidestep controls the sandbox would otherwise enforce.
Overreaching permissions and entitlements expand the mobile attack surface, thereby increasing the chances of compromising corporate data and privacy. Many mobile apps have perfectly legitimate reasons for requesting certain types of data to function, such as a video app requesting access to photos or a quick-serve restaurant mobile app requesting location tracking. It’s the combination of these dangerous permissions with other common mobile app risks, such as insecure storage, leaky SDKs or weak transport security, that can lead to trouble.
Whether abused by attackers, exploited by shady SDKs or mishandled by developers, dangerous permissions and entitlements can open the door to data leakage, surveillance, tracking and data harvesting. This blog breaks down how dangerous permissions and entitlements work in Android and iOS apps, where the risks lie and what you can do to mitigate the threat.
Dangerous Permissions Put Privacy at Risk
NowSecure performs automated mobile application security testing to identify security, privacy and compliance risks in mobile apps. Our assessments of more than 378,000 Android apps over the past year found 62% requested one or more dangerous permissions. On iOS, out of 335,000 assessments conducted during the same period, nearly 31,000 apps used dangerous entitlements. Across both platforms, 37% of all assessments found risky permissions. Learn more about the most common issues our analysis has uncovered over the years in this talk from NowSecure Founder Andrew Hoog, “525,600 Assessments Later: Top Mobile App Risks Since 2022.”
Android: Dangerous Permissions and Overreaching Access
What Are Dangerous Permissions?
On Android, every permission carries a protection level. Those marked dangerous (the runtime permissions) guard private user data or actions that affect other apps or the device, and since Android 6.0 (API 23) the user must grant them at runtime rather than at install time. Examples include:
READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE (largely superseded on newer Android versions by scoped storage and the finer-grained READ_MEDIA_* permissions, but still widely declared)
RECEIVE_SMS / SEND_SMS
RECORD_AUDIO, ACCESS_FINE_LOCATION, CAMERA
Although these permissions require user approval at runtime, they’re frequently granted without scrutiny or thought. According to a CyberNews analysis of the top 50 apps in Google Play, those apps list an average of 11 dangerous permissions in their manifests, with communication and shopping apps being the most data hungry. (The manifest, AndroidManifest.xml, declares every permission an app can ever request, so it is the first place to audit.)
CyberNews found the most requested permissions include:
Post notifications
Write external storage
Read external storage
Camera
Record audio
Read media images
These permissions can be misused in isolation or, worse, combined with third-party SDKs that turn granted access into privacy-invasive ad targeting and surveillance.
The Android developer guidance emphasizes the principle of least privilege: apps should only request what’s necessary for a specific function and no more. “When the user requests a particular action in your app, your app should request only the permissions that it needs to complete that action,” states the Android Developer Documentation. In practice that means requesting a runtime permission at the moment the feature is used rather than at launch, and not declaring a permission at all when the platform offers a permission-free alternative (the system photo picker, for example, returns a user-selected image without any storage permission). Unfortunately, many apps don’t follow this best practice.
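The manifest-level audit described above, as an added example that is not NowSecure’s code and not part of the original post: a Python script that parses an AndroidManifest.xml (the constructed sample below stands in for one decoded from an APK with apktool), flags permissions that fall in the dangerous set, separates those neutralized on current devices by android:maxSdkVersion, and fails when an active dangerous permission is not on the app’s justified allowlist. The DANGEROUS set is an illustrative subset of the platform’s list, and the hypothetical shopping app, its package name and its allowlist are assumptions.

```python
"""Flag dangerous permissions in an AndroidManifest.xml against a per-app allowlist.

Added example (not NowSecure's code). Run it on a manifest decoded from an APK,
e.g. the AndroidManifest.xml that `apktool d app.apk` writes out.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
MAX_SDK_ATTR = f"{{{ANDROID_NS}}}maxSdkVersion"

# Illustrative subset of Android's runtime ("dangerous") permissions.
# The authoritative list is the platform's own protection-level table.
DANGEROUS = frozenset(
    "android.permission." + p
    for p in (
        "CAMERA", "RECORD_AUDIO",
        "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "ACCESS_BACKGROUND_LOCATION",
        "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
        "READ_CALENDAR", "WRITE_CALENDAR",
        "READ_SMS", "SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS", "RECEIVE_WAP_PUSH",
        "READ_PHONE_STATE", "READ_PHONE_NUMBERS", "CALL_PHONE", "ANSWER_PHONE_CALLS",
        "READ_CALL_LOG", "WRITE_CALL_LOG", "ADD_VOICEMAIL", "USE_SIP",
        "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
        "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO", "READ_MEDIA_AUDIO",
        "POST_NOTIFICATIONS", "BODY_SENSORS", "ACTIVITY_RECOGNITION",
        "BLUETOOTH_SCAN", "BLUETOOTH_CONNECT", "BLUETOOTH_ADVERTISE", "NEARBY_WIFI_DEVICES",
    )
)

# Constructed sample manifest for a hypothetical shopping app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="28"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="Shop"/>
</manifest>
"""

# Assumed allowlist: what this app's product owner has justified (barcode
# scanning needs the camera; order updates need notifications).
SHOP_ALLOWLIST = frozenset({
    "android.permission.CAMERA",
    "android.permission.POST_NOTIFICATIONS",
})


def declared_permissions(manifest_xml: str) -> dict[str, int | None]:
    """Map each <uses-permission> name to its android:maxSdkVersion (None if unset)."""
    root = ET.fromstring(manifest_xml)
    declared: dict[str, int | None] = {}
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(NAME_ATTR)
            if not name:
                continue
            max_sdk = el.get(MAX_SDK_ATTR)
            declared[name] = int(max_sdk) if max_sdk else None
    return declared


def audit_manifest(manifest_xml: str, allowlist: frozenset[str]) -> dict[str, list[str]]:
    """Classify dangerous permissions: all of them, those capped to old API levels,
    and those still active on current devices but absent from the allowlist."""
    declared = declared_permissions(manifest_xml)
    dangerous = sorted(p for p in declared if p in DANGEROUS)
    # A maxSdkVersion cap (e.g. WRITE_EXTERNAL_STORAGE up to API 28) means the
    # permission is not requested at all on newer devices, so it is lower risk
    # but still worth reviewing for removal.
    capped = [p for p in dangerous if declared[p] is not None]
    active = [p for p in dangerous if declared[p] is None]
    unjustified = [p for p in active if p not in allowlist]
    return {"dangerous": dangerous, "capped": capped, "unjustified": unjustified}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, SHOP_ALLOWLIST)
    for category, perms in report.items():
        print(f"{category}: {', '.join(perms) or '(none)'}")
    # Non-zero exit makes the check usable as a CI gate on every build.
    sys.exit(1 if report["unjustified"] else 0)
```

Run against the sample, the script reports ACCESS_FINE_LOCATION and RECORD_AUDIO as unjustified and exits non-zero; the allowlist is the artifact that forces a conversation between development and security about why each dangerous permission exists.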
iOS Entitlements and the Illusion of Safety
Unlike Android’s manifest permissions, iOS entitlements are key-value pairs embedded in the app’s code signature at build time. They grant capabilities to the binary itself and are never something the user is asked to approve. Apple Developer documentation notes they enable special access to system-level features such as:
Network extensions
File system operations
Background processes
Access to sensitive APIs
Some entitlements are private and undocumented, reserved for Apple’s own apps or select partners, and App Review rejects third-party binaries that carry them. Security researchers have nonetheless documented growing abuse of these hidden channels, which can invite spyware or malware onto compromised or jailbroken devices.
Recent analysis revealed that more than 40,000 iOS apps use private entitlements, many sideloaded or installed via enterprise certificates. Distribution outside the App Store bypasses App Review, the one gate that checks an app’s entitlements against what its developer account is permitted to hold, and so increases the risk of app sandbox escapes, surveillance of user behavior and exploits that leverage privilege escalation.
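An entitlement triage along the same lines, again an added example rather than NowSecure’s code or anything from the original post: Python that reads an entitlements property list (as printed for a signed binary by codesign’s --entitlements option) and flags private Apple entitlements, a debuggable get-task-allow build, and documented but powerful capabilities that deserve manual justification. The two sample plists, the hypothetical app identifiers, the private-prefix list and the high-privilege table are illustrative assumptions, not a complete catalogue.

```python
"""Triage an iOS/macOS entitlements plist for private and high-privilege keys.

Added example (not NowSecure's code). Feed it the XML that
`codesign -d --entitlements` prints for a signed binary.
"""
from __future__ import annotations

import plistlib

# Entitlement namespaces that only Apple's own signing identity can grant;
# a third-party binary carrying one was not signed through normal App Store
# channels. Illustrative, not exhaustive.
PRIVATE_PREFIXES = ("com.apple.private.",)
PRIVATE_KEYS = frozenset({"platform-application"})

# Documented entitlements that are legitimate but widen reach far beyond a
# typical app; each should be justified by a core feature.
HIGH_PRIVILEGE = {
    "com.apple.developer.networking.networkextension": "can filter, proxy or tunnel all device traffic",
    "com.apple.developer.networking.vpn.api": "can configure VPN tunnels",
    "keychain-access-groups": "reads keychain items shared with the listed groups",
    "com.apple.security.application-groups": "shares container data with the listed groups",
}

# Constructed sample: a hypothetical sideloaded app (identifiers are made up).
SIDELOADED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>application-identifier</key>
  <string>ABCDE12345.com.example.sideloaded</string>
  <key>get-task-allow</key>
  <true/>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>packet-tunnel-provider</string></array>
  <key>com.apple.private.security.no-sandbox</key>
  <true/>
  <key>keychain-access-groups</key>
  <array><string>ABCDE12345.*</string></array>
</dict>
</plist>
"""

# Constructed sample: what a plain App Store build typically carries.
STORE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>application-identifier</key>
  <string>ABCDE12345.com.example.shop</string>
  <key>aps-environment</key>
  <string>production</string>
  <key>get-task-allow</key>
  <false/>
</dict>
</plist>
"""


def triage_entitlements(plist_bytes: bytes) -> dict:
    """Return the private keys, debug flag and high-privilege capabilities found."""
    ents = plistlib.loads(plist_bytes)
    findings = {"private": [], "debuggable": False, "high_privilege": {}, "wildcard_groups": []}
    for key, value in ents.items():
        if key.startswith(PRIVATE_PREFIXES) or key in PRIVATE_KEYS:
            findings["private"].append(key)
        elif key == "get-task-allow":
            # True means any process able to attach a debugger can read the
            # app's memory; a shipped build must have this false or absent.
            findings["debuggable"] = bool(value)
        elif key in HIGH_PRIVILEGE:
            findings["high_privilege"][key] = value
            # A "<teamid>.*" group grants access to every keychain item or
            # container the team signs, not just this app's own.
            if isinstance(value, list) and any(str(v).endswith(".*") for v in value):
                findings["wildcard_groups"].append(key)
    findings["private"].sort()
    return findings


def should_block(findings: dict) -> bool:
    """Policy: private entitlements or a debuggable build are never acceptable
    on a managed device; high-privilege keys go to manual review instead."""
    return bool(findings["private"]) or findings["debuggable"]


if __name__ == "__main__":
    for label, blob in (("sideloaded", SIDELOADED_ENTITLEMENTS), ("store", STORE_ENTITLEMENTS)):
        f = triage_entitlements(blob)
        print(f"{label}: block={should_block(f)} private={f['private']} "
              f"high_privilege={list(f['high_privilege'])} wildcard={f['wildcard_groups']}")
```

The split between a hard block and a review queue matters: a network extension or shared keychain group is exactly what a corporate VPN or SSO app needs, so the script reports those for a human to justify instead of rejecting them outright.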
Popular Apps Request Unnecessary Access
Apple enterprise management solution maker Jamf conducted an extensive study of 100,000 iOS apps to highlight the data apps collect. The study found that popular apps request excessive permissions that don’t serve the app’s core function. Note that these are iOS privacy permissions, declared through Info.plist usage-description keys and approved by the user at runtime; they are distinct from entitlements, though both widen what an app can reach. The most frequently requested permissions are as follows:
Photos
Camera
Location
Microphone
Not surprisingly, the top categories of apps that requested such permissions are photo & video, shopping apps and social networking. Even when not essential to core app functionality, these data access requests persist — exposing businesses and users to unnecessary risk.
The Enterprise Impact
Granting dangerous permissions to an Android app, or running an iOS app that carries dangerous entitlements, opens the door to several risks, including surveillance, sensitive data exfiltration, advertising profiling and behavioral tracking. Location data exposure can even jeopardize physical safety.
The risks include:
Data Leakage: Sensitive information can be accessed, stored or transmitted without oversight.
User Tracking: Cross-app surveillance and behavioral analytics compromise user privacy.
Shadow IT: Apps downloaded outside official IT channels may bypass policy enforcement.
Compliance Risk: Violating GDPR, HIPAA or other data privacy regulations can be costly.
Brand Damage: A mobile app breach can erode user trust and damage corporate reputation.
Best Practices for CISOs and AppSec Leaders
Individuals and organizations can take steps to protect themselves from unnecessary permissions. The Cybersecurity & Infrastructure Security Agency (CISA) advises users to install only necessary apps, deny permissions that aren’t essential and remove unused apps regularly.
CISOs and application security leaders should adopt comprehensive mobile app risk management programs to safeguard corporate data and protect their organizations’ digital footprints.
1. Enforce Least Privilege in Development
Mandate that internal and third-party developers request only the permissions required for app functionality.
2. Vet Third-Party SDKs
Apps with embedded SDKs often introduce silent, bundled risk: on Android the build merges each SDK’s own manifest into the app’s, so a dangerous permission can ship in the APK without any developer having written it. Assess all third-party components for privacy and security implications through NowSecure Mobile Pen Testing as a Service (PTaaS) or automated testing.
3. Continuously Monitor Permissions and Entitlements
Use automated mobile application security testing solutions like NowSecure Platform to detect dangerous permissions and entitlement abuse throughout the app development lifecycle.
4. Assess Third-Party Apps for Risk
Evaluate the security and privacy posture of third-party mobile apps with NowSecure Mobile App Risk Intelligence before bringing them to the enterprise and continuously monitor them to manage risk.
Safeguard Your Mobile Ecosystem
Dangerous permissions and entitlements in mobile apps can expose your organization to data leaks and compliance risks. Security leaders must identify and manage these threats proactively. Contact NowSecure for help strengthening mobile app risk management to protect the business.
The post How Dangerous Mobile App Permissions Threaten Enterprise Security appeared first on NowSecure.