Why Apps Request Excessive Permissions
When you install a new app and it asks for access to your contacts, location, or microphone, there are two possible reasons: the app genuinely needs that data to function, or it is harvesting data beyond what its core purpose requires. Both happen routinely, and the distinction is often opaque to users who tap "Allow" without reading the prompt.
Many legitimate apps over-request permissions as a precaution — asking for access they might use eventually — while others are explicitly designed to collect as much personal data as possible for advertising, sale to data brokers, or outright malicious purposes. The permission screen is your last line of defence before granting an app access to sensitive parts of your device.
Permission Types and When They Are Suspicious
Different permission types carry very different risk profiles. Understanding what each one grants helps you spot requests that don't make sense for the app in question.
- Contacts — grants read access to your entire address book, including phone numbers and email addresses. A game, weather app, or flashlight has no legitimate need for this. Harvested contact lists are valuable for spam, phishing campaigns, and social engineering
- Location — distinguish between "while using the app" (reasonable for navigation) and "always" or background location tracking. An app that tracks your location continuously builds a precise log of where you live, work, worship, and socialise
- Microphone — required for voice calls and voice search, but a flashlight, calculator, or image filter app has no reason for microphone access. Apps with microphone access can in theory listen passively
- Camera — needed for photography apps, video calls, and QR scanners. A calculator or unit converter requesting camera access is a clear red flag
- SMS (Read/Send) — the most dangerous permission for most users; see the alert below
- Storage / Files — grants the ability to read files on your device. Legitimate uses exist (document editors, media players), but broad storage access can expose photos, documents, and cached credentials
SMS permission is particularly dangerous. An app with SMS read access can intercept the one-time passwords your bank, email provider, and other services send via text message — effectively bypassing SMS-based multi-factor authentication entirely. Only messaging apps should ever have this permission.
How to Audit App Permissions
Both Android and iOS allow you to review and revoke permissions for any installed app. Make this a routine after installing anything new, and revisit your permissions every few months.
On Android: go to Settings, then Apps (or Application Manager), select the app you want to audit, and tap Permissions. You can toggle each permission individually. Alternatively, go to Settings → Privacy → Permission Manager to see all apps that have been granted a specific permission at once — useful for finding every app with microphone or location access.
On iOS: go to Settings, scroll to Privacy & Security, and tap a permission type (Location Services, Contacts, Microphone, etc.) to see every app that has requested it and what level of access they have. You can also tap an individual app in the Settings list to see all permissions it has requested.
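On Android the same audit can be scripted when adb is available. The following is an added example, not part of the original article: it parses the `runtime permissions:` block that `adb shell dumpsys package <pkg>` prints, rebuilds the per-permission view that Permission Manager shows, and flags any SMS holder that is not on a messaging-app allowlist. The two package dumps embedded below are constructed samples, not real device output.

```python
"""Offline audit of Android runtime permissions parsed from `adb shell dumpsys package <pkg>` output.
Added example, not from the original article. The 'runtime permissions:' layout follows what
dumpsys prints on recent Android releases; SAMPLE_DUMPS are constructed, not real device output."""
import re
from collections import defaultdict

# Permissions the article singles out as high-risk, keyed to the category shown in Settings.
HIGH_RISK = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "Location (always)",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.CAMERA": "Camera",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
}

# Constructed sample dumps: a flashlight app holding SMS and Contacts, and a messenger.
SAMPLE_DUMPS = {
    "com.example.flashlight": """
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
""",
    "com.example.messenger": """
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
""",
}

PERM_LINE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)", re.M)

def granted_permissions(dump):
    """Return the set of runtime permissions currently granted in one package dump."""
    return {name for name, state in PERM_LINE.findall(dump) if state == "true"}

def permission_manager_view(dumps):
    """Invert per-app dumps into a per-category map of apps, like Settings > Permission Manager."""
    view = defaultdict(set)
    for pkg, dump in dumps.items():
        for perm in granted_permissions(dump) & set(HIGH_RISK):
            view[HIGH_RISK[perm]].add(pkg)
    return {cat: sorted(pkgs) for cat, pkgs in sorted(view.items())}

def unexpected_sms_holders(dumps, messaging_apps):
    """Apps holding any SMS permission that are not on the user's messaging-app allowlist."""
    return [p for p in permission_manager_view(dumps).get("SMS", []) if p not in messaging_apps]
```

On a real device, feed `adb shell dumpsys package <pkg>` output for each installed package into `SAMPLE_DUMPS` in place of the constructed text; the flashlight app in the sample is exactly the kind of mismatch the article describes.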
Red Flags and Stalkerware
Certain patterns should trigger immediate suspicion regardless of what an app claims to do:
- Apps from unknown developers outside the official app stores requesting extensive permissions
- Permissions that have no conceivable connection to the app's stated function
- Apps that refuse to work unless you grant optional permissions — legitimate apps should function without data they merely want but don't require
- Stalkerware — malicious apps designed to hide from the device owner while monitoring calls, messages, location, and activity. These are often disguised as system utilities, battery optimisers, or device cleaners and are frequently installed by someone with brief physical access to the device
After installing any new app, review its permissions immediately and revoke anything unnecessary. If an app stops functioning when you revoke a permission it has no reasonable need for, that itself is a signal worth investigating.