A light, a light, my privacy for a light.


(Apologies to William Shakespeare.)  Last night, I wanted a flashlight app for my Android phone [if you must know, I was cleaning up after the dog, outside].   So, I went and looked in Google Play [the thing that used to be named the Android Market], and I found that all the free flashlight apps wanted insane, invasive permissions.

What permissions does a flashlight actually need?    Well, what does a flashlight app actually do?  It simply displays a screen full of white.  It doesn’t need any data to do that.   The one permission that a flashlight may need is the ability to keep your phone from going to sleep, just so that the flashlight doesn’t unexpectedly go off after a minute or two.

But, what did I find amongst the free apps?

  • Brightest Flashlight Free needs your location.   What the heck?   A flashlight in Kansas is a flashlight in Iowa; why does it need to know where I am?    It needs full internet communication.   It needs the ability to write to permanent memory; it needs some access to your phone.  What kind of app would need all those permissions?
  • This is probably an advertising app.   An advertising app would want internet access to get the ads that it will show you.  It wants to know where you are to show you more interesting advertisements.   [Personally, though, I don’t want many apps knowing my Fine GPS position.  Fine position will tell people exactly where you are and where you live.  It’s much more invasive than coarse positions, which will only tell people what neighborhood you live in.]
  • Access to your SD card is somewhat mysterious.   I suspect that it wants the ability to make up a unique identifier for you and store it on your SD card, so that the advertisers can keep track of which ads they have shown you.    But, it’s hard to tell.
  • Why do they want access to your phone?   It might be as simple and innocent as the need to turn the flashlight app off if a phone call comes in.   Again, it’s hard to say without looking inside the app at the code that they actually use.   [Unfortunately, the current Android permissions scheme lumps together some permissions that might better be separated.  It would be nice if the ability to detect that you have an incoming phone call was separated from the ability to see who you are calling.]
  • Here’s another flashlight app that that looks even more evil.   In addition to the above stuff, an app called Flashlight wants the ability to modify your system’s configuration and turn your phone on and off.    Why would a flashlight app want to turn your phone on?   Can you think of one possible reason that’s not evil?   I want a flashlight to turn on when I push the button, not any other time.
  • Of course, when someone else turns the “flashlight” app on, I’m sure it won’t be lighting up. It only calls itself a flashlight app.   What it’ll be doing is quietly spying on you.
  • As for modifying the system configuration, I’ll quote Google on what that permission means: “Allows the app to modify the system’s settings data. Malicious apps may corrupt your system’s configuration.”    And, we’re already pretty sure it’s malicious, or at the least it’s very invasive.

Some permissions are ambiguous.   Lots of apps want access to your camera, but why?   Possibly the app wants it to take pictures of you, but more likely it wants to use the camera’s flash as a flashlight.    I can’t see them really wanting pictures: most of the time, the camera isn’t pointed anywhere interesting, and it would take some sophisticated image processing software to even begin to separate all those pictures of the ceiling above the kitchen counter (taken when your phone is charging) from the few that might have value to someone.   [When you think “value”, it’s more likely that the guys who wrote the app are thinking about “making money” instead of really evil purposes.]

In the 5 minutes I spent standing outside, I didn’t find a free flashlight that I would dare to put onto my phone.   [Admittedly, I only looked the most popular six.]  But the first paid app I looked at was entirely reasonable.   That’s a different app called Flashlight, but this one is by bleepbloop.org [link here].  It only uses the screen, so it’s not as bright as ones that use the camera’s LED, but it works, it’s tiny, and the only permission it requests is the ability to keep the phone from turning off.   It costs $0.99, which seems a fair price.

That seems to be the story all across the Google Play Market.  You get what you pay for.   If you want a free app, you’ve got to ask yourself how the authors make their money.  The answer is — frequently — that they are going to show you some advertising.  Sometimes, they’ll watch you and sell your data to someone who wants to advertise to you. But sometimes, it could be something worse.  Be careful.