It’s no secret that Facebook can track pretty much every detail about your personal life. But did you know that Happy Fish—a popular kids game based on the Android operating system—might be a worse privacy offender?
Happy Fish’s developer, HappyElements, programmed the game so that it can collect a trove of information about you (and your kids) through the app. The game knows your precise location, has access to your photos and can read your text messages. It can even tell which Wi-Fi network you’re using.
We’ll get to why the game does this in a minute—and what it does and doesn’t do with that information—but let’s just pause for a second.
This is a bit creepy, right?
Plenty of people think so. Just check out some of the reviews on hit games. Fruit Ninja, for instance, consistently weirds people out with the personal data it asks them to fork over. The permissions “are crazy,” writes one reviewer. “I will never install this until it is clear as to why the developer needs access to all your private content.”
We reached out to Jason Hong, a professor of computer science at Carnegie Mellon and founder of PrivacyGrade.org, a site that ranks apps by how well they respect your personal privacy. Hong is a leading researcher on app security. So we asked him: What do the most downloaded apps know about us, and what do they do with that information?
Hong helped us run an analysis of these apps– and you can see the results in the chart below. We chose to focus on Android apps for a couple of reasons. First, there are about a billion Android users, which gives them about 62 percent of the smartphone market, compared with Apple’s 33 percent. Second, Android, unlike Apple, makes it easy to run a robot to retrieve the permission data easily. But our findings are relevant for any mobile phone user—it’s a barometer of what app makers think they can get away with.
As you’ll see from our chart, running down the left side, we’ve listed 25 of some of the most popular apps in the Google Play store, including Skype, Facebook and WhatsApp. There are actually about 60 permissions that these apps can ask for—everything from making your phone vibrate to accessing your camera. (You can find a full list of all the potential permissions here.) For practical reasons, we asked Hong to highlight four permissions that he thought were potentially the most alarming. Across the top, we list those four: contacts, text messages, call log and microphone. All of these are pretty straightforward, but the microphone permission is especially eerie. Imagine all the audio around you being recorded by some app, without your knowledge.
To be clear, these apps don’t actually activate your microphone until you tell them to (e.g. you make a phone call on the Skype app), but in the future, that may change. Facebook freaked out users in May when it announced a new (optional) feature that would let the microphone listen in on your conversations.
Our chart ranks the apps (top to bottom) that ask for the most permissions. As you can see, AntiVirus Security, Viber and Facebook top the charts in terms of the number of permissions they request. But it’s not at all uncommon for apps to request the four pieces of personal data that we’re hightlighting. In fact, more than half of the 25 apps have access to your contacts, and about a third tap into your text messages, call log and microphone.
If you’re an Android user, this might make you a little uncomfortable. Most people probably don’t even pay attention to the permissions page that pops up before they download an app. It definitely asks you to accept the list of permissions the app is requesting, but it all happens extremely fast. It’s like checking the box on a “terms and conditions” page—easy and forgettable. Most people also probably don’t know that once they’ve download the app, the app will never again ask for permission for anything it’s accessing.