The Fixation With App Permissions: Truecaller Requesting Irrelevant Permissions

Just Give Me Permissions! (Wtf, n.d.)

Background

Recently the phone number identification service Truecaller's Android app began showing a notification and a message whenever the app is opened, prompting users to get the latest features, which is a little odd since I have set up my Google Play Store app to auto-update apps (while on Wi-Fi to save on data charges). The apps update themselves, and when I use them and find the updates, it is a pleasant surprise.


Utility of App Permissions

If an update of an app requires more permissions than the app already has, then the app cannot auto-update. Updating the app requires manual action from the user, who has to consent to the newly requested permissions before the app can be updated (Chenon, 2013).

The purpose of these permissions is to help the user review whether the app's security and privacy are acceptable given the stated goals of the app, and decide whether to install the app or not (Kelley et al., 2012).

Truecaller

Well, on Android, Truecaller version 7.71 (as of 21 November 2016) wants access to permissions including (emphasis mine) ("Truecaller: Caller ID & Dialer - Android Apps on Google Play", 2016):

Version 7.71 can access:
In-app purchases

Identity
    find accounts on the device
    add or remove accounts
    read your own contact card

Calendar
    read calendar events plus confidential information

Contacts
    find accounts on the device
    read your contacts
    modify your contacts

Location
    approximate location (network-based)
    precise location (GPS and network-based)

SMS
    read your text messages (SMS or MMS)
    receive text messages (MMS)
    receive text messages (SMS)
    send SMS messages
    edit your text messages (SMS or MMS)


Phone
    directly call phone numbers
    directly call any phone numbers
    modify phone status
    reroute outgoing calls
    read call log
    read phone status and identity
    write call log
    add voicemail

Photos / Media / Files
    read the contents of your USB storage
    modify or delete the contents of your USB storage


Storage
    read the contents of your USB storage
    modify or delete the contents of your USB storage


Microphone
    record audio


Wi-Fi connection information
    view Wi-Fi connections

Device ID & call information
    read phone status and identity

Other
    use any media decoder for playback
    bind to a notification listener service
    download files without notification
    MMS Wakeup
    read voicemail
    write voicemails
    receive data from Internet
    view network connections
    create accounts and set passwords
    change network connectivity
    disable your screen lock
    full network access
    change your audio settings
    control Near-Field Communication
    run at startup
    draw over other apps
    use accounts on the device
    control vibration
    prevent device from sleeping
    modify system settings
    install shortcuts
    uninstall shortcuts

Why does a phone number identification app require access to calendar (events plus confidential information), SMS/MMS, Near-Field Communication or microphone? I requested clarification on these permissions from Truecaller on Twitter but have not heard from them.

Impressions

This feels high-handed in that a useful service is shoving down high-risk permissions along with many simple and low-risk permissions, thus making them difficult to identify in the large collection of permissions, which, as per Liccardi, Pato & Weitzner (2013), is a common trend among apps.

In addition, a sizeable number of the high-risk permissions are not relevant to the app's primary stated purpose, "Truecaller identifies unknown callers and blocks nuisance calls" ("Truecaller: Caller ID & Dialer - Android Apps on Google Play", 2016), and I cannot make the connection between identifying unknown numbers and accessing a user's calendar events.
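
The review described under Utility of App Permissions and Impressions, as an added example that is not part of the original post: it compares the permissions requested by two versions of an app and pulls the dangerous ones that fall outside the app's stated purpose out of the long list. The package com.example.callerid, both manifests, and the choice of PHONE and CONTACTS as the expected groups are constructed assumptions; the grouping of dangerous permissions is the one Android 6.0 uses.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions Android 6.0 classifies as "dangerous", by permission group.
DANGEROUS = {
    "CALENDAR": ["READ_CALENDAR", "WRITE_CALENDAR"],
    "CAMERA": ["CAMERA"],
    "CONTACTS": ["READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"],
    "LOCATION": ["ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"],
    "MICROPHONE": ["RECORD_AUDIO"],
    "PHONE": ["READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG",
              "ADD_VOICEMAIL", "USE_SIP", "PROCESS_OUTGOING_CALLS"],
    "SENSORS": ["BODY_SENSORS"],
    "SMS": ["SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS"],
    "STORAGE": ["READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"],
}
GROUP_OF = {"android.permission." + p: g for g, ps in DANGEROUS.items() for p in ps}

def requested(manifest_xml):
    """Permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def review_update(old_xml, new_xml, expected_groups):
    """Diff two versions; list dangerous permissions outside the app's purpose."""
    old, new = requested(old_xml), requested(new_xml)
    added = sorted(new - old)
    unexpected = [(GROUP_OF[p], p, p in added) for p in sorted(new)
                  if p in GROUP_OF and GROUP_OF[p] not in expected_groups]
    # Per the article: any newly requested permission blocks auto-update.
    return {"needs_consent": bool(added), "added": added, "unexpected": unexpected}

def manifest(*names):
    """Build a constructed manifest for the hypothetical app com.example.callerid."""
    uses = "".join('<uses-permission android:name="android.permission.%s"/>' % n
                   for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.callerid">%s</manifest>' % uses)

OLD = manifest("INTERNET", "READ_PHONE_STATE", "READ_CONTACTS", "READ_CALL_LOG")
NEW = manifest("INTERNET", "READ_PHONE_STATE", "READ_CONTACTS", "READ_CALL_LOG",
               "READ_CALENDAR", "RECORD_AUDIO", "NFC", "VIBRATE")

if __name__ == "__main__":
    # Reviewer's assumption: a caller-ID app plausibly needs PHONE and CONTACTS.
    report = review_update(OLD, NEW, {"PHONE", "CONTACTS"})
    print("manual consent needed:", report["needs_consent"])
    for group, perm, is_new in report["unexpected"]:
        print("%-10s %s%s" % (group, perm, " (new in update)" if is_new else ""))
```
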

References

Chenon, R. (2013). Android app auto update on Google Play and permissions change. Stackoverflow.com. Retrieved 22 November 2016, from http://stackoverflow.com/a/17491309/216084

Kelley, P., Consolvo, S., Cranor, L., Jung, J., Sadeh, N., & Wetherall, D. (2012). A Conundrum of Permissions: Installing Applications on an Android Smartphone. Financial Cryptography And Data Security, 68-79. http://dx.doi.org/10.1007/978-3-642-34638-5_6

Liccardi, I., Pato, J., & Weitzner, D. J. (2013). Improving Mobile App Selection through Transparency and Better Permission Analysis. Journal of Privacy and Confidentiality, 5(2), 1-55.

Truecaller: Caller ID & Dialer - Android Apps on Google Play. (2016). Web.archive.org. Retrieved 22 November 2016, from https://web.archive.org/web/20161114230804/https://play.google.com/store/apps/details?id=com.truecaller 

Wtf, P. just give me permissions wont have issues | Picar…. memegenerator.net. Retrieved 22 November 2016, from https://memegenerator.net/instance/36627508