Privacy and app permissions audit

Spyware is the dramatic threat, but the everyday one is quieter: legitimate apps that request — and receive — access to your location, contacts, microphone, camera and files they have no real reason to use. A flashlight app that wants your contacts, a simple game that requests your location at all times, a "free" utility that reads your messages. Individually annoying; collectively, a serious erosion of your privacy. A permissions audit puts you back in control.

The permissions that matter most

Some permissions are far more sensitive than others. Pay closest attention to:

• Location — especially "allow all the time" rather than "while using". Few apps genuinely need background location.
• Microphone and camera — an app that can access these without an obvious reason can, in principle, listen or watch.
• Contacts — frequently harvested and sold; ask whether the app truly needs your address book.
• SMS and call logs — extremely sensitive; legitimate reasons are rare outside of messaging and dialer apps.
• Accessibility and device-admin — the most powerful of all, and the ones stalkerware abuses. Treat any request here with deep suspicion.
• Storage and "all files access" — broad file access can expose documents and photos.

How to audit on Android

Android offers a built-in Privacy Dashboard (Settings → Privacy → Permission manager) that groups apps by permission. Go category by category — Location, Camera, Microphone, Contacts, SMS — and for each, ask whether every listed app actually needs it. Revoke generously; you can always grant access again if an app genuinely stops working. Pay special attention to Special access → Device admin apps and Accessibility, where the most dangerous permissions live.

How to audit on iPhone

On iOS, go to Settings → Privacy & Security. Like Android, it is organised by category. Review Location Services (and switch apps from "Always" to "While Using" or "Never" where possible), then Microphone, Camera, Contacts and Photos. iOS also shows an App Privacy Report that reveals how often apps accessed sensitive data and which domains they contacted — a powerful way to catch an app phoning home more than it should.

Spotting an over-reaching app

Ask three questions about each permission an app holds:

1. Does its core function require this? A photo editor needs camera and photos; it does not need your contacts or location.
2. When does it use the access? "While using" is usually fine; "always" deserves scrutiny.
3. Where does the data go? An app that accesses sensitive data and then contacts many unfamiliar advertising or tracking domains is collecting more than it admits.

If an app fails these tests and you cannot find a good reason, revoke the permission or remove the app entirely.

When over-reach becomes spyware

The line between aggressive data collection and outright spyware is not always sharp. An app that secretly records audio, exfiltrates messages, or hides itself has crossed it. If a permissions audit turns up an app you cannot account for — particularly one with accessibility or device-admin rights — treat it as a potential threat and confirm it with our scanner. Our stalkerware detection guide covers what to do next.

Building privacy habits

Grant the minimum permission an app needs to do its job, prefer "while using" over "always", deny anything that feels excessive, and uninstall apps you no longer use. Combine a periodic permissions audit with network monitoring to see not just what apps can access, but where your data actually goes. Small, consistent choices add up to a dramatically smaller attack surface.