69% of all Google Play Store apps requested at least one “dangerous permission” (H1 2021)
58% of all Google Play Store apps requested permission to Write External Storage (H1 2021)
30% of all Google Play Store apps requested access to the device’s fine location (H1 2021)
There is a rise of apps requesting additional access to the restricted data that may contain potentially sensitive information. Overall, 2.34 million Google Play Store apps requested at least one “dangerous permission” in the first half of 2021. This number increased by 3% YoY.
However, it is essential to remember that not all apps use potentially dangerous permissions to exploit user’s data. Instead, Pixalate is merely rendering an opinion that these facts may be suggestive of heightened risks to data subjects.
Common 'dangerous permissions' among Google Play Store apps
Nevertheless, most of the Google Play Store apps had at least one “dangerous permission.” The most common potentially nefarious permission was Writing External Storage. It allows an app to read, upload, or delete personal files stored on the user’s device, which may contain sensitive information. 1.96 million (58%) Google Play Store apps had this permission.
Another notorious permission was access to the device’s Fine Location. It gives the app the ability to pinpoint user location down to specific latitude & longitude (GPS) coordinates. This data can be so accurate that it allows the app to identify your house. Over 1 million (30%) Google Play Store apps had the ability to do so.
Camera Access increasingly common
Other common potentially dangerous permissions are Access Camera and Read Phone State. The first allows the app to record video and/or take photographs from the phone’s built-in camera. The number of apps requesting access to the camera increased YoY by 13%.
Read Phone State permission allows the app to see the user’s phone number, current cell network information, the status of any outgoing calls, etc. It was requested by over 628,000 (19%) of Google Play Store apps in H1 2021. Interestingly, it is the only dangerous permission studied that became less common compared to H1 2020. Overall, the number of apps requesting Read Phone State permission dropped by 6% YoY.
You can also watch our webinar on October 7, 2021, we will review this data - and other data about risk factors in the mobile in-app ecosystem — in greater detail.
The content of this report reflects Pixalate’s opinions with respect to the factors that Pixalate believes can be useful to the digital media industry. Any data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that, opinions, which means that they are neither facts nor guarantees. It is important to also note that the mere fact that an app receives “dangerous permissions” (as defined by Google) does not necessarily mean that such app, or its publisher, is actually exploiting data. Instead, Pixalate is merely rendering an opinion that these facts may be suggestive of heightened risks to data subjects. Pixalate is sharing this data not to impugn the standing or reputation of any entity, person or app, but, instead, to report facts as they pertain to apps in the Google Play Store. Android and Google Play are trademarks of Google LLC. “Android robot” by Google LLC is licensed under CC BY 3.0.
Disclaimer: The content of this page reflects Pixalate’s opinions with respect to the factors that Pixalate believes can be useful to the digital media industry. Any proprietary data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that - opinion, not facts or guarantees.
Per the MRC,
“'Fraud' is not intended to represent fraud as defined in various laws, statutes and ordinances or as conventionally used in U.S. Court or other
legal proceedings, but rather a custom definition strictly for advertising measurement purposes. Also per the MRC,
“‘Invalid Traffic’ is defined generally as traffic
that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts.
Among the reasons why ad traffic may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent traffic.”