App Permissions Audit Guide: What Your Apps Really Access
Every app on your phone requests permissions to access device capabilities: camera, microphone, contacts, location, photos, files, call logs, and more. Many apps request far more permissions than they need, collecting data for advertising, analytics, and resale to data brokers. A 2023 study found that the average Android app requests 11 permissions, and 60 percent of those permissions have no clear connection to the app’s core functionality.
Understanding Permission Categories
Location. “Precise location” provides GPS-level accuracy (within meters). “Approximate location” provides city-level accuracy. Background location access allows tracking even when the app is not open. A weather app needs approximate location; a flashlight app needs no location access at all.
Camera and microphone. These permissions allow an app to capture photos, video, and audio. A video calling app needs camera and microphone access. A calculator does not. Be especially cautious of background camera and microphone access.
Contacts. Access to your contacts list exposes names, phone numbers, email addresses, and potentially physical addresses of everyone in your address book. Social media apps request this for “friend suggestions,” but the data is also used to build social graph profiles.
Storage and photos. File access allows reading, modifying, and deleting files on your device. Photo library access exposes your entire photo collection, including metadata (location, date, time) embedded in each image.
Phone and SMS. Call log access reveals who you communicate with and when. SMS access allows reading, sending, and intercepting text messages, which is how some malware steals 2FA codes.
How to Audit
iOS: Settings > Privacy & Security. Each category (Location Services, Contacts, Camera, etc.) shows which apps have access. Review each category and revoke access for apps that do not need it. Set location permissions to “While Using” rather than “Always” wherever possible.
Android: Settings > Privacy > Permission Manager (or Apps > Permissions depending on version). Each permission category shows which apps have access. Android 12+ shows a privacy dashboard with a timeline of permission usage.
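On an Android device with USB debugging enabled, the same review can be scripted. The following is an added example, not part of the original guide: it parses text modeled on `adb shell dumpsys package` output and reports sensitive permissions granted beyond what you expect each app to need. The package names, the sample dump (constructed; the exact layout varies by Android version) and the `EXPECTED` baseline are assumptions.

```python
import re

# Android runtime permissions grouped by the categories this guide discusses.
CATEGORIES = {
    "ACCESS_FINE_LOCATION": "precise location",
    "ACCESS_COARSE_LOCATION": "approximate location",
    "ACCESS_BACKGROUND_LOCATION": "background location",
    "CAMERA": "camera", "RECORD_AUDIO": "microphone",
    "READ_CONTACTS": "contacts", "READ_CALL_LOG": "call log",
    "READ_EXTERNAL_STORAGE": "storage/photos", "READ_MEDIA_IMAGES": "storage/photos",
    "READ_SMS": "SMS", "RECEIVE_SMS": "SMS", "SEND_SMS": "SMS",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)")

def granted_categories(dump_text):
    """Map each package to the set of sensitive categories it currently holds."""
    result, pkg = {}, None
    for line in dump_text.splitlines():
        if m := PKG_RE.match(line):
            pkg = m.group(1)
            result[pkg] = set()
        elif pkg and (m := PERM_RE.match(line)):
            name, granted = m.groups()
            if granted == "true" and name in CATEGORIES:
                result[pkg].add(CATEGORIES[name])
    return result

def excess(dump_text, expected):
    """Return, per package, granted categories that are not in its baseline."""
    out = {}
    for pkg, cats in granted_categories(dump_text).items():
        extra = cats - expected.get(pkg, set())  # unknown apps get an empty baseline
        if extra:
            out[pkg] = sorted(extra)
    return out

# Constructed sample, modeled on `adb shell dumpsys package` output.
SAMPLE = """\
Package [com.example.weather] (1a2b3c):
    runtime permissions:
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
Package [com.example.flashlight] (4d5e6f):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
"""
EXPECTED = {"com.example.weather": {"approximate location"}}  # hypothetical baseline

if __name__ == "__main__":
    print(excess(SAMPLE, EXPECTED))
```

Anything the script reports is a candidate for revocation in Permission Manager; a permission listed with `granted=false` has already been denied and is ignored.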
Practical Guidelines
Apply the newspaper test. If you would not want a news article written about an app accessing that data about you, revoke the permission.
Review after installation. Before using a new app, review its requested permissions and deny any that are not essential to core functionality. Most apps function fine with reduced permissions.
Audit quarterly. Set a reminder to review permissions every three months. Apps you installed six months ago may have added new permission requests through updates.
Delete unused apps. An uninstalled app cannot collect data. Every app on your phone is an active or potential data collection point.
For protecting your mobile device comprehensively, see our mobile device security checklist. To understand how collected data feeds the tracking ecosystem, explore our cookies and tracking guide.
Automating Permission Management
Both iOS and Android now provide automated permission management features. iOS 15+ automatically revokes permissions for apps you have not used recently. Android 11+ does the same, removing permissions from unused apps. These features are helpful but not sufficient; they do not address apps you use regularly that have excessive permissions.
Third-party privacy audit tools like Exodus Privacy (for Android, available at exodus-privacy.eu.org) analyze installed apps and report on embedded trackers and permissions, providing a more detailed view than the operating system’s built-in settings. For iOS, the App Privacy Report (Settings > Privacy & Security > App Privacy Report) shows which apps have accessed sensors and data, and which domains they have contacted, providing concrete evidence of app behavior.
Use these tools and reports to make informed decisions about which apps to keep, which to restrict, and which to replace with more privacy-respecting alternatives.