// OPERATOR LOG · ENTRY 701 · MISSION 07 · BRIEFING 01 OF 06 · EST 7 MIN

Mobile app permissions and side-loaded apps

Your phone is a sensor platform — and you decide who sees what

A modern phone carries microphones, cameras, GPS, accelerometers, contacts, photos, health data, payment credentials, and your full message history. Every app you install asks for some subset of these. Most apps ask for more than they need.

The defensive habit is small: every six months, audit your app permissions, revoke anything you can't justify, and uninstall apps you no longer use.

The permission categories that matter most

  • Microphone. Apps that don't need it should never have it. A calculator with mic access is suspicious.
  • Camera. Same logic. A flashlight app does not need your camera.
  • Location (precise vs approximate). Many apps work fine with approximate location or no location at all. Map apps need precise; weather apps need only the city.
  • Contacts. Sharing your contacts uploads everyone you know to that company's servers. Once you grant it, you can't take back what was uploaded.
  • Photos / media library. Some apps only need the picker (you choose what they see), not full library access. Modern iOS and Android let you grant access on a per-photo basis.
  • SMS / call logs. A genuine messaging app needs these. Most other kinds of app don't.
  • Accessibility services (Android). The most dangerous category. An accessibility-service app can read everything on your screen and tap anywhere — exactly what a remote-control attacker would want. Grant only to known accessibility tools.
  • Notifications access. Lets an app read every notification, including OTP codes from your bank.

Where to audit

  • iOS: Settings → Privacy & Security → individual category (Microphone, Camera, Location, Contacts...). Walk down each list and revoke anything you don't actively use.
  • Android: Settings → Privacy → Permission manager → individual category. Same drill.

Review takes about 10 minutes. Doing it once a quarter is enough.

Side-loaded apps (Android)

Installing an APK from outside the Play Store bypasses the Play Protect scanning that most legitimate apps go through. Side-loaded apps are not inherently malicious — many open-source tools are distributed that way — but they are the dominant delivery channel for Android malware.

Never side-load apps from:

  • WhatsApp / Telegram forwards from strangers.
  • Mobile websites that pop up an APK download from search ad clicks.
  • Promised 'official versions' of apps that already exist on the Play Store.

If you do need to side-load (a legitimate open-source app, a banking app from a non-Play-Store country), verify the source signature against the developer's official site, and turn off 'install unknown apps' immediately after.
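
One way to do that signature check from a computer, as an added example that is not part of the original briefing. It assumes the Android SDK's `apksigner` tool and that the developer publishes the SHA-256 fingerprint of their signing certificate; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example. Compares the signing-certificate fingerprint that apksigner
# prints for an APK with the fingerprint the developer publishes.

# Constructed sample of `apksigner verify --print-certs app.apk` output.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Developer (constructed)
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef'
# Constructed "published" value in the colon-separated upper-case form sites often use.
SAMPLE_PUBLISHED='01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'

# Strip colons and whitespace and lower-case, so both notations compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ' :\n\r' | tr 'A-F' 'a-f'
}

# Print the SHA-256 digest of every signer found in apksigner output on stdin.
signer_fps() {
    sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *//p'
}

# check_apk_signer PUBLISHED_FP   (apksigner output on stdin)
# 0 = match, 1 = mismatch, 2 = published value is not a SHA-256 fingerprint,
# 3 = zero or several signers reported (fail closed: inspect by hand).
check_apk_signer() {
    cas_want=$(normalize_fp "$1")
    case "$cas_want" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    # A SHA-256 fingerprint is 64 hex characters; a SHA-1 or truncated value is rejected.
    [ "${#cas_want}" -eq 64 ] || return 2
    cas_got=$(signer_fps)
    cas_count=$(printf '%s\n' "$cas_got" | grep -c . || true)
    [ "$cas_count" -eq 1 ] || return 3
    [ "$(normalize_fp "$cas_got")" = "$cas_want" ] || return 1
    return 0
}

# Real use (stops early if apksigner itself reports that the APK does not verify):
#   out=$(apksigner verify --print-certs app.apk) \
#     && printf '%s\n' "$out" | check_apk_signer "$PUBLISHED_FP" \
#     && echo "signer matches published fingerprint"
```

Any non-zero result means the APK could not be tied to the key the developer advertises, so it should not be installed.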

iOS sideloading (newer)

In the EU, third-party app stores are now permitted on iOS. The same principle applies: known publisher, official source, otherwise treat as untrusted.