The Permissions Your Apps Are Quietly Hoarding
You download a flashlight app. It wants access to your contacts. You stare at the prompt for a second, feel the mild absurdity of it, and tap Allow anyway because you need the flashlight and the alternative is finding a lamp.
That shrug is the entire business model.
Not maliciously, necessarily. But the system is absolutely built around it.
The gap between what an app does and what it can see
Your phone holds a small universe of sensitive data: location history, microphone input, every contact you've ever saved, your camera roll, health metrics. The permission system is supposed to be the bouncer. An app asks, you decide, the OS enforces it.
The bouncer only checks ID at the door. It doesn't ask why you're there.
When a developer submits an app, they declare which permissions it will request. The app store review checks whether those permissions are technically plausible for an app of that category, not whether they're strictly necessary. A photo-editing app asking for camera access gets approved without a second look. That same app asking for your precise location also gets approved, because a developer can always argue they want to geotag images. A recipe app asking for microphone access: potentially approved, because voice search is a feature someone could build.
The declared reason doesn't have to be the actual use. That's the gap.
How the business model got baked into the code
Here's the part most guides skip entirely.
A significant slice of free apps don't make money from you directly. They make money from data brokers, ad networks, and analytics platforms that pay for behavioral profiles. Your location pinging every few minutes, cross-referenced with your contact list, cross-referenced with your browsing habits, builds a profile worth real money to advertisers. A single data point is nearly worthless. A few hundred million of them, stitched together, are a product.
The permission request isn't incidental to this model. It is the model.
Consider two developers building a free weather app. Developer A asks only for location, because that's all a weather app needs. Developer B integrates three third-party advertising SDKs (software development kits) that each quietly request contacts, device identifiers, and microphone access as part of their standard package. Developer B gets a bigger revenue share from their ad partners. Developer A gets nothing extra.
Guess which integration most indie developers choose when they're trying to keep the lights on.
Those SDKs are the real story. The app itself might be perfectly innocent code, but the SDKs bundled inside it, often from large ad-tech companies, carry their own permission appetites. The developer may not even scrutinize every line of what they've included. The SDK arrives like a tenant who quietly sublets to three other people you never agreed to house.
Why the app stores don't fix this
Apple and Google have both tightened their review processes, and it would be unfair to say they've done nothing. Apple introduced approximate location sharing, letting users give an app a rough area rather than a precise coordinate. Google added one-time permissions. Both platforms now surface which permissions an app has accessed recently in settings rather than burying it.
Still, the core problem persists.
App stores review hundreds of thousands of submissions. Automated scanning catches obvious violations, like an app silently activating the microphone with no UI trigger. But nuanced abuse, an app that technically uses location data to serve ads but frames it as a feature, requires human judgment at a scale stores simply don't have. The review process was never designed to audit business models. It was designed to catch malware and broken code.
The catch: even when stores do act, enforcement is reactive. A bad actor gets caught, gets removed, resubmits under a different developer account. The incentives for the stores themselves are also complicated. A thriving app ecosystem, even a slightly predatory one, is good for platform revenue.
That's not a conspiracy. It's just a conflict of interest nobody has fully resolved, and pretending otherwise gives the stores too much credit for helplessness.
What people get wrong about permissions
The folk remedy that needs to die is the idea that you can spot a dangerous app by looking at its reviews. A five-star flashlight app with 200,000 reviews can still be harvesting your location for an ad broker. Users don't review apps for their data hygiene. They review them for whether the flashlight worked.
People also assume runtime permissions solved the problem. They helped. They didn't solve it. An app can ask for a permission at the exact moment you'd feel churlish denying it: a food delivery app asking for location right as you're placing an order. The timing of the request is a design choice, and it is often calculated.
And here's the wrinkle most people miss: permissions you grant once tend to stay granted. That game you downloaded eighteen months ago, played for a week, and forgot about? If you gave it microphone access back then and never revoked it, it still has it. On Android, you can audit this in Settings, Privacy, Permission Manager. On iOS, the equivalent lives in Settings, Privacy and Security.
Go look. Seriously. Found something unexpected? You almost certainly will.
The small habits that actually move the needle
You're not going to audit every SDK in every app you use. Nobody is. But a few concrete habits reduce your exposure significantly.
First, take each permission request at face value and ask one question: does this feature actually require this access? A barcode scanner asking for camera access, yes, obviously. A barcode scanner asking for contacts, no, full stop. Deny it. If the app breaks, that tells you something important about why it wanted the permission in the first place.
Second, use the "only while using the app" option whenever it appears for location. This single choice cuts off the background pinging that feeds most location-data brokers. A two-year-old navigation app set to "always" is quietly building a map of everywhere you've been. Changed to "while using", it just helps you get somewhere.
Third, do a permission audit twice a year. Ten minutes. Revoke anything without an obvious reason to exist.
The stores won't fix this comprehensively, because fixing it comprehensively would mean auditing the business models of the companies that pay to be on the platform. That's not cynicism. It's just the economics, stated plainly.
The permission pop-up was always meant to give you control. The surprising part is that it still can.