ED: for more about app permissions, read our article on Facebook Messenger.
A startup called Snoopwall has created a firestorm of controversy over a number of popular Android flashlight apps. Their claims are pretty strong:
All of the applications below appear to obtain access and information way beyond the needs of a Flashlight. Some appear specifically designed to collect and expose your personal information to cybercriminals or other nation states. – http://www.snoopwall.com/threat-reports-10-01-2014/
They list the top 10 flashlight apps from October (view the current list on Google Play) and cite all as malware based on their permissions. Snoopwall does have a point–some of these apps do have extensive permissions. And there was a real FTC case where one flashlight app maker settled out of court. The charges were that they harvested extensive data and shared it with advertising partners, without proper documentation to users. So as with any other app you install, make sure you note what permissions are needed, and only install apps from developers you trust. Free apps can generate a fortune in ad revenue, especially if detailed user data is available–and this is definitely a real privacy concern.
But Snoopwall isn’t telling the whole truth about a few things–they’ve got facts mixed up, exaggerate and claim unproven hypotheses. As of writing, Snoopwall hasn’t backed up many of their claims–like flashlight apps transmitting data to foreign governments or installing Trojans. Here are the biggest issues:
Super-Bright LED Flashlight is mis-represented. Currently the #1 flashlight app on Google Play, this program is on Snoopwall’s list, but they apparently list the permissions from a different app instead, ‘Super-Bright LED Flashlight HD‘. While the real app by Surpax Technology, Inc. only uses a few permissions (like camera/flash and internet access–very reasonable), the HD – tagged version by Mobile Apps, Inc.–not a top 10 contender–has a much more extensive permissions list, which better matches Snoopwall’s table. To view permissions for any of these apps yourself, scroll down to “Additional Information” on the app’s Google Play page, and click “View Details” under the “Permissions” heading. In fact, I use the Surpax Technology app myself, and have no reason to believe it spies on me in any way.
[Flashlight apps are] specifically designed to expose information to cybercriminals or nation states. If Snoopwall has information about data actually being shared with cybercriminals or foreign governments, they’re not sharing it with us. At best, I’d guess they have tracked data to IP addresses hosted in the countries mentioned, but that doesn’t mean data is being shared with criminals or espionage groups. Saying so is just speculation and fear-mongering.
Snoopwall’s “Privacy App” flags flashlight apps just for being flashlight apps. My low-risk, few permissions flashlight app gets flagged in Snoopwall’s privacy app just because it’s a flashlight program, even though it uses essentially the same permissions as Snoopwall’s own flashlight app (which incidentally, is classified “low risk”). This is circular reasoning–flashlight apps are risky because they’re flashlight apps. Their logic is great for building public interest, but not for building a real case.
In conclusion, I’m hesitant to believe any claims Snoopwall makes because of the carelessness they take with data. However, if you’d like to review permissions assigned to each app on your phone, Snoopwall’s “Privacy App” is a fairly good program. And their ad-free flashlight app is every bit as bright as the “Super-Bright LED Flashlight”. But I think I’ll personally stick with “Super-Bright” for now.