App Permissions Audit: What You Should Revoke
Take back control of what apps can access on your phone
What is it?
An app permissions audit is the process of reviewing and revoking unnecessary permissions that apps have on your phone. Every Android app can request access to sensitive features like your camera, microphone, location, contacts, and files. Many apps request far more permissions than they actually need — either due to lazy development or intentional data collection. Auditing permissions means checking each app's access, revoking what is unnecessary, and applying the 'least privilege principle' so apps only have the minimum access needed to function.
Real-world relevance
Sofia downloaded a popular photo editing app that requested camera, microphone, contacts, location, phone, and storage permissions. She granted everything without reading. Months later, she noticed unusual targeted ads matching conversations she had at home. Using DeviceGPT, she discovered the photo app had microphone access and had been running background processes. She revoked all permissions except camera and storage — the only ones the app actually needed. The app continued working perfectly. She then audited her entire phone and found 12 apps with microphone access, 18 with location access, and 8 with contacts access that did not need any of it.
Key points
- The Dangerous Permissions — Android groups permissions by danger level. 'Normal' permissions (like internet access) are granted automatically. But 'dangerous' permissions require your approval because they access personal data. The most sensitive are: Camera, Microphone, Location, Contacts, Phone, SMS, Storage, and Body Sensors. A 2024 study found the average Android user has granted 75+ dangerous permissions across all their apps.
- Which Apps Have What Access — You can see every permission granted to every app on your phone right now. Most people are shocked when they check. That game you downloaded 2 years ago? It might still have camera and microphone access. The weather app? It might be tracking your location 24/7. A 2023 study found that 45% of flashlight apps requested location data they absolutely did not need.
- The Least Privilege Principle — In security, the 'least privilege principle' means giving only the minimum access needed to function. A calculator needs zero special permissions. A camera app needs camera access but not your contacts. A maps app needs location but not your microphone. If an app stops working after revoking a permission, you can always grant it back — but most apps work fine without permissions they should not have had.
- Location Permission: The Big Three Options — Android gives you fine-grained control over location access. 'While using the app' is the safest for most apps — Maps gets your location only when it is open. 'All the time' should be reserved for very few apps (like Find My Device). 'Precise vs Approximate' is another key choice — a weather app only needs your city, not your exact street address.
- Background Activity: The Silent Data Thief — Some apps run in the background and continue accessing permissions even when you are not using them. A 2024 report found that the average Android phone has 30-40 apps running background processes at any given time. Background location tracking is the most concerning — some apps collect your location hundreds of times per day without you ever opening them.
- Clipboard Access: The Hidden Risk — When you copy a password or credit card number, it sits on your clipboard. Android 12+ shows a notification when an app reads your clipboard, but older versions do not. Some apps were caught reading clipboard contents every few seconds — including passwords, addresses, and private messages you copied. TikTok was famously caught doing this in 2020.
- Nearby Devices & Bluetooth Permissions — Android 12+ introduced the 'Nearby Devices' permission. Apps that request Bluetooth access can scan for and connect to nearby devices — which can reveal your location, the devices you own, and even your daily patterns. A Bluetooth beacon at a store entrance can track how often you visit. Only grant Nearby Devices permission to apps that genuinely need to connect to other devices.
- Permission Groups Explained — Android organizes permissions into groups. Granting one permission in a group used to grant all permissions in that group. Modern Android versions are more granular, but it is still important to understand groups. For example, the Phone group includes making calls, reading call logs, and reading your phone number. Granting 'Phone' access may give more access than you expect.
- How to Do a Full Permission Audit — A permission audit means reviewing every app's permissions and revoking what is unnecessary. Start with the most sensitive permissions (camera, microphone, location) and check which apps have access. Then go app by app for your most-used apps and review all their permissions. Do this once a month — it takes about 5 minutes after the first time.
Code example
╔══════════════════════════════════════╗
║ 🔐 APP PERMISSION AUDIT GUIDE 🔐 ║
╠══════════════════════════════════════╣
║ ║
║ PHASE 1: CRITICAL PERMISSIONS ║
║ Settings → Privacy → Permission Mgr ║
║ ║
║ □ Camera: _____ apps have access ║
║ Keep for: Camera, video call apps ║
║ Revoke from: Everything else ║
║ ║
║ □ Microphone: _____ apps ║
║ Keep for: Voice/video call apps ║
║ Revoke from: Everything else ║
║ ║
║ □ Location: _____ apps ║
║ 'All the time': Minimize this! ║
║ Switch most to: While Using ║
║ Switch to: Approximate (not exact)║
║ ║
║ PHASE 2: HIGH RISK PERMISSIONS ║
║ □ Contacts: _____ apps ║
║ Need: Phone, messaging apps ║
║ Revoke: Games, utilities, etc. ║
║ ║
║ □ Phone: _____ apps ║
║ Need: Phone/dialer apps only ║
║ ║
║ □ SMS: _____ apps ║
║ Need: Messaging, 2FA apps only ║
║ ║
║ □ Storage/Files: _____ apps ║
║ Need: File managers, editors ║
║ Revoke: Apps that don't save files║
║ ║
║ PHASE 3: CLEANUP ║
║ □ Enable auto-revoke for all apps ║
║ □ Delete apps you haven't used ║
║ in 3+ months ║
║ □ Run DeviceGPT permission scan ║
║ □ Set monthly reminder to re-audit ║
║ ║
║ TOTAL PERMISSIONS REVOKED: _____ ║
╚══════════════════════════════════════╝
Line-by-line walkthrough
- 1. The audit guide is split into three phases by priority. Phase 1 handles the most dangerous permissions — camera, microphone, and location — because these directly enable surveillance and tracking.
- 2. For each permission category, the guide asks you to count how many apps have access. This counting step is intentionally eye-opening — most people are shocked to find 15+ apps with location access when only 3-4 actually need it.
- 3. The 'Keep for / Revoke from' guidance applies the least privilege principle practically. Instead of memorizing rules, you just ask: does a flashlight need my contacts? Does a game need my microphone? If the answer is no, revoke.
- 4. Phase 2 covers permissions that are less immediately alarming but still sensitive. Contacts access lets apps upload your entire address book. Phone access lets apps see your call history. Storage access lets apps read all your files.
- 5. Phase 3's auto-revoke feature is the best set-and-forget security tool in Android. Once enabled, apps you forget about automatically lose their permissions — no monthly audit needed for abandoned apps.
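The counting and 'Keep for / Revoke from' steps of the checklist can also be scripted from a computer connected to the phone. The Python below is an added example, not part of the original guide: it parses text shaped like the output of `adb shell dumpsys package`, and the sample dump, package names and `KEEP` policy are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample shaped like `adb shell dumpsys package` output (trimmed).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.photoeditor] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
  Package [com.example.flashlight] (d4e5f6):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.maps] (0718aa):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
"""
# Checklist categories from the guide, keyed by Android permission name.
GROUPS = {"CAMERA": "Camera", "RECORD_AUDIO": "Microphone",
          "ACCESS_FINE_LOCATION": "Location", "ACCESS_COARSE_LOCATION": "Location",
          "ACCESS_BACKGROUND_LOCATION": "Location (all the time)",
          "READ_CONTACTS": "Contacts", "READ_CALL_LOG": "Phone", "READ_SMS": "SMS"}
# Hypothetical "keep for" policy; a grant outside it is flagged for revocation.
KEEP = {"com.example.photoeditor": {"Camera"}, "com.example.maps": {"Location"}}
PKG = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)")

def audit(dumpsys_text, keep=KEEP):
    holders, revoke, pkg = defaultdict(set), [], None
    for line in dumpsys_text.splitlines():
        if m := PKG.match(line):
            pkg = m.group(1)
        elif pkg and (m := PERM.match(line)) and m.group(2) == "true":
            group = GROUPS.get(m.group(1))
            if group is None:
                continue  # not a checklist category here (e.g. install-time INTERNET)
            holders[group].add(pkg)
            if group not in keep.get(pkg, set()):
                revoke.append((pkg, "android.permission." + m.group(1)))
    return {g: sorted(p) for g, p in holders.items()}, revoke

if __name__ == "__main__":
    counts, to_revoke = audit(SAMPLE_DUMPSYS)
    for group, pkgs in counts.items():
        print(f"{group}: {len(pkgs)} apps have access")
    for pkg, perm in to_revoke:
        print(f"adb shell pm revoke {pkg} {perm}")
```

On a real device, save the output of `adb shell dumpsys package` to a file and pass its contents to `audit()`; review each printed `pm revoke` line before running it.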
Spot the bug
I did a permissions audit and revoked
everything from all my apps.
Now my camera app can't take photos,
my maps app doesn't know my location,
and my phone app can't make calls.
I went too far. But I'm scared to
give permissions back because of
privacy. What should I do?
More resources
- Android App Permissions Explained (Google)
- How to Manage App Permissions (Wired)
- Android Permissions Deep Dive (YouTube)