How to Audit App Permissions on Your Phone
People say they care about phone privacy, then hand every app blanket access to their camera, microphone, contacts, and location. Here's how to actually check what your apps can see and shut down the ones that are overreaching.

People say they value privacy on their phones. They also grant camera access to a QR code scanner, microphone access to a wallpaper app, and full contact list access to a game about stacking blocks. Both things are true at the same time, and the contradiction explains a lot about why app permissions are such a mess.
The average Indian smartphone has somewhere between 40 and 80 apps installed. A study from late 2025 — conducted by a mobile security firm that analysed permission data from about 100,000 Indian Android devices — found that the average device had granted over 200 individual permissions across all installed apps. Two hundred open doors into different parts of your digital life, most of them opened without a second thought because an app asked and you tapped "Allow" to make the popup go away.
Permissions are the access control system for your phone's most sensitive hardware and data: camera, microphone, contacts, location, call logs, SMS messages, photos, files. Each one you grant gives an app the ability to access that resource, usually whenever it wants, sometimes even when you're not using the app. A permission audit is the process of reviewing what you've granted, asking whether each permission makes sense, and revoking the ones that don't. It takes about 15 minutes. It's one of the most impactful things you can do for your privacy. Almost nobody does it.
Android: Where to Start
Android has gotten significantly better at permission management over the last few versions, and most of the tools you need are built right into the operating system. The problem isn't that the tools don't exist — it's that they're buried in settings menus that most people never visit.
If you're running Android 12 or newer (which, as of early 2026, covers most phones sold in the last three years), start with the Privacy Dashboard. Open Settings, go to Privacy (or Privacy & Security, depending on your phone's skin), and look for Privacy Dashboard. It shows you a timeline of which apps accessed your camera, microphone, and location in the last 24 hours. The first time you look at this, you'll probably be surprised. Apps access these sensors more often than you'd expect, and some of them do it in the background when you're not actively using them. I checked mine a few months ago and found that a weather app was accessing my location 47 times in a single day. A weather app. It needed my location once — to show me the forecast for my city. Forty-seven times is not weather forecasting; that's surveillance.
After the dashboard, go to Permission Manager. It's usually under Settings, then Privacy, then Permission Manager. This screen groups all permissions by type — Camera, Contacts, Location, Microphone, Phone, SMS, Storage, and several others. Tap into each category and you'll see a list of every app that has access, divided into "Allowed all the time," "Allowed only while in use," "Ask every time," and "Not allowed."
Go through each category. For each app, ask yourself: does this app need this permission to do what I use it for? A maps app needs location. A camera app needs camera access. A messaging app might legitimately need microphone access for voice messages. But a food delivery app doesn't need your contacts. A news reader doesn't need your microphone. A fitness app doesn't need access to your SMS messages. If a permission doesn't match the app's function, revoke it. Tap the app, change the setting to "Don't allow," and move on.
For location specifically, the "Allowed all the time" setting should be reserved for very few apps — perhaps your maps app or a ride-hailing app, if you want it to track your location for safety during rides. Everything else should be set to "Allow only while using the app" at most. Many apps that request location don't actually need it to function; they want it for ad targeting. A shopping app can show you products without knowing your GPS coordinates. Deny it and see if the app still works. In most cases, it will.
Storage and file access is another category worth examining carefully. On older Android versions, granting storage permission gave an app access to everything on your phone's storage — photos, downloads, documents, other apps' files. Android 11 and later introduced "scoped storage" that limits apps to their own files by default, but many apps still request broad storage access through the MANAGE_EXTERNAL_STORAGE permission. If a note-taking app or a music player is asking for access to all files on your device, that's excessive. It should only need access to its own data folder. Check what's there and deny anything that seems out of proportion to the app's function.
Android also has an auto-revoke feature that's been around since Android 11. If you haven't used an app in a few months, Android automatically revokes its permissions. You can check whether this is enabled for each app by going to App Info (long-press the app icon, tap the info button), then Permissions, and looking for the toggle that says something like "Remove permissions if app isn't used" or "Pause app activity if unused." Make sure it's on for everything. There's no downside — if you open the app again later, it'll just ask for permissions again.
One more thing on Android. Since Android 12, you'll see small green indicators in the status bar when an app is actively using your camera or microphone. If you see those indicators light up unexpectedly — when you're not on a call, not taking a photo, not using any app that should need those sensors — that's worth investigating. Swipe down on the indicator to see which app is responsible.
iOS: A Different Approach, Similar Process
Apple has structured permissions differently from Android, and in some ways it's easier to audit. Go to Settings, then Privacy & Security. You'll see a list of permission categories: Location Services, Tracking, Contacts, Photos, Microphone, Camera, and many more. Tap into each one to see which apps have access and what level of access they've been granted.
The Tracking toggle is probably the single most impactful privacy setting on any iOS device. It's under Settings, Privacy & Security, Tracking. There's a master toggle: "Allow Apps to Request to Track." Turn this off immediately if you haven't already. With it off, apps can't even ask you for permission to track you across other apps and websites. Apple introduced this with iOS 14.5 in 2021, and it caused a well-documented panic in the advertising industry — Meta reportedly lost over $10 billion in ad revenue in the first year after it launched. That reaction tells you how much data cross-app tracking was generating. Turn it off.
For Photos, iOS gives you a nice middle ground that Android doesn't: "Limited Access." Instead of giving an app full access to your entire photo library (every photo you've ever taken), you can select specific photos to share. The app only sees those photos. Everything else remains invisible to it. Use this for apps that need photo access but don't need to see everything — shopping apps where you upload product photos, for example, or social media apps where you selectively post images.
Location Services on iOS follows the same principle as Android: "While Using the App" is the right setting for most apps. "Always" should be reserved for navigation and maybe one or two other apps that genuinely need background location. The "Precise Location" toggle is another useful control — you can give an app your approximate location (within several kilometres) instead of your exact GPS coordinates. Weather apps, news apps, and most services that claim to need your location for "local content" work fine with approximate location. They don't need to know your exact building.
The Red Flags
There are certain permission patterns that should make you suspicious. They don't necessarily mean an app is malicious, but they indicate that an app is collecting more data than its function requires, which is either sloppy development or deliberate over-collection. Probably the latter.
SMS permission on any app that isn't an SMS client is a red flag. In India, this is particularly common in loan apps, some fintech apps, and various utility apps. SMS access lets an app read all your text messages, including OTPs from your bank, personal conversations, and transactional alerts. Some apps claim they need it to "auto-read OTPs" for convenience. That's a legitimate use case, but Android 13 introduced a narrower permission for just that — apps can request access to read only the OTP from a specific SMS, without gaining access to your entire message history. If an app still wants full SMS permission, it's worth questioning why.
Contact list access on apps that have no messaging or calling function is another flag. A game doesn't need your contacts. A file manager doesn't need your contacts. What they want is to upload your contact list to their servers — names, phone numbers, email addresses — for marketing purposes or to sell to data brokers. Some apps use contact data to identify your social network and target ads at your friends and family. This practice was widespread enough that the Indian government considered specific regulations around it as part of the DPDPA rules.
Call log access is similar. Very few apps need to know who you called, when, and for how long. If a non-communication app requests this, there's almost certainly an ulterior motive.
Camera or microphone access on apps with no photo, video, or audio function should raise questions. A calculator app requesting camera access. A flashlight app requesting microphone access. These are real examples from the Play Store, and while some might be explained by poorly scoped permission requests from lazy developers, others are deliberate attempts to collect data through your phone's sensors.
Apps that flat-out refuse to work unless you grant all requested permissions are the worst offenders by far. If a photo editing app won't open unless you give it location access, that tells you something about the developer's priorities. A well-designed app degrades gracefully when permissions are denied — it functions normally and simply disables the feature that requires the missing permission. An app that holds its functionality hostage until you hand over every permission it asks for is treating your data as the price of admission.
The Apps You Forgot About
The apps you use daily aren't the biggest permission risk. You're aware of them. You have some sense of what they do. The risk comes from the apps you installed six months ago and forgot about. The QR scanner you downloaded for one event. The random game your nephew installed when he borrowed your phone during a family gathering. The app for that restaurant loyalty programme you never went back to. The video editing app you tried once and never opened again.
These zombie apps still have their permissions. They can still access whatever you gave them access to. Some of them are still running background processes, still phoning home with telemetry, still syncing data you didn't know they were collecting. If you haven't used an app in a month and don't plan to, uninstall it. Not "disable" — uninstall. Removing the app removes its permissions, its background processes, and its ability to collect data. It also frees up storage, which is a practical bonus on the 64 GB and 128 GB phones that dominate the Indian market.
Go through your app drawer right now. Scroll slowly. You'll find apps you don't recognise, apps you've completely forgotten about, apps you used once two years ago. Each one is a small liability. Delete the ones you don't need. It takes five minutes and your phone will be measurably more private afterward.
Pre-Installed Apps: The Permissions You Never Granted
There's a category of apps that deserves special mention because they circumvent the permission model entirely: pre-installed apps, also called bloatware. When you buy a Samsung phone, it comes with Samsung's apps. A Xiaomi phone comes with Mi apps. A Realme phone comes with Realme's apps plus whatever promotional apps they've bundled in partnership deals. These apps are installed before you ever touch the device, and many of them come with permissions already granted — permissions you never saw a popup for and never approved.
On Xiaomi devices, which are among the most popular budget phones in India, the pre-installed apps have been documented sending telemetry data to servers in China, including device usage patterns, app installation data, and browsing history from the built-in Mi Browser. This isn't speculation — it was documented by a security researcher in a widely cited paper, and Xiaomi acknowledged some of the findings while disputing others. Samsung's pre-installed apps are less aggressive but still collect telemetry that you might not want collected.
You can't always uninstall pre-installed apps — the system won't let you because they're baked into the firmware. What you can do is disable them. Go to Settings, then Apps, find the pre-installed app, and hit "Disable." A disabled app can't run, can't access your data, and can't use permissions. It still takes up a small amount of storage space, but it's functionally dead. Do this for every pre-installed app you don't use. On a Xiaomi phone, that might include GetApps, Mi Browser, Mi Video, ShareMe, and several others. On Samsung, it could include Bixby, Samsung Internet, Samsung Global Goals, and any carrier-bundled apps.
If you're more technically inclined, you can remove pre-installed apps entirely using ADB (Android Debug Bridge) from a computer. The command adb shell pm uninstall -k --user 0 [package.name] removes the app for your user account without rooting the phone. There are lists online of safe-to-remove packages for every major phone brand. It's a bit involved, but it gives you a cleaner phone with fewer background processes consuming battery and data.
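The same ADB connection can also show what each package has actually been granted, which is useful for pre-installed apps whose permissions you never approved. The following is an added example, not code from the original article: it parses the output of adb shell dumpsys package [package.name] and applies the red-flag rules described earlier. The sample text is constructed, and the category labels and expected-permission table are assumptions made for illustration.

```python
import re

# Runtime permissions behind the article's red flags, grouped by the resource they expose.
SENSITIVE = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "background_location": {"android.permission.ACCESS_BACKGROUND_LOCATION"},
}

# Assumption: hypothetical app categories and the groups each one plausibly needs.
EXPECTED = {
    "sms_client": {"sms", "contacts"},
    "messaging": {"contacts", "microphone", "camera"},
    "camera": {"camera", "microphone"},
    "maps": {"background_location"},
    "game": set(),
}

# Matches lines such as "android.permission.CAMERA: granted=true, flags=[ ... ]".
PERM_LINE = re.compile(r"^\s*([\w.]+):\s*granted=(true|false)\b")

def granted_permissions(dumpsys_text):
    """Return permissions marked granted=true in `dumpsys package` output."""
    matches = (PERM_LINE.match(line) for line in dumpsys_text.splitlines())
    return {m.group(1) for m in matches if m and m.group(2) == "true"}

def red_flags(category, granted):
    """Return sensitive groups granted to the app but not expected for its category."""
    allowed = EXPECTED.get(category, set())  # unknown category: expect nothing
    return sorted(group for group, perms in SENSITIVE.items()
                  if group not in allowed and perms & granted)

# Constructed sample, shaped like: adb shell dumpsys package com.example.blockstack
SAMPLE = """\
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET|USER_FIXED ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    print(red_flags("game", granted_permissions(SAMPLE)))
```

A flagged group is a prompt to open Permission Manager and decide, not proof that the app is malicious.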
Fifteen Minutes, Once a Month
Here's the commitment: set a recurring reminder on your phone. Once a month. Maybe the first Sunday. "Audit app permissions." It takes about fifteen minutes, sometimes less once you've done it a few times. Open the Privacy Dashboard, check what accessed your sensors recently, open the Permission Manager, review each category, revoke anything that looks wrong, and uninstall apps you no longer use. That's it. No software to install, no subscriptions to pay for, no technical knowledge beyond the ability to find your way around your phone's settings.
The difference between a phone that's been audited and one that hasn't is roughly the difference between a house where someone's checked which windows are open and one where nobody has looked since they moved in. The windows are still there either way. But in one case, the cold air has been coming in for years and you've just been living with it, paying the heating bill, never connecting the two. Closing the windows doesn't cost anything. You just have to notice they're open.
Written by
Amit Patel, Tech Security Writer
Amit Patel is a technology journalist and security researcher who covers mobile security, app privacy, and emerging threats targeting Indian users. He previously worked with leading Indian tech publications before joining PrivacyTechIndia.

