When was the last time you checked what permissions your apps actually request? As a mobile pentester, I've learned that permissions are the first red flag that hints at what an app might be doing behind the scenes.

In this blog, I'll take you through five real Android apps — a heart monitor, an expense manager, a footsteps counter, a mobile game, and a video player — and show you how a few "normal-looking" permissions can open massive security and privacy holes.

Let's look at each app.

Case 1: Heart Monitor App


Suspicious Permissions Found:

android.permission.SET_DEBUG_APP

android.permission.BLUETOOTH_ADMIN

android.permission.WAKE_LOCK

🔍 Pentest Note: In a health-tracking app, SET_DEBUG_APP is a red flag — it suggests that debugging is enabled in production, which could lead to reverse engineering or data theft of sensitive biometric data.

Case 2: Expense Manager App


Suspicious Permissions:

android.permission.DUMP

android.permission.GET_ACCOUNTS

android.permission.USE_CREDENTIALS

🔍 Pentest Note: For a finance-related app, these permissions open the door to credential theft or session hijacking. Unless the app really needs deep Google integration, these should be flagged as high-risk.

Case 3: Footsteps Counter App


Suspicious Permission:

com.android.email.permission.READ_ATTACHMENT

🔍 Pentest Note: A fitness app asking for email attachment access is a huge privacy red flag. This could be a malicious SDK or hidden spyware harvesting files or credentials from your inbox.

Case 4: Game App


Suspicious Permission:

android.permission.MANAGE_ACCOUNTS

🔍 Pentest Note: For a casual game, this is overkill. It should never need account management access unless it's a platform-level system app. This may signal aggressive user tracking or authentication manipulation.

Case 5: Video Player App


Suspicious Permissions:

android.permission.READ_LOGS

android.permission.WRITE_SETTINGS

android.permission.SYSTEM_ALERT_WINDOW

android.permission.SEND_SMS

android.permission.CALL_PHONE

🔍 Pentest Note: For a video player, these permissions are deeply suspicious — especially SEND_SMS and CALL_PHONE. This combination is a classic hallmark of malware masquerading as a media app.

Let's automate the process of looking for permissions with MobSF and BeVigil, as shown below.

MobSF:


BeVigil:


Before reporting any suspicious permissions in a mobile security assessment, it's important to understand the purpose of the app and its intended use case for end users, because sometimes the client genuinely needs those permissions for their business requirements.

Below are some suspicious or bad permissions that you can check for in your mobile assessments.

High-Risk / Dangerous Permissions

android.permission.READ_LOGS
android.permission.SYSTEM_ALERT_WINDOW
android.permission.BIND_ACCESSIBILITY_SERVICE
android.permission.CALL_PHONE
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.READ_SMS
android.permission.READ_CONTACTS
android.permission.WRITE_CONTACTS
android.permission.READ_CALL_LOG
android.permission.WRITE_CALL_LOG
android.permission.PROCESS_OUTGOING_CALLS
android.permission.RECORD_AUDIO
android.permission.CAMERA
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.PACKAGE_USAGE_STATS
android.permission.MANAGE_EXTERNAL_STORAGE
android.permission.WRITE_SETTINGS
android.permission.REQUEST_INSTALL_PACKAGES
android.permission.REBOOT
android.permission.FORCE_STOP_PACKAGES
android.permission.CHANGE_WIFI_STATE
android.permission.BLUETOOTH_ADMIN
android.permission.ACCESS_NOTIFICATION_POLICY
android.permission.READ_PHONE_STATE
android.permission.MODIFY_PHONE_STATE

Over-Privileged Permissions

android.permission.RECEIVE_BOOT_COMPLETED
android.permission.WAKE_LOCK
android.permission.GET_ACCOUNTS
android.permission.USE_CREDENTIALS
android.permission.NFC
android.permission.INSTALL_PACKAGES
android.permission.SET_WALLPAPER
android.permission.CHANGE_NETWORK_STATE
android.permission.BROADCAST_STICKY
android.permission.KILL_BACKGROUND_PROCESSES
android.permission.REORDER_TASKS
android.permission.GET_TASKS
android.permission.EXPAND_STATUS_BAR
android.permission.DISABLE_KEYGUARD

Abused Hardware Features

android.hardware.telephony
android.hardware.camera
android.hardware.camera.front
android.hardware.microphone
android.hardware.bluetooth
android.hardware.bluetooth_le
android.hardware.location
android.hardware.location.gps
android.hardware.location.network
android.hardware.nfc
android.hardware.wifi
android.hardware.usb.host
android.hardware.usb.accessory
android.hardware.sensor.accelerometer
android.hardware.sensor.gyroscope
android.hardware.touchscreen
android.hardware.fingerprint
android.hardware.biometrics.face
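To turn the lists above into a repeatable check, here is an added example (my own, not MobSF's or BeVigil's code) that audits a decoded AndroidManifest.xml against a subset of these permissions and hardware features. It assumes you already have the decoded manifest text (for instance from apktool or the MobSF report); the manifest below is constructed to mirror the video player case and is not from a real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of the page's lists; extend with the remaining entries as needed.
HIGH_RISK = {
    "android.permission.READ_LOGS", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.CALL_PHONE", "android.permission.SEND_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SETTINGS",
    "android.permission.BLUETOOTH_ADMIN", "android.permission.RECORD_AUDIO",
}
OVER_PRIVILEGED = {
    "android.permission.WAKE_LOCK", "android.permission.GET_ACCOUNTS",
    "android.permission.USE_CREDENTIALS", "android.permission.RECEIVE_BOOT_COMPLETED",
}
ABUSED_FEATURES = {"android.hardware.telephony", "android.hardware.microphone"}


def audit_manifest(manifest_xml: str) -> dict:
    """Group the uses-permission / uses-feature entries of a decoded manifest by risk."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    feats = {e.get(ANDROID_NS + "name") for e in root.iter("uses-feature")}
    findings = {
        "high_risk": sorted(perms & HIGH_RISK),
        "over_privileged": sorted(perms & OVER_PRIVILEGED),
        "abused_features": sorted(feats & ABUSED_FEATURES),
        "unlisted": sorted(perms - HIGH_RISK - OVER_PRIVILEGED),
    }
    # The SEND_SMS + CALL_PHONE pairing from the video player case is worth calling out on its own.
    findings["sms_call_combo"] = {"android.permission.SEND_SMS",
                                  "android.permission.CALL_PHONE"} <= perms
    return findings


# Constructed manifest modelled on the video player case above (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-feature android:name="android.hardware.telephony"/>
  <application android:label="Player"/>
</manifest>"""

if __name__ == "__main__":
    for category, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(category, value)
```

Anything in "unlisted" still deserves a look against the app's stated purpose, as the note above on business requirements explains.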

Do check this site for all the Android permissions with their descriptions.
