The Starbucks app lets you buy a venti, no-whip Coconut Mocha without ever touching your wallet. It works as a virtual punchcard, keeping track of how close you are to a free drink (which you snag after every twelfth one). Plus, it gives you coupon codes.
In exchange, it requests some personal information from you, namely: who you are, where you are, and who you're calling and texting. Oh, and also it wants the ability to "modify or delete the contents of your USB storage," according to the permissions details on the app's page in the Google Play store. Wait. What?
Starbucks is far from the only app that requires this degree of access: Dunkin Donuts, Chipotle, Domino's, and Taco Bell all request similar data, just to name a few. But its widespread use only underscores just how much we rely on apps in our day-to-day lives. In Starbucks' earnings call last week, the company reported that mobile payments account for 20 percent of all in-store transactions in the US, according toFortune. And, given recent news that scammers have been logging into the app and using the 'auto-reload' function to and drain money from people's bank accounts, it's worth asking: How much information are you giving away, how easy is it to access, and how much do these food apps really need to know?
"We put a lot of inherent trust in our phones, because they're always by our sides, so we're quick to say 'okay' to permissions without really thinking them through," says Domingo Guerra, president and co-founder of Appthority, an app risk management company. Paying close attention to what you download is especially important for anyone who uses their phone for work—Appthority found that more than 80 percent of mobile apps have access to corporate data.
When asked about permissions, a Starbucks spokesperson wrote via email: "The Starbucks mobile app follows industry standard practices for app permissions that are established by Apple and Google." All apps have a privacy policy that provides details on what information is being collected, but the best thing you can do, Guerra says, is to determine what, if anything, an app would need to access before you click 'okay.' Even that can be tricky, though: The requests are worded differently on iPhones and Android-based phones, which makes interpreting the rules even more challenging.
Here's a primer on understanding what these apps want from you—and what the terms actually mean:
They Want To Access Your Contacts.
This feature is used for any app with a social element, reports Android Central. An app that offers a digital gift card might ask to access your contacts when you use the app to send it to someone. You know when you start typing an email and the full address pops up? It's 'reading' your contacts to suggest the email you're looking for.
It also means that an app could use your contacts to build its own email database—or email your friends (or boss) inviting them to download the app, too, Guerra says. "Before accepting the permission, ask yourself: If you were at a store checkout and the cashier asked for your parents', your brother's and your best friend's email addresses, would you give it to him?" he explains.
They Want To Send and View Your Texts.
This request, found on the Dunkin' Donuts app's permissions, is a necessary disclaimer whenever an app uses text messages. If you create a Dunkin' gift card using the app, you can send it to yourself or someone else via text message. The app then needs to be able to pull up your text messages, open a new draft, and insert the link—including a short message explaining what the link is.
This request is typically broken up into two categories: A request to send messages, and a request to view SMS archives. 'Viewing archives' means an app could see any text messages stored on your phone, Guerra explains, and if someone hacked into the app, he or she could use that access to read—and leak—your entire history of texts.
They Want To See Exactly Where You Are.
You'll probably find this request on most restaurant or store apps, since many have a "find a store nearest you" function. In order to suggest a shop, they need to know your location, and the easiest way to do so is using your phone's GPS or mobile network.
"When it comes to accessing your location, there are three types of permission you can give: Never have access, only while the app is in use, or always on, which means you're being tracked 24/7," Guerra says. "'Only when the app's in use' makes sense for most apps," he says—a feature that could actually be helpful if you're lost and jonesing for a latte.
They Want to Look At All The Data You're Storing.
Apps would like the ability to read, modify, or delete the contents of your USB storage, which essentially means the "app can access files or data stored on your device," including your photos and videos, according to Google. That sounds scary, though in many cases, it just means the app wants to store some of its own data on the phone's SD card so it can load faster, Guerra explains.
Still, if you have something private you wouldn't want anyone else to be able to see, it's worth moving the file elsewhere—or denying access to the app altogether, just to play it safe, he says.
They Want Access To Your Camera.
This request sparked an entire thread on Reddit, as users tried to figure out just why, exactly, Taco Bell would need to use your photo capabilities. The most likely case? It will use your camera if you choose the option to customize a digital gift card with your own image, redditors reasoned, which a Taco Bell spokesperson confirmed via email.
They Want You To Run The App All Day and Night.
This means exactly what you think it means. Even when you're not using the app, it's still active. "Apps are increasingly trying to run in the background, because they're collecting information about us," Guerra says. "It's not always maliciously; sometimes, it's just so an app can work better, or so that it can send you a coupon when you're passing by the store."
An app knowing what you're doing where not only feels majorly Big Brother-ish, it can also drain your battery faster. iPhone users can turn this permission off by pulling up System Services, selecting Privacy and Location Services, and adjusting the settings from there, Guerra says. Meanwhile, this tutorial from Android Pit shows Android users how to kill any apps running in the background on their phones.
Protect Yourself...
iPhone users can simply click "don't allow" as each request pops up. The tradeoff is that you may not be able to use certain portions of the app. You can find a tutorial about adjusting your permissions on How-To Geek.
For Android users downloading apps from the Google Play store, you have to accept all permissions upon installing or updating the app—for now. This fall, when a new version of Android is released, users will receive permissions requests as they're required: You won't have to choose whether an app can access your text messages, for example, until you use the messaging feature on the app. And, should you have a change of heart after granting permission, you'll be able to adjust your settings at any time, Google spokesperson Liz Markman wrote via email.
Google hopes that adding context to each permissions request will also make it easier to understand how the data the app needs is being used.
Until then, Guerra suggests that Android users look at an app's reviews before downloading it—focusing on the bad ones, which can provide insights into whether the app has gotten a little too close for comfort.
"As you read the permissions, imagine being asked for that information at a store. If you'd say no, don't agree to it with your phone," he says.
Follow Delish on Instagram.
