Smartphone App Permissions: Ever Cared to Find out which ones to give or deny?


Those are verification codes. The PIN can only be changed at an ATM or at a branch.

They never send it to you.


It is beginning to feel like most apps are not simply developed for end user functionality but as a medium to collect more user data. We are in the age of big data and as annoying as it is, I think companies are stepping over every hurdle, even privacy, to get edge-y data about the market. Otherwise why would a loan app want call log permissions? I remember we have had a discussion on Tala and Branch and Opera cash and the ridiculous data they need access to.


It's not just the verification PIN (OTP request). They also send the m-banking PIN via SMS. I have those texts.
Edit: screenshot.


I block almost all permissions for the file sharing app Xender ever since I caught it using almost 20 MB of data every day even when I had not opened it.


Wow, this is actually happening when you reset your PIN on the app.

It would make sense to just display the pin on the app for a few seconds after verifying your details.


I think, unless otherwise disputed, the app lock apps work very well to deny access to SMSs even for granted permissions. For example, yesterday I was reinstalling the Equity app and there is a step where it requires to actually read an authentication text in your inbox; I got an error to remove the app lock protection for my SMS. Same with Mledger.


Or prompt you to change it once you log in the first time.


By the way, you can’t change the PIN on the Equity app; you have to stick to whatever they send on SMS.


You can. I just did it.

Open the sidebar then click on the padlock icon at the bottom.

You should see an option to change the PIN.


The answer to this is yes, but it is a problem with SMS in general. SMS is not a secure means of sending information. SMS is unencrypted, meaning they are stored as is even on Telco servers. So as you’re busy getting worried which app has access to your texts, don’t forget that telcos also have the same access. At least on your phone you can delete the texts, but once your text goes through a telco’s server, it is there to stay!


Just to clarify SMS as a component of the GSM standard is encrypted by default with the caveat that the A5 stream cipher is weak by design.

SMS is still unsuitable for secure communications but the real world threat is government interception and rogue third parties.

The way packet switching works, attempting something like this would quickly degrade the network, never mind the additional expense on equipment and how illegal this would be. Metadata logs are stored at the base station level but those are flushed around every 1-3 months.


The telcos keep your SMSs for even 6 months. It's a really small footprint for them data-wise. Also, why they are retrieved for prosecution so easily.


Lol. Telcos only store metadata (sender number, recipient, date and time). At least in Kenya when the cops require that data the court order explicitly covers the base station under which the SMS was sent.

1 SMS is roughly 140 bytes. According to the press, Kenyans sent 28 billion texts in 2015. Some quick math says that is about 40 Terabytes worth of data annually.

Unless Safaricom are quietly involved in the data mining game then I don’t see how your bold claim holds any water.

Two points, electronic gadgets are seized during investigations and SMS spoofing is trivially easy. Even if the telcos had the content of texts stored somewhere, that evidence would not stand in any court.


Well @mister_roboto, I really like your optimism. Let's agree to disagree on this one. Anything that goes through their servers is ripe for storage. Even if they don’t keep it for long, it's stored before delivery of the message. I would bet a month's earnings that it's allowed somewhere in the fine print of the terms and conditions.


Don’t confuse facts with opinions. First of all this would be illegal and against the constitutional right to privacy. Secondly the cost of equipment and increased network load would make such a system highly illogical.

Easy money, when do I collect the cheque? See my first point above.


You cannot claim facts without providing sources. Until you do, your claims are still personal opinions.

I do not know anything about this but my research shows a lot of telcos from Europe keep SMS metadata for at least 12 months.

The actual SMS contents are stored for ~1 week.

European countries are among the strictest when it comes to Data Protection laws.

In the US, call logs and SMS metadata can be stored for years.

I HIGHLY doubt Kenya has better data protection laws. I tried to read the Data Protection act but couldn’t find anything useful on this.

Any sources confirming your claim?

From your estimate above, 40TB worth of stored data is nothing. It would still be nothing if it was monthly and not annually.

Storage is very very cheap.

The current system already stores text messages for a few days before they are erased completely. This is a FACT.

How will transferring already existing text messages from a temporary storage to a more permanent storage bog down the network?


The irony in this statement. Lol!

It is an illegality under the Information and Communications Act for a telecommunications provider to intercept messages. Additionally, the bill of rights in the constitution explicitly states that every Kenyan has a right to privacy of their communications.

Storage is cheap, I agree. But databases and data processing on that large a scale are not.

Do you understand how cellular networks work?

SMS Service Centers use store and forward when transmitting text messages. Once the message is sent or times out, it is purged from the system.

On your second “fact”, sending and storing every message on the network in a central location is such a terrible idea. The service provider would run the risk of broadcast storms and degraded network performance.


I don’t know about storage of texts and the likes. What I can tell you is that around 2008, NSIS installed microwave links from Safaricom house, Essar and Orange straight to their headquarters. As for the kind of data they intended to collect, no idea.


Information in the public domain¹ claims that NIS and military intelligence operate IMSI catchers in anti-terror operations. But I think that’s beyond the scope of this friendly discussion.

  1. Track, Capture, Kill: Inside Communications Surveillance and Counterterrorism in Kenya


Good point. Here are my sources:

There were a bit more but these ones offered a decent amount of information for both US and UK telcos.


Also, why are you flip-flopping? Now it has become about intercepting messages and not data retention.

Nope. 40TB worth of data is nothing. You are greatly underestimating the amount of computing power we have access to today.

This is something you can do at home.

A few guys on Reddit have been archiving Instagram and intend on creating a searchable database. Something like Google’s image reverse search. Last time I checked, they were at 600TB.

I have seen people try to test the limits of the various databases with terabytes of data.

See, I am not saying it is happening now but telcos have the capabilities to store the contents of each and every message.

The technology already exists and would be very cheap to implement.

The texts are already stored somewhere temporarily before they are forwarded to the recipients. They could easily make a copy and store it somewhere permanent.

The permanent data would be processed away from the network in a data center somewhere. How will this degrade the network performance?

They already store the text messages temporarily. There won’t be any extra overhead.

Decentralizing such a system would still be easy to implement.