14 comments

[ 3.4 ms ] story [ 40.2 ms ] thread
How did WhatsApp receive an A rating when it can access your mic and camera to record without confirmation?
they actually just rate whether the App permissions match the users expectations.
Because users expect an application used for sending audio snippets use the microphone.
Considering the functionality that wasn't reviewed, I don't think it should be advertised as "A".

It might be "A" for the expected permissions, but if there's extra permissions which haven't been investigated, these should be marked down until explained. This would encourage app owners to work with whoever maintains the database to get accurate ratings. If Whatsapp is an A today, there's no incentive for the developers to justify / assist with anything unexplained permissions remaining.

In it's current state, if it's awarding A scores while significant permissions are unexplained, it doesn't help the end user.

(comment deleted)
Facebook gets an A? All the egregious permissions say "Not analyzed yet". In cases where permissions aren't analyzed the grade should at least be marked as tentative / incomplete.
If trust is earned then they should all be graded 'D' until shown otherwise.
Anything that can read my contacts should automatically be a 'D' in my opinion. Take pictures and access the internet - that's a 'D' too. I know this site is measuring the difference to people's expectations, but privacy needs to be re-framed once you have an out of control government in the mix.
Given your username I find it a bit ironic that you're talking about "an out of control government" :-)
Seems to be based on 'does this app have an apparently plausible reason for requesting the permission?' but nothing beyond that. Some app might introduce some incidental feature that requires access to browsing history, that doesn't justify giving it that permission.

Anyway, it's an impressive website, good to see new work being done in this area. Access to smartphone data is a wild west at the moment.

Is this Android only?
I don't see any information about how information is communicated between my phone and the app's servers. To me, that's a pretty big privacy concern. If Pulse, for instance, is connected to my LinkedIn account, are my credentials for authenticating with the app being sent over plaintext?

I suppose the above is more of a "security" concern than a "privacy" concern, but I think they are ultimately one and the same.