Do you recall the drama and panic about Facebook Messenger permissions requiring excessive access to devices? And after the FTC hammered on “Brightest Flashlight Free” for sharing app users’ location and device ID with third parties and advertisers, without users’ knowledge, a flashlight app panic followed. Sometimes the required access wasn’t evil, but some did pose privacy risks. Overall, app permissions are wildly misunderstood.
If app permissions seem overreaching by asking for too much access, then I pass on that app. But people with IoT home automation devices such as WeMo can't pass on the app. For that reason, we’re drilling down into WeMo app permissions, based solely on WeMo and not what more can be done by connecting a WeMo device with IFTTT. I reached out via email to Belkin engineers to find out what WeMo’s permissions really mean.
Belkin home automation WeMo products include a light switch, WeMo Insight Switch, WeMo switch, WeMo switch and motion, NetCams and smart LED bulbs. Through partnerships with Crock Pot, Mr. Coffee, Holmes and Osram, WeMo also has home automation and smart device products such as a crockpot, coffeemaker, humidifier, air purifier and heaters.
One of the setups for rules includes “away mode,” which is a security feature that allows a person to “schedule the lights to turn off and on at random intervals, making it appear that someone is home even when the house is vacant.” Other rules allow people to use sunset, sunrise or other specific times to turn devices off and on, as well as use motion as a trigger. The app allows for notifications if a device is triggered by motion or by sensing power. Remote access is handy for turning on a light or other device from any location. Still, none of the rules or remote access indicated to me the need to access location, camera, microphone, USB storage, contacts or call logs.
Belkin offers an iOS WeMo app and WeMo app for Android. Android app permissions are a mess, and Google “simplifying” how permissions work by grouping them did not help the situation. Because of the way Google Play groups and displays permissions, I’ve copied, cut and collected them into the image below.
Let’s start with location. The WeMo location permission gives access “to approximate location (network-based)” and to “precise location (GPS and network-based).” Since none of the WeMo products use geofencing to turn on or off based on the GPS distance from the home, why does the WeMo app need access to location information? It turns out that there is nothing creepy about it. For example, “WeMo utilizes that info to enable automatic sunrise/sunset programming. It's based on zip code - hence the need to input location.”
Belkin engineers added: Location – We do not actively use or store all of the location information that the permission triggers, and are looking into seeing if it is part of a larger class of permissions that we may be able to remove. However, we do use some of the information to enable sunrise/sunset rules.
Building out the code for these IoT devices is pretty complicated and often there are reasons for including permissions that may not be obvious on the surface, but are necessary on the backend to create the level of superior user experience that we strive for with WeMo. Developers tend to use all of the tools at their disposal when creating the app and it may include some permissions that are not explicitly used in the current version of the app, but are road mapped for future feature upgrades or advances.
Under Contacts/Calendar, the WeMo app requires access to “read your contacts.” What do my contacts have to do with controlling my WeMo devices?
Sometimes we don’t need full access to a permission’s data, but even access to a very minor portion of it results in the full permission being triggered. For example, accessing the contacts is only needed for a very small subset of people who haven’t named their device. We do this so that we don’t have to force an extra step for the user doing set-up, which we believe would hamper the overall user experience. And still other times we are required by the various operating systems to obtain certain permissions so that the devices work with the app properly, even if we don’t specifically use any of the data, such as the case with Google Cloud Messaging.
Belkin engineers further explained: Contacts/Calendar – Used if there is no device name, Bluetooth profile name or owner’s name to display the name from your contacts (under “me”) on the remote access view. We only have a read access, not a write access for this as well.
The permissions that fall under the heading of Camera/Microphone include granting the WeMo app access to “take pictures and videos.” Why in the world would a switch need the ability to tap into my phone’s camera to take pictures or microphone to take videos?
Belkin engineers: Camera/Microphone -- In iOS the camera is used for users to take photos and customize the icons for their WeMo devices. This feature is under development for Android, so some of the code is already in production, hence the permission. The Camera/Mic permission is not separable.
The permissions that fall under the heading of Phone include “read call log.” What have my previous phone calls got to do with the WeMo line of home automation products?
Belkin engineers: Read Call Log – We do not use a specific permission for “Read Call Log” but we do use a generic permission “Read_Phone_State” so that the app’s network manager can identify it as a smart device. We only have read access to this and not write access.
Under Photos/Media/Files, the WeMo app wants permissions to “modify or delete the contents of your USB storage” and to “test access to protected storage.” Why would WeMo need those? Like the other questionable permissions, if there is no need to ask for those permissions, then why do it?
Belkin engineers: Photos/Media/Files and USB Storage – We are using local storage to cache discovery information and speed up device discovery so that set-up and use is more seamless.
Identity permissions; Device ID and Call Information; Device and App History – These are required for cloud to device messaging and used so that Google Cloud Messaging works properly. It’s required to verify if the user synced a Google account because they require a phone to be registered with GCM in order to receive push notifications. The Android Developer site has some more specifics on these types of permissions and you can see them here: https://developer.android.com/google/gcm/client.html under “edit your application’s manifest”.
“Other” Permissions including receive data from Internet – These three items help us triage the network connection state to provide the right feedback to the user. Information used by the WeMo app from these permissions includes:
- Access network state: used to identify network and connection type (3g, 4g, no network, etc.)
- Access Wi-Fi State: required for Wi-Fi connectivity within the app.
- Internet: allows the app to access the Internet. For example, if we don’t check that there is a valid network connection, the HTTP requests will fail.
IoT coding is complicated and the permissions were confusing, but now the app’s required access no longer seems sinister. Hopefully the engineers’ drilling down into WeMo permissions helps you understand the whys too.
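The same question-and-answer exercise can be run mechanically against any app's manifest. The sketch below is an added example, not Belkin's code: it parses an `AndroidManifest.xml`, marks which declared permissions sit at Android's "dangerous" protection level, and flags the ones with no entry in a purpose register. The manifest, the package name `com.example.homeswitch` and the register layout are assumptions made for illustration; the purposes are paraphrased from the engineers' answers above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions at Android's "dangerous" protection level (user data or identity).
DANGEROUS = {P + n for n in (
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "READ_CONTACTS", "CAMERA",
    "RECORD_AUDIO", "READ_PHONE_STATE", "READ_CALL_LOG",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE")}

# Purpose register, paraphrased from the engineers' answers in the article.
STATED_PURPOSE = {
    P + "ACCESS_COARSE_LOCATION": "sunrise/sunset rules",
    P + "ACCESS_FINE_LOCATION": "sunrise/sunset rules",
    P + "READ_CONTACTS": "fallback display name on the remote access view",
    P + "CAMERA": "custom device icons (Android feature under development)",
    P + "READ_PHONE_STATE": "lets the app's network manager identify a smart device",
    P + "WRITE_EXTERNAL_STORAGE": "cache of device discovery information",
}

# Constructed sample manifest for illustration; NOT the real WeMo manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.homeswitch">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Names from every <uses-permission> element, in document order."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return [n for n in names if n]  # skip elements missing android:name

def audit(manifest_xml):
    """One (permission, level, purpose-or-None) row per declared permission."""
    return [(p, "dangerous" if p in DANGEROUS else "other", STATED_PURPOSE.get(p))
            for p in declared_permissions(manifest_xml)]

def unjustified(manifest_xml):
    """Dangerous permissions that have no entry in the purpose register."""
    return [p for p, level, why in audit(manifest_xml)
            if level == "dangerous" and why is None]

if __name__ == "__main__":
    for perm, level, why in audit(SAMPLE_MANIFEST):
        print(f"{level:9} {perm:42} {why or 'NO STATED PURPOSE'}")
    print("needs review:", unjustified(SAMPLE_MANIFEST))
```

On the constructed manifest the review list contains the microphone and call-log permissions, the two sensitive entries the register gives no purpose for.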