Religious apps with sinful permissions requests are more common than you think

Sometimes developers of religious apps take the edict to be "fishers of men" too far, and sometimes the faithful put their faith in the wrong apps. As public focus on the security of apps on the Google Play Store intensifies following years of data leaks, adware infections, security scandals and malware contagions, little coverage has been devoted to one of the most commonly exploited types of Android app: those aimed at believers. 

Religious apps have long been dangerous, malware-laden territory. A widely profiled 2015 white paper from security research firm Proofpoint analyzed more than 5,600 unique Bible apps for Android and iOS. Proofpoint categorized 140 Google Play Store apps as "high risk" over suspicious behavior and flagged 208 apps for malicious code. The firm went so far as to say it had found more malware in Bible apps than even gambling apps. 

Proofpoint's study wasn't restricted solely to Christian-audience software, either. Of the 4,500 Quran apps it analyzed, 16 contained malware and 38 were classified "high risk." Only two of the 200 Torah apps available at the time contained malware.

Despite these findings, Proofpoint did not share the names of any of the malware-laden apps at the time, telling several media outlets it was negotiating with the apps' developers. But things have been quiet on the religious app front since then. A spokesperson for Proofpoint confirmed that the firm has not since released the names of the offending apps covered in the 2015 study.

Security issues with many religious apps -- and apps in general, for that matter -- start with permissions. "Normal" permissions are usually granted by Android -- these let apps stay awake during use or get online when you tell them to. But "dangerous" permissions ask for sensitive data that, if mishandled, could easily compromise your privacy . 

Some permissions that could be considered dangerous may not put you in harm's way -- like when a book-reading app asks permission to save a book to your phone so you can read it offline. But sometimes these dangerous permissions include unnecessary requests for more information than needed. Those red flags alert you to an app's overall security: That book-reading app doesn't need to read your list of phone calls, pinpoint your exact location or change your system settings in order to function, does it?

Read more: 7 Android VPN apps you should never use because of their privacy sins

Most security researchers express a general rule of thumb: The fewer permissions an app requests, the better. For the faithful, a similar note of guidance might be found in Proverbs 20:19: "A gossip betrays a confidence; so avoid anyone who talks too much."

These six popular apps aimed at a Christian audience talk to your phone far more than is necessary, potentially eliciting sensitive information. Here's what you need to know before letting them onto your Android phone.

King James Bible apps

Little appears to have changed since the Proofpoint study emerged and Bible apps in the Play Store started coming under scrutiny. When you search for "Bible" in the Play Store, four of the top five search results request dangerous permissions from users. 

King James Bible (KJV) from Salem New Media (a freemium app) has accumulated more than 10 million installs and a rap sheet from Privacy International, which discovered the app sending user data to Facebook in March after claiming it had stopped. The app is still available on the Play Store, and still makes egregious requests of users' data. 

New Salem Media wants the app to begin running as soon as your phone powers on (instead of when you open the app). Then it wants to know what other apps you have on your phone, what they're doing now and in the past, who you've been calling and how often, and your precise location. The company also tracks your activity and gives advertisers access to you, according to its own privacy policy. 

With more than 5 million installs, the most popular free Bible app, according to the Play Store, is King James Bible (KJV) from iDailybread.org. 

It asks for many of the same permissions as New Salem Media. It also wants permission to create new accounts (of what kind? it doesn't say), set passwords and change your settings to allow it to update whenever it wants. It also asks for permission to throw itself on top of other apps you're using -- giving it the power to change the appearance of your other apps or serve pop-up ads -- and to start running as soon as you turn your phone on. 

The 99 Android apps maintained by Watchdis Prayers -- including its King James Bible app -- go even further: The King James Bible app wants permission to do all of the same things the above Bible apps want to do, and then it wants to control near-field communications -- the system used by Android Pay . 

If you've installed any apps maintained by Watchdis Prayers, we strongly recommend uninstalling them and updating your passwords for any social media or email accounts you use on your phone -- at least until you know what this company is doing with such a massive amount of personal data and access to your digital wallet. 

Watchdis Prayers' only available contact information is a Gmail account purportedly manned in the Netherlands. It has no current privacy policy on its website, and offers no further information about who's running the show. A cached version of the company's site indicates it had a privacy policy last month, but it reads almost as cryptically as the blank page that replaced it.  

None of the three companies above responded to requests for comment. 

YouVersion Bible

YouVersion Bible is notorious for privacy violations and dangerous data collection. Yet, here it is: still seated firmly in the Play Store, racking up over 100 million installs with a whopping 22 permission requests. 

When Slate wrote about it back in 2013, the app's creator said that YouVersion collected so much data even Google took notice and sent its own engineers to help parent company LifeChurch.tv "sort out how to store and analyze the flow."

Today, the app asks for all of your contacts' information and your precise GPS location. Then it asks for not only the information for any accounts you have for other apps on your phone, but the ability to use the accounts on your device. Like many others in this list, YouVersion wants to start running as soon as your phone turns on, instead of waiting until you open the app.  

The app's creator, Bobby Gruenewald, told Slate all that data collection "is used to improve the experience of the app, with the aim of helping people globally to engage with the Bible."

I think you should find a more secure app to engage with the Good Word.

But following this article's publication, Gruenewald reached out to CNET to make a compelling case for YouVersion, and offered an update on how things have been developing since 2013. He said YouVersion has not only pared down its data collection, but actively aims to reduce it further.

He said he and his team now want a third-party privacy audit.

"It's horrifying to me personally that any user would feel like we violated their privacy," he said. "We view their experiences with the Bible as sacred."

As Android app permissions have been narrowed through the years, YouVersion's data collection practices have aggressively followed suit, Gruenewald said. He also said YouVersion has worked hard to never store user data that doesn't specifically help the app function.

YouVersion had no choice but to request broad permissions like those requesting call log access in order to get the more narrow part of that permission, which would allow the app, for instance, to silence its audio when a user receives a phone call, Gruenewald said. The company has never implemented the use of the data, he added.

"We've actually worked with Google and others to make sure that we're always refining best practices and wanting where possible to remove, if possible anything that wasn't necessary," he said. "I do this as an ongoing process."

Despite being regularly approached by third parties through the years who beg for a slice of YouVersion's anonymized data, Gruenewald said his company is a ministry that refuses to follow the business models of other free Bible apps who either monetize user data or share it.

"There are definitely some bad actors out there … and some of them have been extremely egregious and have made their app look like our app, and we've had to go through the court system," he said. 

"Because of that, we want to do our best to be the gold standard."

In an app market crowded with data exploiters, YouVersion's ambition to establish the gold standard is a welcome one. And if it follows through with that audit, I'll be the first to sing its praises.

Christian Broadcasting Network

Famous for its 700 Club programming and its controversial host Pat Robertson, the Christian Broadcasting Network maintains 11 Android apps for download in the Google Play Store. The largest purveyor of the apps surveyed here, CBN also maintains one of the most detailed privacy policies we've seen. We don't like what it's doing with your data, but we do like that it explains its usage in three readily accessible pages with layman-friendly language. 

Permission requests vary among each of CBN's 11 apps, but three ask for enough information to warrant sober concern. 

CBN Radio presents itself as an app that just wants to broadcast your favorite Christian music. But there are enough requests in its permission list to present a case for avoiding the app altogether. It wants to know your precise location, and what kinds of phone calls you're making and to whom and how often. It wants to be able to take pictures and video. And why does a radio streaming app need to begin running as soon as you turn on your phone? It doesn't. 

The myCBN Prayer & Devotional App has even more red flags. With more than 100,000 installs on the Play Store, the app wants to know everything CBN Radio knows, plus it wants to control your flashlight, turn your Bluetooth settings on and off (a notable security concern), get a full list of all your contacts and any accounts on your phone, take control of your camera and microphone, and control your location update notifications. 

The most concerning security issue with CBN apps may be that found in the permission requests of its children's app, Superbook Kids Bible, Videos & Games. It's generally not a good idea to allow an app to disable your lock screen, nor to start running as soon as your phone is turned on. But giving a kids' app permission to take photos and videos of your child, as this one does -- even as part of a feature allowing kids to upload their own pictures -- after you've allowed it to disable your lock screen may be a bridge too far. 

Even if you trust CBN with access to your intimate information, data breaches have become a near-monthly reality for competitively secure companies. You can request CBN delete your data, according to its policy, but once your data is copied into the hands of CBN's many third-party contractors, and their third-party contractors, there's no way to unring the bell. 

We would love to know why CBN needs this much access and control to provide seemingly simple services, and whether it has a plan in place in the event of a serious hack. CBN declined to be interviewed for this story, however. 

Christian Mingle and Christian Matrimony

Well-known dating app Christian Mingle has more than half a million installs on the Play Store, and was hit with a $500,000 fine in October of 2018 for automatically renewing subscriptions without users' express consent. It requests an overwhelming 23 permissions from its users, including some particularly curious ones. 

Why does a dating app want to disable your lock screen, then get a full list of all the apps on your phone and your history of usage for each? Why does Christian Mingle need to know your precise location, when you're making a phone call, who you're talking to, and how often you talk to them? Most curiously, why does Christian Mingle need to control your flashlight?

The lesser-known Christian Matrimony app, from CommunityMatrimony.com, likewise raises questions. With more than 100,000 installs, the app wants to change your audio settings and get a list of all the apps you've already installed on your phone. Then, like Christian Mingle, it wants to find out who you're making phone calls to. It goes beyond Christian Mingle, however, and asks for permission to directly call phone numbers. 

Representatives for both Christian Mingle and Christian Matrimony said they'd have someone call us back. So far that hasn't happened. 

Cold Case Christianity

The Cold Case Christianity app is a promotional tool for the writing of public speaker J. Warner Wallace, with more than 10,000 installs on the Play Store. Once given permission, it can read your personal contact list, find out who you've been calling and how often, and record your audio and change your audio settings. It can also take a peek at your pictures. 

The most intrusive permissions allow the app to look at your personal calendar and confidential information, then create or change events on your calendar and email guests to those events (your friends, coworkers and anyone else in your contacts) without your knowledge. 

Apps generally shouldn't do this. If they do, you should be able to find out what that app is doing with your information. But in the case of Cold Case Christianity, the website now redirects to the white-label commercial site Buildfire, and the privacy policy is likewise gone, last seen in 2017.

Wallace's only contact information appears to be his booking agent, Matt Croaker, who returned our call. 

"I don't think he'll be interested in commenting," Croaker said of Wallace. 

Bible Verses App 

The Bible Verses App from SpringTech has been classified by a number of credible virus-watching companies as a browser hijacker, and infects your browser with spyware-packing trojans. It takes over your browser and forces you to redirect to its fake search engine, then it tracks all of your browsing activity and prevents you from changing any browser settings until it's removed. 

Parent development company SpringTech no longer appears to have any contact information on the web. Get this extension and any related files off of your computer as soon as you can. Then change the passwords to all of your online accounts. 

To this end, PC Risk has a reliable walk-through on how to uninstall the Bible Verses App.

Watch this: Loads of Android apps are skirting privacy controls

01:12

Originally published Oct. 2.
Update, Oct. 3: Adds comment from Bobby Gruenewald.