The Data That Needs No Permission At All

Mobile metadata is the technical exhaust your phone produces just by running — separate from your messages, photos, or location history.

A specific category of it requires zero permission popup, on both Android and iOS: your device's advertising ID (GAID on Android), battery level, device model, screen brightness and resolution, timezone, general network type, and standard motion-sensor readings from the accelerometer and gyroscope.

None of this triggers a runtime prompt. There's nothing for you to allow or deny — it's collected the moment an app starts running, through standard system APIs every app has access to by default.

The Data That Does Need Permission — But You Already Gave It

Here's where the last version of this piece got it wrong, and it's worth correcting properly: scanning nearby WiFi networks and Bluetooth devices, and reading your list of installed apps, do require permission on current Android versions.

WiFi scanning needs either the NEARBY_WIFI_DEVICES permission on Android 13 and above, or location access on older versions. Bluetooth device scanning needs BLUETOOTH_SCAN, a runtime permission introduced in Android 12.

The catch is what that permission prompt actually says. It reads "Nearby devices" or "Location" — never "this app wants to fingerprint your device." Most people tap allow because the app claims it needs WiFi access to "find devices to connect to," not realizing the same access builds a tracking profile.

Why Scattered Data Points Become Dangerous Together

One data point in isolation is useless. Your battery is at 61%. So what.

But combine battery level, screen resolution, timezone, sensor calibration, GAID, and a handful of nearby WiFi networks, and you get something close to a unique signature — precise enough to identify one specific phone out of millions.

This technique is called device fingerprinting. It doesn't need your name, your phone number, or a login. It just needs enough small, "non-sensitive" signals stacked together.

That's what makes it more durable than a cookie. Clear your browser, reset your GAID, use a different app — the fingerprint often survives, because it's built from hardware and configuration details that don't change.

Where This Shows Up In India's Lending Apps

Digital lending apps in India have leaned on exactly this stack. RBI's Digital Lending Directions require lenders to collect only data necessary for the loan — but device metadata sits in a grey zone, because it isn't classified as personal data collection in the way contacts or SMS access is.

A behavioural score built from device signals — how often you switch networks, what apps sit on your phone, how your device is configured — can shape loan eligibility before you've filled a single field. There's no single regulation in India today that specifically addresses metadata-based profiling in lending, which is part of why it goes largely unchallenged.

Your Photos Carry Metadata Too

Separate from app-level collection: every photo your phone takes stores EXIF data — GPS coordinates, device model, exact timestamp — inside the image file itself.

Most social platforms strip this automatically on upload. Direct shares often don't. A photo forwarded on WhatsApp, or posted to a resale marketplace, can carry its original location data intact.

What You Can Actually Do

Reset your advertising ID periodically — Settings → Privacy → Ads on both Android and iOS. It won't stop metadata collection, but it breaks the link between your old fingerprint and your new one.

Check which apps actually have Nearby Devices or Location permission under Settings → Apps → Permissions, and revoke it for anything that doesn't have an obvious reason to need it.

Turn off geotagging in your camera settings before it becomes a photo you regret sharing.

The permissions screen was never the full picture of what your phone gives away. Some of the most identifying data doesn't need your permission at all — and the data that does, you probably granted without knowing what it was really for.