The issue described is excessive or inappropriate application permission granting in a BYOD environment. Employees install apps that request access to sensitive device resources—contacts, camera, messaging—despite those permissions not being necessary for the app’s stated purpose. This creates a risk of data harvesting and corporate information leakage if a malicious or overly intrusive app is installed. The most direct guideline to prevent this behavior is to review the permissions requested by apps before installing them.

Mobile operating systems rely heavily on permission models to control access to sensitive data and device capabilities. When users approve broad permissions without scrutiny, they effectively authorize the app to collect and transmit sensitive information. Enforcing a culture and policy of checking permissions (and denying or uninstalling apps that request unnecessary access) directly addresses the root cause in the scenario: user consent enabling excessive privilege at the app level. In a corporate BYOD program, this guideline is often paired with mobile security controls such as enterprise app stores, allowlists/denylists, MDM/MAM policies, and user awareness training, but the question asks for the most direct preventive guideline.

Why the other options are less direct:

Encryption at rest (A) helps protect stored data if the device is lost or compromised, but it does not stop an authorized app from accessing data via granted permissions.

Automatic locking/biometrics (B) reduces unauthorized physical access, but it does not constrain what a permitted app can access while the device is in use.

App passwords (D) can help restrict casual access to an app, but they do not solve the problem of an app legitimately being granted invasive permissions.

Therefore, the best answer is C. Review permissions requested by apps before installing them.