As a long term Android user and a mostly happy one at that, let me just say that Android's permissions are terrible and basically not fit for purpose.
I'm going to ignore third party solutions that require root, because those aren't part of the equation for 95%+ of Android users.
Android should have three levels of permissions: Implied (i.e. all apps get these), explicit (at installation), and prompted (user is asked at runtime).
- Implied ("freebies"): internet connectivity, store data, get a unique device ID (per app?), store the app's own accounts within the accounts API.
- Explicit (installation): Run in background, use GPS, use the camera, use the microphone, etc.
- Prompted ("personal information"/"cost you money"): Access your cellphone number, access your contact list, access your calendar, access your email, read/send texts, make calls, etc.
Users in the current Android ecosystem learn to ignore permissions pretty quick as most are for trivial stuff (e.g. internet access, store data on the SD card, store an account, etc).
Worse still a lot of users will skip apps that ask for too many permissions which is bad for both the app developer AND users. Most developers want to offer functionality (e.g. share to contacts) but don't want to do so at the cost of losing users ("Why is this asking to see my contact list?").
Android needs to drop a bunch of "silly" permissions that have no inherent cost to the user. They're clearly created by an engineer who just wanted to slap permissions on every kind of API for no good reason. It benefits nobody.
They then need to take permissions which have a cost (either literally or to user privacy) and set them up rationally so they're either something you get when installing OR something you'll be prompted for.
Lastly Android needs to add a description field to the permissions manifest where the developer can put in a short explanation for why they need permission XYZ. Limit it to 128 characters if you wish. The app store can display these.
I install less apps on Android largely because many ask for too many permissions. If Google makes it really easy for me to protect my personal information (e.g. prompts) I'll literally spend more money on their store because I'll feel more safe to do so. As a developer I'll also offer more functionality to my apps as there is no permission "cost."
This is great stuff. I kind of wish they would hire you to run this. Another idea I've had would be for the user to be able to install an app without giving it the perms it "requires" (perhaps by unchecking some boxes in the dialog). Then apps would be responsible for handling a "no you can't see the contact DB" API response. Or they could crash I guess. The point is that users could effectively renegotiate with apps, e.g. "yes I'd like to use NFC to pay, no I don't want you to be able to record everything that's going on around my phone".
Yes, No, and spoof. Otherwise far too many apps would just go "I won't work until you enable the settings I ask for" - and then we're right back at the current situation.
It is none of the app's business if the "camera" it sees is actually just an animated GIF (in essence).
It is none of the app's business if the "location" information it receives says, Mountain View, California. Wow! Look how many customers live in California. :-P
In short, the app should not even get the yes/no data from the user.
But at the same time, I have a feeling that there would be frameworks popping up all over the place for recognizing spoofed settings. Yes, you'd end up with the same thing with an explicit "no" option, but the segment of users choosing "spoof" would presumably be smaller, and as such presumably the gain of an app adding functionality to detect spoofing would be smaller.
Although I personally think that the best option is, given that Android has the app store, have it part of the verification process that unrelated functionality of an app must work when functions are disabled.
Yes, and Android's isn't the only app repo that could be doing more verification (reminds one of Windows Update and FTDI, no?). To be frank, however, adding additional required verification is a huge pain for everyone, so it's going to be rare.
To avoid the pain they could roll this out only to apps that declare themselves not to be assholes. I.e., an app could promise not to degrade ungracefully under limited perms, and in return it would never get spoofed data. (All other apps would get spoofed data whenever they access an API that a user had deselected.) If a non-asshole app were ever reported by a user and verified by Android devs to degrade in a user-hostile manner, it could just be placed in the asshole category permanently.
Agreed. When FB Messenger asks for my location, or my contact list, I just click "don't ask again" and "deny". And I get to ignore all the furor over the new Messenger permissions my friends are freaking out about.
meanwhile Google Play Services made the Cyanogenmod privacy setting useless.
Any app can mask it’s access to your location, contacts, microphone etc. by using the Google Play Service instead.
It’s all or nothing again.
Try setting the Google Play Services access to “ask each time” and be surprised how many apps that don’t need your location, contacts.. try to spy on you.
i completely agree. to avoid crashes the OS could return innocuous zeros, for example, the contacts has no entries, silence on the mic, zero for location, no connection on a network interface. To level the playing field, the vendor should be able to know i declined the request and not provide me the software, that's if their business model is based on advertising or data collection defeated by my choice.
Moreover, why not put a separate tab on the control center overlay that would display current permissions for running app as well as number of requests made that used that permission. If you drill in particular permission it could display history of requests for that particular API.
Having something like this would also allow for better audits. A separate app could show requests against a particular API by all apps as well as allow filtering. Other useful stats would be average number of requests per day per API per app and a graph of API calls by time of day. If nothing else this would allow to quickly identify rogue applications that make too many requests and drain battery.
On the topic of battery drain, I think that "allow to run in background" and "run as a service" would be a useful permissions as well. First one you would want to give to music players and to GPS applications, for additional control include time app allowed to run in the background before it is killed. Second permission would cover apps like IM and Facebook that are known to be tremendous battery hogs.
Totally agree with you here - Android's permissions model would be fine if only I could selectively refuse permissions to applications that ask for them, and have the application continue to operate but without the permissions I refused it. So that would mean my banking application wouldn't be able to take pictures of checks, if I refused it access to my camera, for example.
I can't find the reference right now, but that feature was present in beta versions of Android 4.3 (?) and removed because it broke certain existing apps.
I share the same feelings about overreaching app permissions. My solution would be similar, but deviate notably in that I'd prefer every app have a permissions menu where each permission can be toggled on/off. The permissions menu itself would only be enabled if Developer Options is enabled (via the 7 taps).
This would, of course, break certain actions within the app and would require disabling buttons in the app and/or displaying friendly errors about "This action requires access to your camera. See permissions etc...". Even then, people disabling permissions and 'breaking' the app by their own actions would probably generate some unjustifiably negative reviews on the Play store.
Not perfect, but a great way to reign in app permissions. My only control right now is to simply not install the app (or disable hardware like the radio when I run it).
I would argue that no permission should be "implied". For each example you list in that category, I can find an argument to not make it implied. For example: Many people are on plans with capped data per month and are therefore concerned about how much data an app uses. As such a user I would want to make sure apps like a flashlight app do not use internet connectivity at all. Likewise if you are concerned about privacy and want to know when an app connects to the internet and thereby automatically reveals your location, possibly usage pattern, etc.
> I would argue that no permission should be "implied". For each example you list in that category, I can find an argument to not make it implied.
I'm sure you can. But ultimately it is losing battle.
When you turn something which 99.99% of normal apps require into a "permission" it isn't really a permission at all. Just an obstruction which teaches the users permissions can be safely ignored (i.e. stupid permissions hurt good permissions).
If a user ONLY gets a permissions pop-up when it actually matters they're far more likely to take it seriously than if they get it every time and 9 times out of 10, it is just nonsense (e.g. Reddit app needs internet access, store accounts, SD card write, etc).
> Likewise if you are concerned about privacy and want to know when an app connects to the internet and thereby automatically reveals your location, possibly usage pattern, etc.
Without getting boringly into the intricacies of Android's underbelly, even without the "internet" permission (which is now standard with higher API levels anyway), you can connect to the internet through other APIs and inform a server that you exist.
Literally an app with zero permissions on Android can make API calls which let a server know they're installed at that IP address.
The internet permission was just a good example to throw into the set because Google already moved in the direction of effectively removing it. Now they just need to do more permissions in a similar vein.
> When you turn something which 99.99% of normal apps...
I think you are confusing your personal use case with everybody's use case. What's a "normal app" anyway? Did you mean to say "apps I use on a daily basis"? Because of the 17 apps on my home screen, 6 do not have a functional requirement for internet connectivity. I bet for users in emerging markets this ratio might be even higher.
> If a user ONLY gets a permissions pop-up when it actually matters...
For most people, spending money is something that actually matters. Again, just because you don't have metered data, doesn't mean everyone else is in the same situation.
> Just an obstruction which teaches the users permissions can be safely ignored
Google manages to sort millions of search results by relevancy, I'm sure they can do the same for app permissions.
> I think you are confusing your personal use case with everybody's use case.
But your "use case" isn't even really solved by permissions. It is solved by OS settings (e.g. turning off cellular data, using the data usage tracker/warning, etc).
> What's a "normal app" anyway? Did you mean to say "apps I use on a daily basis"?
No, I mean the majority of apps that exist already on the Play Store. Apps that require no data at all are the exception not the rule, apps that also don't use the accounts API, or store data to the SD card are exceedingly rare.
> I bet for users in emerging markets this ratio might be even higher.
Perhaps, but permissions don't solve this. If data isn't there then apps need to fall back to something else, that is up the developer to implement.
> For most people, spending money is something that actually matters. Again, just because you don't have metered data, doesn't mean everyone else is in the same situation.
Solved by the data usage tracker, not the internet permission.
> Google manages to sort millions of search results by relevancy, I'm sure they can do the same for app permissions.
They also manage to strip millions of search results of no relevance which is what they should do to permissions of no relevance.
> What's a "normal app" anyway? Did you mean to say "apps I use on a daily basis"? Because of the 17 apps on my home screen, 6 do not have a functional requirement for internet connectivity. I bet for users in emerging markets this ratio might be even higher.
It sounds like you're agreeing with the GP that a normal app (11 of the 17 most used, for you) needs internet access?
> Without getting boringly into the intricacies of Android's underbelly, even without the "internet" permission (which is now standard with higher API levels anyway), you can connect to the internet through other APIs and inform a server that you exist.
At the risk of boring someone else, any more info on this? Is this true for the later versions of Android? (4.2+)
I found something similar to what you describe but for 2.x (and then, a very visible "exploit" - i.e. opening the web browser)
Summary: More granular network permissions model, remove assumptions around specific link-layers that underpin existing mobile app security models, encourage additional link-layers.
You're blaming the wrong people - assuming those are good and valid features (and they are for some users), what do you expect Paypal to do? They can't send you a stripped down app with only some permissions but give me one where I can take a pic of my credit card.
Android needs to support granular permissions at runtime, then you can deny Paypal access to your microphone if it ever tries to run.
Apps can seemingly call external ones: for example, Google Authenticator hands QR code reading off to Barcode Reader, and thus doesn't require the permission for itself.
Having a PayPal "Till" app to augment the main one for microphone/QR users would be ideal, and not violate the permissions.
So there is some blame, though I agree: Android's permission model being fixed is more important.
I completely agree. This needs to be fixed in Android...
But I still find it annoying that I can't install the Paypal app without giving them a free wiretap in return. In my eyes, bloating an application out to a state where it needs all this stuff is almost as harmful because it puts users in situations where they're handing this access out without thinking.
Edit: I've pushed a pretty major edit to the post to give a bit more focus to Android but also to point out that Paypal could be a lot more responsible too. They could (for example) farm out all the privileged code to plugins and package them as separate apps. It's more of a pain for some users, less invasive for others.
I completely agree. This needs to be fixed in Android...
This is the primary reason I root my Android device and why I buy Nexus devices (I don't do Android development). XPrivacy and other apps allow you to revoke permissions individually, which is what Google should have baked into Android itself, without the need to root.
It was once supported in Android to do that but it was an masked feature. They quickly realized that most apps weren't made with fail over in place and they would simply crash so they removed it completely.
It's sad that they took that decision but what's done is done...
A lot of comments seem to be missing that the issue is less about permission granularity and more about pre-asking for any and all permissions that the app may use. Runtime permissions would solve the issue - using the camera? Ask the user. Then the user can decide to allow once or allow every time. Of course, you'd have exceptions for some common things - store data etc.
The current model is rather like giving a teenager a credit card and hoping they'll be responsible rather than giving them an allowance or having them ask you when they need money. The user has no clue how the permissions are being used after they're forced to allow during installation.
Seems the post is less about "why u need camera?", as the author gives reasonable explanations for the "why", but more about why aren't Android permissions more granular? I think the answer to that question is how often should the user be bothered to think about permissions? Android gets it all done up front, at the cost of it being "all or nothing". Apple let's you deny permissions at runtime, at the expense of bothering you each time the app wants to use (say) the camera.
None of which makes the post particularly front page worthy. "Why does $RANDOM_APP need to use my microphone?" Because Android permissions model, which has been rehashed to death; next question.
Just to clarify, the "at runtime" is a bit misleading. It doesn't mean every single time the app function in question is called. It's a toggle done once, and you won't be asked again unless you turn it back off manually.
Asking me if I need the camera, when the camera is to be used, and then being cleared to use it henceforth is my preferred operation. As I said above, it can always be turned back off if I change my mind.
Device fingerprinting is a big boon to fraud prevention. The more data sources that can help uniquely identify a device the better. I know some fraud prevention companies require merchants to include an image (png), javascript and flash file on the checkout pages to profile a customer. Flash can access your microphone, camera and local storage (flash cookies).
Fraud is a big deal for Paypal, although I'm do not know if such permissions are needed in device fingerprinting on apps.
Interestingly from a privacy point of view, more granular permissions to device features might not necessary equate to greater anonymity. If most device users do not care or know about the privacy implications and accept the app's permission request, those who don't accept become the minority.
The microphone is bundled with the camera within the permissions. That means they have to ask for permission to use both in order to have the camera for the feature you mentioned.
Indeed, the developer can only explain the permissions in the description.
Perhaps developers should be able to explain permissions in the application's manifest file (where permissions are defined).
Or, maybe there should be a method by which permissions are permanently granted (as it is today), and a method by which permissions are granted on a case by case basis, asking the user's permission. With this model, installing the app would only notify the permanent grants. I'm probably forgetting something here, but this seems like an ok compromise between all or nothing and not harassing the user for the general (non-malicious) case.
> Perhaps developers should be able to explain permissions in the application's manifest file (where permissions are defined).
That doesn't really solve the problem, though. The author of the post explains why, a description isn't needed. Of the Android apps I've installed that ask for more than I care to give, I can come up with reasonable explanations as to why they might need those permissions. But I just don't want to give them regardless of need, so I don't install the app.
If I had to take a guess they're using something like Phonegap/Cordova (i.e., this is a hybrid mobile app -- basically just a browser view with HTML content and JavaScript that can make use of the device's hardware and accounts). A common mistake I've seen is people using the stock Android manifest that comes with Phonegap/Cordova. This manifest enables ALL permissions so all the native functionality plugins "just work" out of the box. However, you're supposed to pare down the manifest to remove permissions for things you don't actually use so you don't end up in this situation.
This is PayPal, remember? The likelihood they're using PhoneGap is so low that I'm going to state it isn't, without Googling it. (gasp) Did you read the first article?
And indeed it isn't (got the latest com.paypal.android.p2pmobile from play store and checked). They do to have an HTML component to their app, a Tour guide found in assets/ ("Pay with PayPal in Stores!").
I'm the same person as above, btw. I have noprocrast on that account. It is working very well for me ;)
They have, however, authored a Cordova plugin for others to use the PayPal SDK easily from their PhoneGap apps [1]
This is a problem with android/ios or the app development process entirely. If permissions could be requested on demand within an app after installation, the the initial permissions sought won't be as intrusive. For PayPal, thier userbase is quite large, and because you don't use a feature, doesn't mean a million users elsewhere don't.
So, imo, the apps permission handling is to blame here
For a while, there was an Android app, App Ops, which let you turn off permissions for other apps.
Google took it out. They claimed it would cause "user confusion", when badly-written apps crashed trying to use some feature they were barred from using.
A good workaround to having to ask for too many permissions is for the app to explain the intent before the permission pops up. I find this offers a much better experience in general.
I'm going to ignore third party solutions that require root, because those aren't part of the equation for 95%+ of Android users.
Android should have three levels of permissions: Implied (i.e. all apps get these), explicit (at installation), and prompted (user is asked at runtime).
- Implied ("freebies"): internet connectivity, store data, get a unique device ID (per app?), store the app's own accounts within the accounts API.
- Explicit (installation): Run in background, use GPS, use the camera, use the microphone, etc.
- Prompted ("personal information"/"cost you money"): Access your cellphone number, access your contact list, access your calendar, access your email, read/send texts, make calls, etc.
Users in the current Android ecosystem learn to ignore permissions pretty quick as most are for trivial stuff (e.g. internet access, store data on the SD card, store an account, etc).
Worse still a lot of users will skip apps that ask for too many permissions which is bad for both the app developer AND users. Most developers want to offer functionality (e.g. share to contacts) but don't want to do so at the cost of losing users ("Why is this asking to see my contact list?").
Android needs to drop a bunch of "silly" permissions that have no inherent cost to the user. They're clearly created by an engineer who just wanted to slap permissions on every kind of API for no good reason. It benefits nobody.
They then need to take permissions which have a cost (either literally or to user privacy) and set them up rationally so they're either something you get when installing OR something you'll be prompted for.
Lastly Android needs to add a description field to the permissions manifest where the developer can put in a short explanation for why they need permission XYZ. Limit it to 128 characters if you wish. The app store can display these.
I install less apps on Android largely because many ask for too many permissions. If Google makes it really easy for me to protect my personal information (e.g. prompts) I'll literally spend more money on their store because I'll feel more safe to do so. As a developer I'll also offer more functionality to my apps as there is no permission "cost."