How to ask users for iOS permissions (medium.com/mulligan)
58 points by gr2020 on Jan 5, 2015 | 22 comments



This is an amusing tutorial on how to scam users into giving your app more permissions than it needs. Their popup text reads "Heyday would like to access your location Heyday uses your location to journal places you go. It's completely private and secure."

Now compare their privacy policy:

"If location services are enabled on your mobile device, our HeyDay application will passively and automatically send location information to Hey, Inc..."

"Hey, Inc. cannot guarantee your safety and security and you should be aware that submitting any information and using the Services is done at your own risk."

So, in the popup, they claim to take responsibility for the security of location data, but in reality, they're tracking you at all times and don't take responsibility for the security of the data.


Are there no legal consequences for telling the user one thing in the UI and another in the TOS? Obviously this would require some sort of challenge in court, but there's at least some avenue for a remedy to this kind of behavior, no?


I'm pretty sure you'd have a case in the EU (at least the "completely private" BS seems dodgy), not sure about the US.


Actually, an easy way to get your privileges after they were declined is to open the URL "app-settings:". In iOS 8, the settings page for any app includes easy access to the permissions, including at least location, photos, notifications, microphone, background refresh, and cellular data.

Quite a bit simpler, and takes the user right to it. Of course, you still have to initiate the action, but again this can be done at a relevant place in the app.


A simple example of the best practice described here is to display a checkbox that says "Allow us to use your camera". Then if the user toggles the checkbox the app immediately presents the system permission prompt.

When you see it in action it feels really natural and less jarring to the user.

I've noticed this in a few apps so it seems like it's becoming a design trend, and a good trick to learn from for those that make apps.


I'd much rather see this as an on-demand permission request... when I see permissions that make no sense for what I think an app is, I tend not to install said app.. right off the bat.

I don't know if Android offers similar on-demand permissions, but it would be a much nicer experience.


> I don't know if Android offers similar on-demand permissions, but it would be a much nicer experience.

The answer is sadly no. Unfortunately this leads to developers pre-emptively asking for permissions they might need in the future at install time, in case the request for more permissions in a future update causes the user not to update.


I've noticed this with websites in Safari recently, the first thing you see is "Allow <site> to send push notifications", and I immediately click no - I just want to read the article!

It's always better to wait to see if someone's interested or just exploring.


Is this on Mac (desktop notifications?)

I don't think iOS Safari has anything like this


Yes, it's a feature that was introduced with Mavericks.

https://developer.apple.com/notifications/safari-push-notifi...


> Only 3% of users who clicked “Give Access” clicked “Don’t Allow”, meaning less than 2% of total users denied access at a system level.

How many normal humans could anticipate that saying "yes" then "no" was the only way to say "no"? Putting a preemptive "obey/ask me later" dialog before the system one is slimy, but not unexpected.


Not sure what you mean by that. There's no benefit to explicitly denying the app permissions -- declining the app's pre-permissions dialog just means it never requests the permissions at all.


Declining the app's pre-permissions dialog means they can request it again. Accepting the app's dialog, then denying it at the OS level means that, at least with the library they link to in the post, the pre-permissions dialog won't pop up again.


Sure, the preemptive dialog could pop up again, but instead it would say "go to settings to fix the problem"


... but (perhaps, if poorly implemented) it may lead to the app constantly "nagging" you about granting permissions.
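The behaviour debated in the comments above (a declined pre-permission dialog can be shown again, a denied system prompt cannot, and a careless implementation nags) written out as decision logic. This is an added example, not code from the article or from any library mentioned in the thread; the type names, the decline cap and the cooldown are assumptions chosen for illustration.

```swift
import Foundation

// What the OS reports for one permission (location, camera, ...).
enum SystemStatus { case notDetermined, authorized, denied }

enum NextStep {
    case useFeature        // already granted at the system level
    case showPrePrompt     // app-drawn dialog; a "no" here leaves the OS prompt unused
    case showSystemPrompt  // the one-shot OS dialog
    case pointToSettings   // OS prompt was denied; only the Settings page can change it
    case stayQuiet         // respect the earlier answer, do not ask
}

// Hypothetical policy object; a real app would persist the two counters.
struct PrePermissionPolicy {
    var maxSoftDeclines = 2                      // assumed cap on unprompted re-asks
    var cooldown: TimeInterval = 7 * 24 * 3600   // assumed wait between re-asks
    private(set) var softDeclines = 0
    private(set) var lastAsked: Date?

    func nextStep(status: SystemStatus, userTappedFeature: Bool,
                  now: Date = Date()) -> NextStep {
        switch status {
        case .authorized:
            return .useFeature
        case .denied:
            // Never raise this unprompted: explain it only when the user
            // has just tried to use the feature that needs the permission.
            return userTappedFeature ? .pointToSettings : .stayQuiet
        case .notDetermined:
            if userTappedFeature { return .showPrePrompt }
            if softDeclines >= maxSoftDeclines { return .stayQuiet }
            if let last = lastAsked, now.timeIntervalSince(last) < cooldown {
                return .stayQuiet
            }
            return .showPrePrompt
        }
    }

    // Call with the user's answer to the app-drawn dialog.
    mutating func recordPrePromptAnswer(accepted: Bool, now: Date = Date()) -> NextStep {
        lastAsked = now
        if accepted { return .showSystemPrompt }
        softDeclines += 1
        return .stayQuiet
    }
}
```
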


Here is a pre-permission utility that supports (almost) all of the permission types on iOS:

https://github.com/jlaws/JLPermissions

  pod "JLPermissions/Calendar"
  pod "JLPermissions/Camera"
  pod "JLPermissions/Contacts"
  pod "JLPermissions/Facebook"
  pod "JLPermissions/Health"
  pod "JLPermissions/Location"
  pod "JLPermissions/Microphone"
  pod "JLPermissions/Notification"
  pod "JLPermissions/Photos"
  pod "JLPermissions/Reminders"
  pod "JLPermissions/Twitter"


Sometimes apps ask for permission right on the spot where it's needed. For example, when sharing with friends, they ask for contacts permission so they can fill in the "to:" field of a "send to a friend" dialog. It's all reasonable and nice until you realize the app sent your entire address book to their servers and you start seeing recommendations to connect etc. from your friends' contacts in the app...

Can iOS solve this?


I don't think they can, not without forbidding apps from getting access to the entire address book altogether. That would rule out a whole class of apps that actually need that functionality (WhatsApp, for example).

A good citizen on iOS (as of iOS 8) that wants to get a single contact from the address book will always use the system contact picker to choose a single contact without requiring full access to the user's address book. That's opt-in, though; a bad actor can still require that the user give full access to the address book. You (as a user) just have to hope that the review process caught whether or not an app is being misleading about what it intends to do with your contact info.


If the OS provided an interface for SELECT_CONTACT or SELECT_CONTACTS that allows for single or multi-select... then can only see the contact info for the contact selected, that would be cleaner, and not expose all of one's contacts.


That's exactly what the system contact picker does (it gives the app access to the selected contact, without giving the app access to other contacts or to future changes to the selected contact). There are apps out there where exposing all your contacts is a desirable behavior, though, so they can't get rid of the "read all contacts" permission.
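The single-contact flow described in the two comments above, as an added example that is not part of the thread. It uses `CNContactPickerViewController` from the ContactsUI framework, which Apple introduced after this discussion (iOS 9); `RecipientPicker` and its callback are hypothetical names.

```swift
import UIKit
import Contacts
import ContactsUI

// Fills a "To:" field from one contact the user picks.
// The app never calls CNContactStore.requestAccess, so no contacts
// permission prompt appears and the rest of the address book stays unread.
final class RecipientPicker: NSObject, CNContactPickerDelegate {
    private let onPick: (String?) -> Void   // hypothetical hook into the share screen

    init(onPick: @escaping (String?) -> Void) {
        self.onPick = onPick
    }

    // The picker holds its delegate weakly, so the caller must keep
    // this object alive while the picker is on screen.
    func present(from host: UIViewController) {
        let picker = CNContactPickerViewController()
        picker.delegate = self
        // Grey out contacts that have no e-mail address to send to.
        picker.predicateForEnablingContact =
            NSPredicate(format: "emailAddresses.@count > 0")
        host.present(picker, animated: true)
    }

    // Called with a snapshot of the one contact the user tapped.
    func contactPicker(_ picker: CNContactPickerViewController,
                       didSelect contact: CNContact) {
        let email = contact.emailAddresses.first?.value as String?
        onPick(email)
    }

    func contactPickerDidCancel(_ picker: CNContactPickerViewController) {
        onPick(nil)
    }
}
```
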


Venmo does this, and after much back and forth with their support they still refuse to delete the contacts they stole from my phone. I've since disabled the permission, but I still get push notifications from them after contacts that I had on my phone then join Venmo.

It would be amusing if it weren't so invasive that their support folk claimed that they can't legally delete the stolen contact info because of the PATRIOT Act. Then changed tack and promised to write a feature for it real-soon-now (this was about a year ago and of course hasn't happened).


They could/should to some extent by adding an option to allow only a single use of a permission. This would be useless for contacts, but much more useful for e.g. location.



