Android has some big app security issues to address, and they just... seem to be moving in the opposite direction. I've seen this update and it simply doesn't make sense to me. It didn't make the permissions more clear, it made me more scared of what might be hiding underneath all that.

I don't remember ever stopping an app installation when I saw suspicious permissions—I just assumed they were used for something, and I guess that's what 90% of the people would do. It would make all of them more secure if they could choose a small "ask me every time" option next to permissions that don't seem quite right, but may be legit.

Or overhaul the whole API. It's really a mess at times. Not just security. I have a beef with the horrible ways to address ridiculous hardware and software fragmentation, right from the ways you specify design and looks to using API features not available everywhere, or falling back to reasonable defaults if there isn't a hardware component you need.

I haven't developed for iOS, but I imagine it's much better than Android as a platform to develop on.

The downside is it requires root, but it works very very well.

http://forum.xda-developers.com/xposed/modules/test-xprivacy...

"Contacts required so we can highlight their names in incoming messages. [And spam them, but we're not telling you that...]"

Take contact lists as an example.

Many programs request access to your contact list. Usually, this is so that they can display back to you a contact picker that lets you choose some set of contents which you want to share with, or otherwise invite to use the app. A few bad apps will just spam your contacts without your approval.

How could we make this more secure? Well, imagine that Android itself implemented a contact picker API. Instead of requesting access to contacts upfront, a program would call an API to say "Please ask the user to select some contacts for purpose X". The platform itself would then render a contact picker UI, and the user would pick some contacts. Only the chosen contacts would be returned to the app.

As far as the user is concerned, for legitimate apps, the UX I described is exactly the same as what they get now, except that the app doesn't have to request general access to the user's contact list upfront, and thus the whole thing is more secure. It's strictly superior! And this approach -- of inferring security from decisions the user is making anyway, by making those decisions happen in privileged UIs rendered by the platform -- turns out to extend to far more than just contacts.

This is the model I'm currently implementing in https://sandstorm.io (a platform that can be summarized as "Android for your personal server").

But Android is also supposed to work through ContentProvider components that enable access to databases. Sometimes you need more than a PICK action performed by an external app. As in the case when you want to make an alternate implementation of a contact picker.

This is why the issue has to be addressed directly, by making many if not all permissions optional, and settable per app. Handling a SecurityException is not burdensome. Much of the permission overreach is due to crappy "behavioral targeting" data collection that doesn't really work. Nobody will miss it.

1) The Android UI designers need to get on it and figure out how to make the contact picker more acceptable to developers. This could involve adding some flags that adjust the look and feel. But keep in mind that Android apps are all supposed to be following common design guidelines anyway, so apps shouldn't be excessively customizing common elements.

2) Don't let apps request access to all contacts in the first place. Don't give them any choice except to use the picker. Obviously it's far too late for this now, but if it had been done this way in the beginning, then there would actually be pressure to make the system picker work acceptably.

I suspect this is why people on Android (including myself) get honestly scared when they see the permissions most apps need. They're way, way too broad for what the apps need to do, but the app developers have no choice as there's nothing more fine-grained.

Why does that take a permission? Can't Android just tell an app "your sound is being paused", cut sound, and display the dialog?

It sounds crazy to me that apps actually have to cooperate on this kind of thing, why do they even get a choice?

I don't know if it can, but it doesn't. To respond to external audio changes, an app has to use AudioManager.OnAudioFocusChangeListener [1]. You can then define behavior for various cases, like AUDIOFOCUS_LOSS (another app has started playing audio, don't expect it to stop), AUDIOFOCUS_LOSS_TRANSIENT (another app has started playing audio, but it might stop soon so be ready to regain focus) and AUDIOFOCUS_LOSS_TRANSIENT_CAN_DUCK (another app has started playing audio but it's temporary, so you can just lower your app's volume until you regain focus).

This is all voluntary. By default, an app playing audio won't respond to these signals at all. And how you respond to them is voluntary too - if you decide to just lower your app's volume instead of pausing the audio, even though you didn't hear CAN_DUCK, there's nothing to stop you.

If you want to pause audio when the headset is unplugged, you have register a receiver for the ACTION_AUDIO_BECOMING_NOISY intent. By default audio will continue playing.

>It sounds crazy to me that apps actually have to cooperate on this kind of thing, why do they even get a choice?

Some people might not want their music player to pause every time they get a new text message or email alert.

[1] https://developer.android.com/reference/android/media/AudioM...

Yes, but that shouldn't be the apps choice.

I usually hate assumptions of malice, but I can't see any engineering reason here. Yet training users to accept tracking is in Android's favor.

Is it really that difficult to have a list of fine grained permissions presented to the user with on/off selections? They can all be on by default but it at least gives the user the option to have an app NOT to access your contacts if it clearly has no business doing so in the first place (some dumb game or something).

If an app is not granted a permission it's up to the app to deal with that.

I think that eventually app coders would change their code to degrade gracefully when denied access to something, but in the short-term, people would think that Android was unstable.

It's extra work for a developer to handle a "permission denied" exception for each external call, but they can do it. A changeover could be done by grandfathering old apps, but requiring all new apps and updated apps to accommodate fine-grained permissions.

If customers had fine-grained control, many apps could no longer be monetized without direct payment from the consumer. An example: The free 2048 app surely doesn't need internet access to run, but it needs it to serve ads.

Extra work and loss of revenue --> grumpy developers switching to other platforms.

Difficult to do at all? No.

Difficult to do without horrible UX? Yes. Fine grained permissions means apps that do useful things need lots of them, and presenting all of them with "on/off selections" is likely to be both ugly and confusing for most users.

There's also a tab for non-privacy-related permissions, e.g. vibrate, notification, keep awake, etc, which are on by default, to make sure the app isn't unnecessarily limited by default. It's miles better than the default Android permissions system, and one of the features I like best about the phone.

Android could very easily implement something like that, with a dialog asking if the user wants to grant the permission, with perfect backwards compatibility (since there are devices/software that does it now), and I hope they do.

     - [*] Phone
     |  |--[ ] Make outgoing calls
     |  |--[ ] Answer incoming calls
     |  \--[X] Read call log
     |
     + [X] Access Location Services
     |
     - [ ] Network
     |  |--[ ] Outgoing connections
     |  \--[ ] Incoming connections (listen)
      ...

At least it gives me as a user a choice (which I guess I already had with the blanket permissions scheme) but it also gives me as an app developer the opportunity to create a better app that's more trust worthy.

(I.e. stub the api, have it return mock data.)

I've never had an application refuse to run because of it, and I'll never use a phone without XPrivacy again (it's scary what some apps request).

I understand that permissions are a little bit different but I believe that a similar approach would work with permissions as well assuming that Android would supply a new advanced permissions sub system. With this, if an app isn't granted a specific permission it can either disable the feature (maybe making clear to the user that this is the case) or implement some other alternative functionality.

E.g. an app hasn't been given the permission to read a user's current geo-location. In that scenario the app could ask the user to manually enter a location (e.g. by selecting a position on a map).

Within the current permissions system you could only doing with mocking, as you stated, which I personally find a bit of a hack and probably very confusion to the user.

http://en.wikipedia.org/wiki/Progressive_enhancement

Let's say it takes a permission to play sound. If you don't tell the app they can't play sound they may spend a lot of CPU and battery generating music that no one will ever hear.

So the phone uses more CPU and battery. It's not that big of a deal.

Or if you stub in the photo APIs, what does an app do when it tries to find a photo to show and the user said "no". Should Android pretend there are no pictures? Return some fake stock pictures?

Yes, Android can tell the app that there are no photos.

If you fake GPS data than if the user accidentally turns off location access on an application that needs it the app has no way to inform the user that it won't work well. As far as your run logging software knows you are now just running on the same treadmill for the rest of your life.

We are all accustomed to using GPS-related apps when we have no GPS signal. How is this any different?

> So the phone uses more CPU and battery. It's not that big of a deal.

Battery life is very important in a phone.

> Yes, Android can tell the app that there are no photos.

It could also tell the app "You have been denied the GPS permission."

> We are all accustomed to using GPS-related apps when we have no GPS signal. How is this any different?

Really? I'm not. And what if turning off GPS was accidental? I'm used to apps telling me "X won't work because GPS access has been disabled." Just breaking the experience with no way of notifying the user why their run logger stopped logging runs is not acceptable design.

Plus, as others have said, there's nothing wrong with giving users the option.

However, there are also cases where the developer wants to add a useful, but not necessary, feature which requires additional permissions.

core idea here — making Android app permissions comprehensible to normal users — is good.

What sort of "normal users" didn't understand the previous system!? What sort of "normal users" wouldn't know the difference between e.g. sending and receiving SMS, or the camera and microphone?

Instead of making software for idiot users, how about expecting them to have a little knowledge and be able to find more? It's even funnier when you realise this change is coming from Google, who runs services that almost everyone uses to find information. In general the big effect this change has is people will know less about what the software on their device is doing, and also be less inclined to ask questions about it --- because details are replaced with vagueness, they won't know what to ask. This also gives power to Google and the app developers to make privacy-disrupting changes without the users knowing. Taking away control and detailed information is the perfect way to minimise dissent in your userbase and have them think and do what you want them to.

Under this sugar-coated guise of "simplification", "convenience", "minimalism", etc., users are gradually being converted from individuals with the power to make their own decisions, to consumers who are complacent followers not knowledgable enough to revolt. The simplest life, where others in power make all your decisions for you, is one of complete submissiveness. My reaction to this can be summed up in 3 words: Do not want.

If I can't understand their scope, I have no idea how the metaphorical average user will.

That would actually be an effective warning.

But really, Google doesn't want effective warnings.

You shouldn't.

Granting all-or-nothing permissions at install time is not a viable security model for a consumer-oriented operating system. It could work in an enterprise environment where each new app has to be approved by management and go through a lengthy 'certification' process. However, unlike enterprise apps, Android has otherwise decent security based on the Linux kernel and proven, rock-solid app sandboxing.

Android needs to split the current permission list into two categories. Basic ones (like Internet access) that could be granted at install time and privacy-oriented ones (Camera, Location, etc.) that the user gets prompted for, just like on iOS.

Breaking existing apps could be avoided by feeding them empty or fake data (Location not available, Camera in use by another app, etc.) and providing new APIs to detect rejected permission prompts for developers who decide to update their apps.

Users have a right to privacy and the operating system shouldn't require sysadmin-level knowledge to let them protect their data.

What I really want is a tier of permissions that I can totally trust. I want to be able to install any random app from any random developer and know it's not got ability to harm me. This change seems to ruin that. They can install it with lite permissions and then upgrade them later and I won't be notified. Most especially I want this for my wife, mother and children. They need simple instructions: only ever install apps with permissions like X. But again, this change ruins that. Permissions like X get escalated to permissions like Y without notification. I'm really not sure what you can tell anybody to keep them safe now other than "don't install apps. Which is probably what I will start doing.

If an app just needs permission to my contacts for its optional import contact feature, it is certainly not mandatory. There could even be an API call to ask the user to reconsider the permission (same as Google maps asking the user to enable location reporting).

[1] http://techcrunch.com/2014/04/04/the-right-way-to-ask-users-...

Apps can ask for permissions only when it really needs them, and explain why need them.

There are apps that spam permissions requests. Let's take some kind of Foursquare thing that needs see your photo library, GPS location, and contacts because of how it works. Poorly written apps will often just spam all three requests when you first open the app instead of asking for your contacts now, your photos when you try to select one, and GPS when you try to tag somewhere.

Notifications are also a problem. At this point nearly every single app I download has the first run experience of asking to send me push notification (answer is basically always "No") which is a poor experience and just trains people to smash "yes" or "no".

By the way, if you hit the wrong one how do you fix that? I bet 90% of users don't know, and would just delete and reinstall the app.

However on iOS apps are NOT allowed to explain WHY they need a permission. The dialog boxes are generated by the system to prevent gaming. Well designed apps will set the user up, showing you a little screen saying "We're about to ask for access to your camera roll so you can select a picture", poorly designed ones just pop-up the dialog.

It works fine for me. The only thing I'd like from Apple is an additional permission for non-push notifications. I don't want every app I install to automatically get access to send non-push notifications. I have to go turn that permission off far too much.

The common model I'm seeing is the app will ask the user beforehand, giving the proper explanation. If the user agrees, then they are prompted with the OS level permissions dialog.

What if when installing, you could be presented with all the permissions, and a on/off switch for the optional ones, where you could be even prompted for them later (similar to the article)?

But I suspect too many applications would deliberately be set up to either have no optional permissions or would be set up to pop up a screen saying "please enable permissions" and close if you turned any of them off.

I'm not sure I think this is so bad. Granular permissions can be annoying and confusing. If you surveyed the Android owning populace how many really care about rough/accurate location? "I want this app to know where I am" doesn't seem that bad. Read vs send SMS? I can sort-of see why you might want an app to only send, but I can't think of a case where you'd only want it to receive.

I may be colored by living in the world of iOS. There are very few permissions. Apps have access to your location or they don't. They can see your phonebook or they can't. They can access your photos or nothing. The fact that Android has more 'dangerous' abilities (sending SMS, phone calls, etc) makes it more difficult.

Some of this may just be poor categorization. I would expect most phone related stuff (phonebook, dialing, call log) to be under a single permission, but the ability to re-route calls should be under a different one (or only setup through settings).

I'm also surprised that there is a permission for using internet access. How many apps really don't need that? It seems like most everything people would want to use (games that show ads or scores, social media, browsers, etc) would need it, so you're just training people to say 'yes'. The keyboard example is a good one, but that sounds like certain things should just be a special type of app with different restrictions.

Sounds to me like Google is trying to fix the 'every app requiring every permission' problem by reducing the choices to be more understandable.

The permissions required by an application can change from one version to another. Previously, if an update demanded more permissions than the version it replaced, the user would be asked to confirm the change. Now, this permission "upgrade" will sometimes be allowed silently.

I can understand the first given what they're trying to do, the second would be outrageous.

I'm also surprised that there is a permission for using internet access.

A few months back I had to deal with this on my home network: https://adblockplus.org/forum/viewtopic.php?t=11849 My brother had Adblock Plus on his Android tablet and it was continuously sucking down data to do nothing, presumably in a background process.

It makes sense that if you want to give devs lots of power when making apps, you need to give users finer grained permissions. Maybe you can group things or whatever, but you probably shouldn't be making permissions coarser grained or forcing users to install 3rd party apps to get control of their phone again.

This is one of the reasons I use iOS. I don't really have to worry too much about apps doing dodgy things because they are severely hamstrung to begin with.