App Permissions: You Want My What?!

We’ve reached a time wherein the wonder and amazement of the Internet is no longer a buffer for underlying privacy concerns. In fact, now is as good a time as ever to worry about the safety of your data, especially following such scandals as the Android/iOS tracking story, and, of course, the Sony hacks.

Most of the scandals popularised in the media stem from illegitimate causes such as a series of hacks. However, you could be exposing valuable data yourself just by using apps that you optionally, and intentionally, downloaded and installed.

The Current State

Currently, Google does a fairly good job of telling you what an application will be using and accessing. Both of their major app stores – the Chrome Web Store and the Android Market – prominently display a list of permissions the application or extension will be requesting, so you can analyse them and choose whether to install or reject. There’s a list of about twenty-two different permissions that an application can use, each of which has an associated warning to alert the user ahead of time that this will occur.

So, surely this is a good thing? It is. However, a lot of people don’t really read into the decisions they make online (how many terms and conditions have you read?) and just hit the Accept button for speed. This means that a seemingly innocent app can really access a bunch of different permissions that have been approved by the user, even though he or she does not necessarily want the app to hold them: a modern-day Trojan horse.

An Example Scenario

As Michael pointed out in one of his Q&As, Facebook requests the fine (GPS) location permission, which is described in full as follows:

Access fine location sources such as the Global Positioning System on the device, where available. Malicious applications can use this to determine where you are, and may consume additional battery power.

This seems pretty dramatic, but in fact, it’s just to allow Facebook to check you into Facebook Places. When installing the application, the permissions are clearly marked out in advance, as shown in the screenshot below. Therefore, the scary orange warnings might have a legitimate reason for being accepted, so don’t immediately let them scare you off installing an app.

Permissions on the phone-side Market app install.

Of course, just because you know which permissions the app is requesting, this doesn’t mean that it is not doing anything malicious. You could easily download a simple app or widget that requests to use paid services (like your phone) and mindlessly pass the permissions screen.

WWGD?

So, what would Google do then? It’s hard to say, since Google is already doing a pretty good job of notifying users which permissions are going to be accessed. The only logical step up is to create the same walled garden effect that Apple has, with high levels of scrutiny on each app. Although this does remove the whole open source and unrestricted attraction of Google, it’s something that works and (start the hate-powered engines!) makes iOS apps that little bit safer.

In March, Google did pull 56 malicious apps from the Android Market and explained their decision on their Mobile blog. Google mentioned their kill switch as a means of remotely removing malicious apps, which shows some steps towards tightening security and monitoring malicious activity on phones.

Google addressed some of the issues in a blog post in March.

Final Thoughts

Privacy is a hot topic at the moment, and we’re all focused on protecting it right now. Google has taken some nice steps to actually explain to the user exactly what an application will be requesting, meaning consumers have a little more control over an app’s usage of their handset and their data. Google has taken good steps to ensure handset security, without resorting to Apple’s method of high censorship and scrutiny. Unfortunately though, it does not seem they can go much further without introducing more censorship.

The scandals that we are seeing with our data are becoming part of everyday life and are becoming too common, but they are almost becoming a necessity in order to maintain a connected life. What steps should Google be taking?


  • http://ericwoodward.org Eric Woodward

    I think it might be a good idea for Google to offer an optional “Approved By Google” subsection of the market. For a small fee / percentage of cost / percentage of ad revenue, Google could verify that the code is not malicious or dangerous, and then stamp it “Approved By Google”. This would give Android users the best of both worlds – the walled garden approach, for those that want it, while at the same time allowing new apps to appear in the market without having to wait for approval.

    In fact, if Google won’t do this, someone else ought to. There’s probably quite a few people out there that would be willing to use a curated market, even if it had fewer total app choices.

    • Connor Turnbull

      A few people willing to use a curated market? There’s a hell of a lot of Apple users! :P

    • Colin Robertson

      That’s actually a good idea – I’m just not sure how practical it would be to do it.

      For Apple the cost of vetting these apps is built into the SDK charge and the phone itself. It’s part of the architecture of the entire experience so they factor that in when deciding on prices.

      For anyone else to do it, the cost of vetting the apps would need to come out of the profit made on the app itself.

      It’s going to be much harder to get enough of a margin on a $0.99 app to justify paying someone to look through the code than if you are assuming you’ll have that cost when selling the phone.

  • http://bewinxed.deviantart.com Bewinxed

    Privacy is overrated :P Google is doing its best to provide awesome services for people for FREE!, and people keep accusing it of violating their privacy. Google is doing a really good job alerting people to any kind of permission anything is requesting. Personally I think privacy is overrated, really -.-/

  • Thomas

    How about the ability for users to deny an app certain rights?
    I’m sure this couldn’t be implemented immediately but maybe for the next big update?

    What certainly needs improvement is the notification when an app update requires more rights. At the moment it shows all rights and there’s no easy way to distinguish existing from new rights.

    I also agree that privacy is mostly overrated but it all depends on who uses this information and how.

  • http://michaeljameswilliams.com/ Michael James Williams

    I like the way Facebook deals with it: apps can request a new set of permissions at any time, and the user gets a new Permissions Request dialog whenever that happens.

    So, your app might start out just wanting the permission to post to your wall, and then later it might ask for your name so that they can offer more personalised things, and then still later it might ask for access to your inbox… each time, you can just say, “No thanks”, and it just means you won’t be able to use that part of the app.

  • http://www.mannuforall.in Manojr Tiwari

    Ya, it’s very hard to understand lots of permissions and no one can understand why that app needed them.

  • http://www.apkrox.com dontchange

    …………….hmmm………………nice post
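
Thomas's comment above points out that an update prompt lists every permission with no easy way to tell existing rights from new ones. The following added example (not from the article or from Google's tooling) diffs the `uses-permission` entries of two manifest versions and flags newly requested ones; it assumes the manifests are available as decoded text XML, and the sample manifests, the package name `com.example.widget` and the `SENSITIVE` set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Illustrative choice of permissions to highlight when newly requested:
# fine location (discussed in the article) and two that can cost money.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(NAME_ATTR) for el in root.iter("uses-permission"))
    return {n for n in names if n}

def diff_permissions(old_xml, new_xml):
    """Separate permissions an update adds from those already granted."""
    old = requested_permissions(old_xml)
    new = requested_permissions(new_xml)
    added = new - old
    return {
        "unchanged": sorted(old & new),
        "added": sorted(added),
        "removed": sorted(old - new),
        "added_sensitive": sorted(added & SENSITIVE),
    }

# Constructed sample: version 1 of a hypothetical widget.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.widget">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

# Constructed sample: the update drops VIBRATE and asks for two new rights.
NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.widget">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for kind, names in diff_permissions(OLD_MANIFEST, NEW_MANIFEST).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```
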
