Forgot your password?
typodupeerror
Android Cellphones Google Security

New Permission System Could Make Android Much Less Secure 249

Posted by Soulskill
from the this-app-is-requesting-permission-to-shock-you-with-a-tazer dept.
capedgirardeau writes: An update to the Google Play store now groups app permissions into collections of related permissions, making them much less fine grained and potentially misleading for users. For example, the SMS permissions group would allow an app access to both reading and sending SMS messages. The problem is that once an app has access to the group of permissions, it can make use of any of the allowed actions at any time without ever informing the user. As Google explains: "It's a good idea to review permissions groups before downloading an app. Once you've allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won't need to manually approve individual permissions updates that belong to a permissions group you've already accepted."
This discussion has been archived. No new comments can be posted.

New Permission System Could Make Android Much Less Secure

Comments Filter:
  • by matthewmok (412065) on Wednesday June 11, 2014 @01:44PM (#47215223)

    I don't think it has to be explained why this is a potential problem. So then, it should be explained why this is such a great idea that the problems it creates are insignificant.

    • by markkezner (1209776) on Wednesday June 11, 2014 @01:48PM (#47215281)

      This permission grouping is the exact opposite direction that Android permissions should be heading. There are a number of permissions, such as "Read Phone State and Identity" that should be broken up because they aren't even strongly related to each other.

      • by Russ1642 (1087959) on Wednesday June 11, 2014 @01:59PM (#47215425)

        They should be moving towards a model where you can individually allow or disallow a permission, even if the app says it requires it. But this would cause chaos for all those apps that require 'full internet access' so they can push ads, collect data, invade your privacy, and molest your children.

        • Well, no. (Score:5, Insightful)

          by Anonymous Coward on Wednesday June 11, 2014 @02:29PM (#47215725)

          Google wants companies to actually write apps for the Google Play store. If they give end-users too much power over the permissions, they drive companies out of the Google Play store and over to the Apple store.

          On the other hand, Google also wants end-users to actually buy these products. By grouping permissions up, they seem innocuous, so users feel less threatened (even though they should feel more threatened) and will buy the stuff.

          From a business perspective, this move makes perfect sense. From an educated geek end-user's perspective, it really sucks. But what are you going to do? The world you want to live in does not exist.

          • Re:Well, no. (Score:5, Insightful)

            by epine (68316) on Wednesday June 11, 2014 @03:08PM (#47216229)

            From a business perspective, this move makes perfect sense. From an educated geek end-user's perspective, it really sucks. But what are you going to do?

            First of all, I'm not going to purchase any of those fancy apps. I'm going to use my smart phone as for phone calls, photographs, maps, and web browsing. While it's truly a waste of a beautiful technology, it's merely inconvenient not to bother with all those invasive programs.

            I consider the new security model worse than not having the apps at all.

          • by JeffOwl (2858633)
            The world I live in includes fine grained permission controls and even spoofing information so that apps don't crash. Yes, it requires extra work to set up, but I don't mind and even enjoy the tinkering. Yes, that isn't everyone, but I need most of you to stick with the stock business model to keep the ecosystem healthy anyway.
          • And they'll stop geeks, some of the potentially most heavy users of their technology, from leveraging them, recommending them, or wanting to develop for them.<br><br>I don't see that the current permission system was preventing anyone developing anything. Have you noticed how many apps are on Google Play? This seems like trying to pursue business that is already being done....
          • Re:Well, no. (Score:5, Interesting)

            by Rich0 (548339) on Wednesday June 11, 2014 @03:44PM (#47216675) Homepage

            But what are you going to do? The world you want to live in does not exist.

            Simple, install XPrivacy. Problem solved. App wants a IMEI? No problem - just give it a random one, or a different one on each boot.

            • and this requires root, which is throwing out the baby with the bathwater. as soon as you root, the entire sandbox runtime model is out the window.

              • by AmiMoJo (196126) *

                as soon as you root, the entire sandbox runtime model is out the window.

                That's not how root works on Android. For an app to get root permissions there are only two ways. The method used by the 'su' app that grants permissions to other apps is to be installed via the boot time recovery console, similar to single user mode in Linux. It requires extensive user intervention. Other apps can then ask the 'su' app for various root level permissions, and the user has to grant them individually. Most 'su' apps offer features like a 15 minute time limit on permissions.

                So it doesn't break

          • by amjohns (29330)

            So you're saying developers will flee Google Play for Apple - if Google implements the EXACT SAME privacy/permissions controls iOS already has??

            Lack of control over app permissions, just having to blindly accept whatever an app requests all-or-none, is precisely why I avoid Android. Now they've just made it even worse!

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          So get cyanogenmod. There, you can install an app and revoke permissions later. A simple use is to install "angry birds" (or similiar games) and then revoke the internet permissions. No more ads, the game still works. (It has to, to the game it merely seems like you aren't online at the moment.)

          Also, android has a linux kernel, which means iptables-based firewalling works. So go ahead and block ad-servers and such.

          • by tepples (727027)

            No more ads, the game still works. (It has to, to the game it merely seems like you aren't online at the moment.)

            Until it disables starting the game because the player hasn't connected to the Internet for weeks.

          • Also, android has a linux kernel, which means iptables-based firewalling works

            Not necessarily.

            On my phone the kernel was built without iptables support.

            I had to beg for the modified kernel sources, wait 3 months to get them, and then waste a lot of time to learn about the stupid idiosyncrasies of 'android is not gnu', just to get that standard linux feature working.

        • by Paco103 (758133)

          I don't get why. I have PrivacyGuard on CyanogenMod, and it allows me to individually approve or deny permissions. So far, no app has broken in any strange, unexpected way. Some apps ask for SMS permissions because they have the ability to text friends for shares. I deny that ability, because I don't use that feature. It may be legitimate, or they may have provided a legitimate excuse to mask more nefarious behavior. Likewise, I've blocked GPS access to all apps except maps. For anything else (weathe

      • by kaladorn (514293)
        I'd agree entirely with that.<br><br>I'm already not sanguine about the permissions apps ask for (and in fact, several security research firms have pointed out the risks). Often times, a well meaning dev will explain that he has to have X permission because google has buried one particular function (not always obviously related) into that permission and that function makes sense for the app. You almost get the feeling the dev is apologetic in many cases and would like to just have a single finer
        • Often times, a well meaning dev will explain that he has to have X permission because google has buried one particular function (not always obviously related) into that permission and that function makes sense for the app. You almost get the feeling the dev is apologetic in many cases and would like to just have a single finer grained permission.

          Where I come from, such an explanation has a name: a "privacy policy".

          And one more thing: How about installation require the minimum number of permissions to make the basic app functions work and additional permissions queried and granted/denied if optional features are enabled?

          If you're talking about a checkbox to turn permissions on and off, the party line is that that would cause apps to crash. Too many existing apps are not designed to catch the SecurityException that the system would throw if the user were to disable a permission.

          Otherwise, in Android's current security model, the developer could separate each optional feature into a separate helper app that gets its own set of permissions, and the helpe

      • by Chalnoth (1334923)

        The problem with moving in that direction is that this moves Android in the direction of TOS agreements: nobody bothers to read TOS because they're too long and take too much time to read.

        Sure, it's true that grouping permissions reduces how fine-grained the information is, but it also lowers the cognitive burden, making it more likely that people will actually pay attention to the permissions that an app has. Users should naturally assume that an app that has SMS permissions may, at some point, send SMS m

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Its a great idea because most people are idiots who click 'Accept' anyway and this will mean less apps break. As for the problems.. what problem.. you wanting privacy is a bigger problem for Google's business.

    • You'd have thought Google would have copied the iOS approach to permissions by now.

      (Denying a permission doesn't stop the whole app from working if there are things that the app can do without the permission. Permissions are requested from the user when the app first tries to do the restricted thing. They may be accepted or denied, and may be changed at any time in the future.)

      • by 0123456 (636235)

        Yes, but that would help users block tracking and advertising, so it's a no-no.

        The absurd permission demands from simple, crappy applications is why I'd love to see a real alternative to Android that doesn't cost Apple prices.

    • I don't think it has to be explained why this is a potential problem. So then, it should be explained why this is such a great idea that the problems it creates are insignificant.

      The Android permissions model is a mess and has been since day one, but not in the way most Slashdot geeks are up in arms about. When was the last time you actually looked at the full list of permissions? It's ridiculous. You have to be an Android developer to understand some of them. Many are pointless in the extreme: the result o

  • Whew (Score:5, Funny)

    by Anonymous Coward on Wednesday June 11, 2014 @01:44PM (#47215225)

    Makes me glad I run a Windows 8.1 phone.

  • by DoofusOfDeath (636671) on Wednesday June 11, 2014 @01:44PM (#47215235)

    So this is a bit off-topic, but probably the right time to ask...

    I've been increasingly concerned with my lack of control over my Android (Verizon) phone. This current issue lies in the same area as my earlier worries.

    Is this the kind of problem that cyanogenmod addresses? I didn't have the time, or ability to live with a broken phone, to try it out earlier. But I'm about to stop traveling so much, so I'm wondering if it's time to give cyanogenmod a try.

    • Re:cyanogenmod? (Score:5, Informative)

      by wbr1 (2538558) on Wednesday June 11, 2014 @01:53PM (#47215337)
      No. Rooting will allow you to remove unwanted apps that are locked on by the manufacture or carrier, as well as give you access to the entire file system.
      Using an alternate rom (ie cyanogenmod) will allow you to use different android versions, with different (or no add on) UI. These are things like touchwiz or HTC Sense. The permisions system for apps remains the same. Also, cyanogenmod and other ROMS may not support all your hardware or be stable (but then again some carrier builds are not that great either).

      There are programs that when rooted will allow you to block access of apps to certain subsystems, giving finer grained control, but it is not automatic, you have to go in and do it yourself, and that is regardless of the ROM/android version.

      • Thanks. But is it safe to say that with Cyanogenmod, it's at least possible to install an app / tweak that will refuse to let apps use certain subsystems (such as GPS) if I so choose, whereas I have no such control with the carrier-supplied Android version?

        • Re:cyanogenmod? (Score:5, Informative)

          by Anonymous Coward on Wednesday June 11, 2014 @02:00PM (#47215435)

          Yes. It absolutely IS possible. Cyanogen calls it Privacy Guard, and I have it enabled by default, such that anything I install from Play automatically gets blocked unless I go in and enable something specific.

          • by wbr1 (2538558)
            Good info. I haven't used cyanogenmod for some time, so I was not aware that was baked in. I used to use an app on my rooted devices (regardless of android build) for it, but now I am just picky about what apps I actually install.
      • Re: (Score:3, Informative)

        by Anonymous Coward

        I've done a lot of custom ROM installations, and many of them to support AppOps to expose these granular permissions. Cyanogen has actually expanded upon this functionality.

        • Re:cyanogenmod? (Score:4, Informative)

          by Anonymous Bullard (62082) on Wednesday June 11, 2014 @05:45PM (#47217677) Homepage

          I've done a lot of custom ROM installations, and many of them to support AppOps to expose these granular permissions. Cyanogen has actually expanded upon this functionality.

          Google have chosen to remove user access to AppOps from recent Android releases and while CM's Privacy Guard is a slightly improved and much easier to use approach on those system calls it requires a custom ROM and even those are still limited to a minority of devices. (Hint: consider only buying devices that will be supported by custom ROMs!)

          There is something that is more comprehensive and granular, although more complicated to use as a result. XPrivacy is built upon the well-known Xposed framework (requires root) and it lets the user to control essentially all permissions individually.

          Here's a brief and useful recap by xda-developers [xda-developers.com] about the main options.

      • by rwise2112 (648849)

        No. Rooting will allow you to remove unwanted apps that are locked on by the manufacture or carrier, as well as give you access to the entire file system. Using an alternate rom (ie cyanogenmod) will allow you to use different android versions, with different (or no add on) UI. These are things like touchwiz or HTC Sense. The permisions system for apps remains the same. Also, cyanogenmod and other ROMS may not support all your hardware or be stable (but then again some carrier builds are not that great either).

        There are programs that when rooted will allow you to block access of apps to certain subsystems, giving finer grained control, but it is not automatic, you have to go in and do it yourself, and that is regardless of the ROM/android version.

        Once you are rooted, on any ROM, you can install XPrivacy or PDroid to completely control application access to your data.

    • Re:cyanogenmod? (Score:5, Informative)

      by c (8461) <beauregardcp@gmail.com> on Wednesday June 11, 2014 @02:25PM (#47215693)

      Is this the kind of problem that cyanogenmod addresses?

      With limits, yes.

      CM's privacy guard allows you to block apps from getting at your address book or SMS and such. It also allows you to control things like camera/microphone access. And you can even disable background apps and notifications (for example, I have Facebook pretty much tuned so it can't do anything more than it can in a web browser).

      One notable thing CM doesn't do is allow you to prevent Internet access for apps. I read that this is to prevent someone from downloading an add-supported app and then cutting it off from its ad networks. I order to do that sort of thing, you usually need to root and install a firewall or some other ad blocker.

      Quite frankly, if you've got a phone that's out of warranty or no longer getting vendor updates, installing CM is worth looking into. It's a bit of a pain in the ass the first time (at least it was for my devices), but after that it's pretty smooth sailing.

  • by alrudd1287 (1288914) on Wednesday June 11, 2014 @01:46PM (#47215261)
    cripple apps by denying parts of their permission request. right now its all or nothing
    • by DoofusOfDeath (636671) on Wednesday June 11, 2014 @01:49PM (#47215303)

      cripple apps by denying parts of their permission request. right now its all or nothing

      Funny, I was expecting this crowd to have fantasies of crippling those apps' developers.

      I mean seriously, $(app vendor), your app does not need access to my location and/or phone calls in order for me to do $(menial computation X).

      • by PRMan (959735)
        But the marketing department put it in the Agile Tracker and the PM told me I'd be fired if I didn't move that box....
      • In fairness, while Location is completely optional and generally unnecessary unless the app is designed for the user to make use of the location data, it is generally a good practice for apps to watch for phone calls just so if there's one that comes in while you're performing $(menial computation X), the app state can be saved to storage and the app suspended so if Dalvik decides it needs to free up the memory resources in the middle of your call there's still a way for the app to recover where it was in i
        • by lgw (121541)

          the app state can be saved to storage and the app suspended

          What is this, the 90s? Your app should always be in a "saved" state, or at least a safe one. From consumer apps to backend transaction process, it should always be OK if you suddenly lose power. 20 years ago, I/O performance was so wretched that you just couldn't do this, but today there's no excuse.

          • by tepples (727027)
            Are you aware of how slow the NAND flash is on some devices, especially the 8 GB Nexus 7 tablet? Or how it'd wear out the flash to be saving a megabyte of state in a game every second?
      • >Funny, I was expecting this crowd to have fantasies of crippling those apps' developers.

        There is a lot of insanity and paranoia at /., But I haven't ever seen calls to cripple anyone.


        >I mean seriously, $(app vendor), your app does not need access to my location and/or phone calls in order for me to do $(menial computation X)

        No it doesn't have to, but a developer has the right to require whatever permissions they want in return for their (probably priced at $0) work. The user has the right to
  • The system was already flawed in that normal users could not lock out permissions from specific apps. In addition, not many pay attention to the permissions used by an app anyway.

    If users aren't paying attention (I do, my flashligh widged and scientific calculator do not need SMS or contact access thank you), then no amount of tweaking by adding or removing complexity will help.

    As much as I hate walled gardens, I guess the hope is that the play store is well curated enough to remove most significant thre

  • I want silent denial (Score:5, Interesting)

    by Anonymous Coward on Wednesday June 11, 2014 @01:50PM (#47215315)

    One feature I really want on my cell is the ability to tell the app that I've given it all the permissions it is asking for, but behind the scenes remove that ability from the app. This is especially for apps like games that ask for all permissions, but only really need a few. I should be able to accept the game onto my system and then after adjusting the app's permissions, it would receive garbage contact details, garbage friend details, garbage location data, garbage file listings, messages go to /dev/null, etc.

    I'm sure if I root my device I could do something like that, but I just wish something like that was built in. {I kinda feel safer in my walled garden, easier to recover from garbage apps.}

  • New Permissions (Score:5, Interesting)

    by vandon (233276) on Wednesday June 11, 2014 @01:51PM (#47215323) Homepage

    Just finished updating a few apps on my phone.
    Adobe Air has a new permission group it requests. However, on the 'here's the permissions Air is requesting' pop-up after you hit the update button, they no longer mark the new permissions with "NEW". So now you have to cancel out of the update and go check each and every app you're going to update to see what the new permissions it's requesting.
    Totally stupid move by Google to not even mark the new permissions with 'NEW'

    • Re:New Permissions (Score:4, Informative)

      by Pow (107003) on Wednesday June 11, 2014 @02:10PM (#47215537) Homepage

      Hint: you can still see the onld screen with new permissions marked as NEW by scrolling all the way down in app description to PERMISSIONS and clicking on"View details".

      But I completely agree with you. Totally lame move by Google. I want to see this screen when I press the update button. Config option for advanced users would be sufficient.

  • by khellendros1984 (792761) on Wednesday June 11, 2014 @01:53PM (#47215341) Journal
    I routinely deny apps their updates because I don't like their modified list of permissions. This sounds like it'll make it harder for me to use my phone the way that I want to (which is the reason that I decided against an iOS phone in the first place). Google, you're whittling down my reasons to stay with your devices (or at least with the stock OS).
  • Xprivacy (Score:5, Informative)

    by SuperBanana (662181) on Wednesday June 11, 2014 @01:54PM (#47215357)

    Install XposedFramework:
    http://repo.xposed.info/module... [xposed.info] ...then the Xprivacy module.

    This isn't a great option for many, however, as you need root access. It does give you extremely fine-grained control over permissions, and includes options like randomizing (on each boot) the garbage data returned to apps to keep them happy.

    Xposed is great; the GravityBox module, for example, has a ton of interesting and useful functions, like setting your cellular radio to 2G when connected to wifi, a mode to have an increasing ring, a network speed indicator, etc.

    While I'm plugging Android software I use: the F-Droid open source repository is full of nice stuff (like AdAway.)

    https://f-droid.org/ [f-droid.org]

  • Dumb idea. (Score:5, Interesting)

    by gstoddart (321705) on Wednesday June 11, 2014 @01:55PM (#47215363) Homepage

    I want to have a settings page where I can go in whenever I want and selectively disable permissions.

    This just sounds like more dumbed down version.

    And, cynically, I believe that Google is doing this to ensure they can still collect data on you, and the people using their advertising services can continue to do to.

    This is why when I download a new app, the first thing I do is try it in airplane mode. If it's not an application which should require access to the interwebs, but tries to access it, it gets deleted.

    I must say, I'm disappointed in this. Because I want more control over app permissions, not less.

    • by synapse7 (1075571)

      Why don't you review the permissions from app settings, gives you a break down on time and what was accessed. Google keyboard that I don't used accessed my contacts 50 minutes ago.

    • by alen (225700)

      it's the app developers

      free apps they collect and sell the data to you know, make some money

    • by jader3rd (2222716)

      And, cynically, I believe that Google is doing this to ensure they can still collect data on you, and the people using their advertising services can continue to do to.

      Given that's how Android is profitable for Google why shouldn't they be doing this?

  • The fact is, if an application is desired... and isn't abusing the privileges currently...

    Then 99.9% of users simply click thru a list of 17 permissions the same as they do for a list with 5 permissions.

  • fixed that for ya

  • It might even turn the platform into a toxic hell stew.

  • Broken permissions (Score:5, Interesting)

    by ADRA (37398) on Wednesday June 11, 2014 @02:09PM (#47215527)

    Something like 90% of all apps require access to the IMEI of the phone which requires read_phone_state and that pretty much abandons all pretense of security compartmentalization since it can also see who you're calling, when you're talking, etc.. Most applications should only care and use it for a unique ID token. IF they want to fix permissions models:

    1. Separate the 'phone unique number' from the phone's call state functions. Must have, end of line. This is just plain retarded form day 1
    2. Write in permissions which are optional vs. required. Optional permissions are requested on demand like IOS and can be rejected or permantently accepted. Required permissions must be explicitly allowed when the application is installed
    3. Re-introduce AppOps functionality or at the minimum an audit trail of when-last and how often the application attempts a specific permission operation/category
    4. Consider second tier permissions model where if you want to include common and generally well understood permissions like read_gps there's no hoops to jump through, but if one wants to read and access the variety of accounts I have on my phone, I want to make damn sure that the company asking for this information has at least passed the stink test.
    5. Lastly, I want third parties to be able to flag applications (based on APK signature or through store functionality) as a problem so that even if Google doesn't have the time or resources to police all applications in the sun, I should be allowed to trust a thrird party who can flag programs problems based on any reason they find.
    This allows for uses like:
          - Flag applications for parental categories
          - Flag apps as 'ad-enabled'
          - Flag apps that are outright malicious in terms of stealing data/information
          - Flag apps that violate certain country laws
          - Flag apps that are banned based on administrative oversight (for work phones)
    Having this barrier mandatory or optional is up for debate as well as the ability to unistall is using a 'master' control password, etc..

  • For Google. Android is for the masses. The masses are stupid. Therefore the software for the masses must be written for the stupid. The less functions the better. You don't like it? How often in IT related discussions come lines like this: "MeeMeeMeeMee... I just want to use and not study computer science. You are arrogant. Stupid nerds". In the right forum, 80% applaud this crap. So, this is the result. I am certainly not Google, but I write my software the same way.

  • I would be a lot happier....even with this change.... if they made one other change: allow me to override.

    Very simple "App X requires A, B, C" Why does that mean I HAVE to grant A,B,C too it? Why can't I say "Give it A,B and run it anyway, yes I, the owner of the device, approve this" I don't see why its all or nothing like some sort of stupid contract

    "Well to run our app you must give us access to your SMS messages"
    "I don't plan to use those features"
    "Then you can't run our app on your hardware"

    I mean don'

    • as the owner of the device....isn't it well.... my problem if I break an app?

      The problem is that too many end users are not knowledgeable enough in how computers work to know whose problem it really is. They think it's Google's or the phone manufacturer's because the app broke.

  • I thought the Google Play store always showed the top level permission in the list as opposed to the more fine grained ones? Is the only difference that applications will now be able to use anything in the category displayed?

    In either case Google does need to ressurect AppInfo, the argument that applications can't handle not being provided a given permission is bogus - I don't believe there are any permissions which do not have an empty value which the application should already be capable of happily consu

  • by hsmith (818216) on Wednesday June 11, 2014 @02:57PM (#47216093)
    So what does it matter? How many people read the finely grained permission pages when installing apps as is? Perhaps this approach will be better because it will condense it into something people will be less likely to "ok" without reading.

    Doubtful.
  • by QilessQi (2044624) on Wednesday June 11, 2014 @03:36PM (#47216595)

    You're about to install "Angry Birds 7.0". This app wants to...

        1. Do whatever the hell it wants to with your tablet setup, your phone connections, and the Internet
        2. Not tell you about it

    [ ] Yes: I'm bending over right now!
    [ ] No: uninstall Android, brick my tablet, and post all my downloaded porn to Facebook

  • Looks like Google is doubling down on making it harder for you to stay private. Classy move, Google. You make it easier for me to avoid recommending the Play store and Android altogether.

  • by epyT-R (613989) on Wednesday June 11, 2014 @04:13PM (#47216951)

    Applications shouldn't be 'asking' for permission. They should just attempt access. The security configuration for each service or resource should have three settings: reject (with api notification), deny (return success but with bogus/user entered data), or allow (work as intended), for each application. The default should be reject, with a first time startup prompt (from the OS, not the app) when the app starts. This way a user retains his dominion over the device and what it does with network IO. For example, he can use an app that demands access to location information when it doesn't really need to. The user should own the android device and applications, not the other way around.

    Of course this would break the market and surveillance imperatives of google, app developers, and the state. Fuck them.

  • Google must know by now how bad a light its broken permission system is putting on Android. I can't run half the android apps I want to run on any of my Android devices any more because of the permissions they want. And a lot of the ones that I intentionally do not upgrade no longer work. It's making my three android devices useless and almost worthless.

    I'm flabbergasted that there are full-on idiots in the Google command chain who are unwilling to address such a severe and obvious problem. Truly flabb

  • First, and impressive showing at WWDC, and now Google is nerfing their security model to be weaker than iOS's (iOS will notify when a new permission is required as part of an update when the application tries to make use of that permission.)

    I think Windows Phone and iOS are both in a good position to start taking some market share from Google. If Google doesn't have a good Google/IO with Android, they may have officially dropped the ball on Android.

  • and as soon as it's over, on goes Cyanogenmod.
  • by krelvin (771644) on Wednesday June 11, 2014 @04:25PM (#47217041)

    I use Xpivacy which is a module add on to Xposed Framework to control permissions now. Have been using it for sometime. Allows using something like the Facebook app without allowing it all of the permissions it thinks it neededs.

    Not really sure what Google is thinking though. There needs to be more fine control of permissions not less.

  • by losttoy (558557) on Wednesday June 11, 2014 @04:53PM (#47217267)
    Being a Linux geek since '95 (and somewhat of annoyed-by-all-things-apple person), I bought an Android phone ever since they became available commercially. Did that for five years, ran custom roms and put in an Android patch to maintain a permissions firewall. It was one big PITA from a usability point of view. One day, I saw my banking app looking at my call log and that broke the camel's back, for me. I realized Google simply isn't interested in protecting my privacy. The whole you-can-see-what-perms-app-is-asking-for-before-install is a smokescreen. It doesn't scale. Pushing security problems to the user won't work for 99% of the userbase. Hell, it didn't even work reliably for a Linux nerd like me. By contrast, Apple only exposes a handful of data/attributes to ANY app. An iOS app can't look at or even ask look at my SMS, call log and practically most of the stuff - now, that is a sandbox. Also, from a business point of view, Apple makes money by selling me a phone so yes, they have some incentive above that to milk me for analytics but they aren't Google, who don't make much money when I buy an Android phone. For Google, I am the product. So, I switched to iOS (phones and tablets) and actually since then have switched from Gmail to Fastmail, Picasa to SmugMug. With these switches, my privacy is better protected and even usability is better (Picasa, for me, died when Google started shoving G+ Photos down everyone's throats).
    • The tradeoff is flexibility. Android apps can replace the SMS app, camera, launcher, etc. On a desktop system, the ultimate in flexibility, any "app" can look at all the files in your homedir. Privacy and flexibility are opposite design goals unfortunately. Maybe that'll change in the future but right now that's how it is.

  • What is the point of asking a security policy question when the only answer is yes? Why do apps want access to so many different services? The android/apple security permissions frameworks are fundamentally flawed. A polite term might be naive.

    At DeveloperWeek 2014 I went to a talk by a Mozilla developer on the Android security policy framework. He put forward two ideas:
    Fine grain access control.
    Prompt for permission the first time an app accesses a service, not at install time.

    His first observation was that the granularity of the permissions was far to coarse. Access the Internet. Use the phone. Access memory. Why are you forced to allow near complete access to the Internet when a service might only want to write to a specific site? Why read/write entire user memory when it only needs to store a state file or a small collection of cache files. Fine grained access controls are all standard features of the operating systems that underlie Android and Apple smart phones.

    The argument might be made that it would confuse users to be asking for complex permissions. I would say, what's the diff? The user is going to say yes either way. The only other option is to not use the app.

    Fine grained permissions enforced by the OS would limit damage that a rouge app could do by limiting what it could do without popping up an access request.

    The speaker's second idea was that the permissions policy questions should be asked the first time you use a service in an app, not at install time. The first time an app might build a current list of requirements/sites/etc and ask in one question. If an app needs to access something new like a new tracking URL or call a new phone number, a new permission request pops up enforced by the OS. A user who is annoyed by the pop-ups can always click "Don not show this message again".

    The benefits of these two changes is that you do not have blanket permissions granting for apps even for services the user may never use. This would prohibit a virus from starting to use a service that had not been previously accessed. Even a naive users might think twice when his GPS app suddenly wants to reformat the memory card.

    The two prongs of making permissions more granular and not granting them until they are actually accessed by the user would fundamentally improve the smart phone security policy. Both of these should be implemented by the OS so they are automatic, uniform and enforced.

    The argument of its too complex for the user is null because the users it might confuse are going to say yes in any case. They always do. The argument that it is too complex for the developers, my answer is "tough, you're a developer, deal with it".

    I wish I could find a reference to the talk. It was the afternoon of the last day of DeveloperWeek 2014 in San Francisco. The guy was from Mozilla. I recall it being a last minute change because someone canceled.

    Standard arguments about how nothing is perfect and everything can be bypassed apply. The standard reply of something is better than nothing apply as well.

    Brought to you by Captain Obvious

    • by Cytotoxic (245301)

      This sounds very much like the way Microsoft tried to do security in Windows Vista. People did not react well to so many dialog boxes popping up.

      Maybe that is why google decided that most people would rather just not have to deal with permissions in any real and meaningful way.

Serving coffee on aircraft causes turbulence.

Working...