A huge problem with Android apps is the 'take it or leave it' approach to permissions. You either accept what the dev claims his app needs to run, or don't install it. Where's the third approach, which would be to install it but replace dodgy sounding permissions with stub implementations? No, your game doesn't need access to my phone book or the internet, so if it tries, it gets an empty phone book and I appear permanently offline...
On the heels of last week’s controversy regarding the photo-slurping habits of iPhones come reports that Android can play similar games with privacy. Following the template it used to demonstrate the iOS vulnerability, the New York Times commissioned an Android app developer, Ralph Gootee of Loupe, to put together a demo app …
Sunday 4th March 2012 23:42 GMT Chet Mannly
A third option is to install LBE Privacy Guard (and there's probably a few similar apps I don't know about, just found one that worked and have stuck with it) which allows you to block these permissions for each app and each permission (e.g. access phone book, contacts, internet, location, phone ID etc).
If you deny a genuinely needed permission the app obviously won't work properly, but at least you have more control than the blanket permissions a lot of apps request.
In terms of the out of the box Android experience I guess it's good to be informed, but would be better to have control without having to use third party apps...
Monday 5th March 2012 03:40 GMT Yet Another Anonymous coward
Monday 5th March 2012 11:34 GMT countd
Re: option c)
Cyanogenmod allows you to dig into an app's permissions and deny / allow as you see fit before you run the app for the first time. This does have the occasional side effect of an app crashing, but in a recent case I had of a note taking app wanting contact and network permissions and falling over when denied such, it was warning enough for me to nuke the damned thing and look elsewhere.
Monday 5th March 2012 15:41 GMT BillG
A better option is to install DroidWall. It's a free firewall that lets you block apps from accessing the internet. About half my apps are blocked, including cameras, games, books, barcode scanner, calendar storage, contacts, and video players. Also blocks ads on those apps.
I feel safer, my phone runs faster and gets better battery life.
Monday 5th March 2012 16:10 GMT Gordon Fecyk
At least until the 'evil app' learns how to access Droidwall
"A better option is to install DroidWall. It's a free firewall that lets you block apps from accessing the internet."
If an app has 'full permissions' it will only be a matter of time before apps have enough code to look for and disable these things.
Monday 5th March 2012 18:33 GMT joe.user
Monday 5th March 2012 07:23 GMT LarsG
downloading apps that need apparent permissions that have no relevance to what the app is all about.
Now I have no apps!
This I think will remain a problem until we have the choice on permissions on the download page.
Each app should come with a 'tick' the box for what you will allow and this should have no effect on the app.
Monday 5th March 2012 07:27 GMT Anonymous Coward
Monday 5th March 2012 08:09 GMT Alan W. Rateliff, II
Re: I STOPPED....
Sadly, I highly doubt this will happen. Especially if it means that the user won't be able to run their favorite app, or an app which everyone else is running. I can already hear the screams about not being able to play "Angry Birds" (not implicating Rovio, here, just that I honestly don't know any other games on the platform) JUST because it can snarf their pics.
Those screams would sound like customers who call me because their favorite website has been exploited and Google, Firefox, or their anti-virus is preventing them from visiting. But they REALLY REALLY REALLY need to get to the website, so can't we just drop those protections long enough to get some work done?
I've had to liken it to sexually transmitted diseases and unprotected sex before to get the point across. Even then, I'm not certain the conversation had lasting effect.
Paris, no conversation has a lasting effect.
Monday 5th March 2012 11:47 GMT M Gale
Probably for adverts.
So here's a suggestion: PERMISSION::ADVERTS, PERMISSION::ADVERTS_GPSLOC, PERMISSION::ADVERTS_TOWERLOC, plus any others that are specifically related to the advertising framework you're using.
Now offer users a central control panel with checkboxes that say "Yes, adverts can know my location", "Yes, adverts can read my contacts", and any other permissions that Adwords and other approved advertising companies might use. I say this because "approved advertising companies" is better than "whatever advertising companies the local monopolies commission says you HAVE to work with".
Make sure the user can always turn all checkboxes off. Doesn't stop an advert-funded app displaying adverts, just that they would be more like billboards and less like a personalised sales pitch.
Does anybody remember the utter stink that Go!Zilla and Aureate kicked up? It wasn't just because of the ad banner.
Monday 5th March 2012 20:45 GMT JohnG
"Where's the third approach, which would be to install it but replace dodgy sounding permissions with stub implementations?"
Yeah, agreed but it ain't gonna happen. It would be like turkeys voting for Christmas - the people offering the "free" apps are making their money by pimping users' data to marketing companies - and Google aren't going to help as it was their idea in the first place. There are 3rd party solutions though.
Wednesday 7th March 2012 21:51 GMT Flendon
You can do that if you have root
The app Pdroid can block a number of permissions in that way, but requires Root.
I combine that with Avast AV which contains an application firewall, also requires root. It allows Deny All, Permit by Exception. If it is a game or something that has no need to access the internet it is blocked automatically, unless I specifically add it to the allowed list. If it needs internet to work I use Pdroid, so for example, Facebook is fed a random Device ID, phone number, SIM serial, Subscriber ID, GPS and Network location, while incoming number (why the hell do they need this?), call log, SMS, MMS, Sim Info, and network info are blocked completely.
I know some friends who would really love these capabilities, but are nervous about rooting their phone. It would be great if this was allowed for everyone.
Sunday 4th March 2012 23:25 GMT Jolyon Smith
I don't see any difficulty in NOT conflating "Internet Access" with "Access to <insert LOCAL data of choice>".
One is accessing data over a network the other is... n't.
The trouble is, I can't seem to find any Android manifest permission relating to local data other than the specific CALENDAR, CONTACTS and FRAME_BUFFER data (the closest I found to any camera content I guess).
I'm not sure (but don't know for sure) that there is ANY protection for camera files or any other local data. Looking at the available permissions on Android, it looks like the real problem is that if you give an app INTERNET access then you open a big fat pipe down which it can SEND local data that it already has access to.
Paris, cos she likes big, fat pipes. Allegedly.
Sunday 4th March 2012 23:50 GMT Anonymous Coward
Not sure why half my Android tablet apps need half the permissions they do. Sure you can have access to my phonebook, I'm using a tablet so I don't have one!
So if I don't have one, why does it need it? The app still works. Most odd. Likewise with some of the other permissions? Over-caution from Google or data mining?
Still at least it asks. God knows what is happening on my iPhone where I do have a phonebook, etc.
Monday 5th March 2012 01:01 GMT scarshapedstar
Like I said in another thread: share buttons. You wanna tell your friends about the app? Well, it needs to know who your friends are. And how do you wanna tell them?
SMS? That's a permission.
Facebook? That's a permission.
Email? That's a permission.
Seriously, The Moron Test is not rifling through your text messages. It just needs to be able to send one.
Monday 5th March 2012 00:58 GMT scarshapedstar
Basically the whole file system is open - just like on your (non-Linux) desktop.
There are a number of solutions. One, your photo app could encrypt your photos so that no other app could read them. This would get the job done, but you'd be unable to view them in the built-in Gallery or do anything else with them outside the photo app - the classic walled garden approach. Trivially easy to implement, but also crappy.
Rumor has it that future versions of Android will allow apps to limit outside access to their home folders.
Monday 5th March 2012 02:57 GMT Anonymous Coward
Curious to see what Google does about this, if anything.
The modify/delete permission was introduced in Android 1.6 - before it, apps could write or delete without stating anything. However introducing that also meant that all apps designed to prior versions of the Android API get the modify/delete SD permission implicitly, regardless of actual use.
If they did the same again, all existing apps would show an implicit read SD card permission, even if they don't use the SD card. This would be highly counter-productive and confuse users to no end, so I suppose they'll have to think of something else other than just adding another permission.
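Added example (not part of the thread or of any commenter's post): a small manifest audit showing the implicit-grant behaviour described in the comment above, where an app built against a pre-1.6 API level ends up holding the SD card modify/delete permission without declaring it. The sample manifests and the package names in them are constructed for illustration; `READ_PHONE_STATE` is included because it was introduced at the same API level, which the thread does not mention.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions introduced in Android 1.6 (API level 4). Apps that target an
# older API level are granted them without declaring them.
# (READ_PHONE_STATE is not mentioned in the thread; added from platform docs.)
IMPLICIT_BELOW_API_4 = (
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
)

def target_sdk(root):
    """targetSdkVersion falls back to minSdkVersion, which falls back to 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    min_sdk = int(uses_sdk.get(ANDROID_NS + "minSdkVersion", "1"))
    return int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", str(min_sdk)))

def effective_permissions(manifest_xml):
    """Return declared permissions and those granted implicitly."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name")
                for el in root.findall("uses-permission")}
    declared.discard(None)
    implicit = set()
    if target_sdk(root) < 4:
        implicit = set(IMPLICIT_BELOW_API_4) - declared
    return {"declared": declared, "implicit": implicit}

# Constructed sample: an old game that declares only INTERNET.
OLD_GAME = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.oldgame">
  <uses-sdk android:minSdkVersion="3"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Constructed sample: a newer app that declares what it uses.
NEW_APP = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newapp">
  <uses-sdk android:minSdkVersion="3" android:targetSdkVersion="8"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml_text in (("old game", OLD_GAME), ("new app", NEW_APP)):
        perms = effective_permissions(xml_text)
        print(name, "declared:", sorted(perms["declared"]),
              "implicit:", sorted(perms["implicit"]))
```

The manifest text here is the decoded XML form; a manifest pulled straight out of an APK is binary-encoded and has to be decoded first.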
Monday 5th March 2012 13:57 GMT Ilgaz
Issue is deeper and WONTFIX
Issue is choice of the file system, Microsoft FAT, which MS themselves bypassed on first opportunity (Win Phone)
It has no clue about owners, it is designed for DOS.
Sorry for stating these basic facts to you, it is in fact for couple of idiots who claim people who will plug the card to computer and manually manage files can't install a ext reader to windows.
Billions of dollars at risk, people lose personal, impossible to reproduce photos are disappearing because it has no journal and now, all personal data at risk. Every time someone mentions these basic facts, someone pops up and talks about that imaginary guy who plugs the SD to computer and hasn't installed some suite.
I can't even believe the fact that even if you manually go with ext3/2 and kernel has support, your device won't mount it. Yes, tried and I am not hacking the /etc just because some Microsoft Trojan made its way to stupid Google, unnoticed.
Monday 5th March 2012 04:28 GMT James O'Brien
Monday 5th March 2012 07:43 GMT Dave Fox
So the NYT "commissioned" an app developer to put together something incredibly trivial because it's a known fact (and presumably a design decision) that the "user data" (let's call it external SD, because it differs from /data/data, which is somewhat protected) is accessible to any app. This is newsworthy?
How else are apps like Photoshop, Facebook, Twitter, Dropbox, etc going to gain access to your photos for retouching/uploading? Yes, you could have them encrypted on external SD with an API and explicit permission set for accessing them, but then you wouldn't be able to access them when you connect your phone via USB mass storage, which would be an incredible inconvenience.
I have several different video and/or music players on my Android devices, and they can all access my stored videos/MP3s, which is what I want to be able to do. On my wife's iPad, I accidentally loaded some non-video files into the walled garden of her CinePlayerX app, which I'm now completely unable to delete because they don't appear in the file list of the app.
Sometimes we have to balance the needs of security with convenience, just as we do in real life. I'm not going to be taking naked pictures of myself, or copies of state secrets on my phone, so if they somehow end up on a public website, I don't particularly care.
If I were to do something that required more security, I would be taking the appropriate steps to safeguard my data.
Monday 5th March 2012 08:44 GMT Anonymous Coward
Matter of trust
So we've established that both Android and the iPhone suffer from unprotected parts of the file system that allow unscrupulous apps to access photos and probably other media. There is no difference between this and my desktop and to deny all access would completely limit anything any app could do.
Anyway, the issue is trust, 1) you have to trust the author not to have written a backdoor and 2) Starting with Google, and ending up with the law authorities, the author of such software would be done over, dragged through thorn bushes and prosecuted to the full extent of the law for EVERY person affected.
Unfortunately, having an app store gives the impression of increased security for both platforms yet it's simply not the case. (Yes, even Apple let some slip through despite the rigorous approval procedures in their walled garden)
Monday 5th March 2012 09:05 GMT Lamb0
If Android is going to function as a proper OS it needs to act like one! I like the way MEPIS groups permissions and restricts user access as needed (or desired - sometimes with a little fiddling). Permissions Functionality should be a simple, yet easy to use tool integrated into the OS - settable by the OWNERS, not Google, or the phone company; and all apps should delineate why specific permissions are required for what features.
Many features I'd leave enabled, others would have certain permissions enabled only as needed, and a few would be routinely blocked, disabled, and not show on-screen (such as Facebook) - until I desire otherwise!
Monday 5th March 2012 09:49 GMT Anonymous Coward
"If Android is going to function as a proper OS it needs to act like one"
It does act like an OS, it operates the hardware on behalf of application programs. If an application wants access to a resource, it gets it via the O/S.
Android is more secure than most desktop operating systems because it requires an application program to be given permissions to user data; when was the last time you installed a Windows or Mac OS program and had it tell you that it required internet access and access to specific user data? Pretty much every desktop O/S application program has access to read from, and in most cases write to, files created by other applications - the security normally just gets enforced at the User level so all my programs can see all my data (but not anyone else's).
Monday 5th March 2012 12:01 GMT M Gale
I'll upvote you just for being pedantic...
...and raise you a "Android isn't even the OS, that's Linux. Android is a whacking great stack of software running on Linux, the visible part you see of which is the Dalvik virtual machine and whatever launcher is running."
But yes, the permissions model does need a bit of a remodel.
Monday 5th March 2012 12:44 GMT Anonymous Coward
As mentioned earlier, often the permissions are needed for something you may not consider. A bit like the furor over granting Facebook, Google etc the right to display your photos. How else are they meant to show your friends said photos that YOU are sharing?
Obviously with a dodgy developer there could be a problem.
On the other hand, how many apps that people install really are quite trivial to go and create yourself? A huge percentage, I'd say. In fact, several times when I've thought an app needs ridiculous permissions I've written something myself - and that's coming from no previous developing background. Probably the thing I like most about my androids actually, I'm quite enjoying coding and I'd probably never have tried it.
Monday 5th March 2012 14:32 GMT Leona A
Talking of Photo Slurping without consent, anyone using Google+ app on their Android might like to know it automatically uploads photos to a 'private' album on your profile for you, hum, I don't ever remember agreeing to that! Go through the options list and you can turn it off, but you can't remove the photos from Google+ how helpful, sure people will love looking at photos of my lounge and garden!
Monday 5th March 2012 15:44 GMT Anonymous Coward
Monday 5th March 2012 19:37 GMT Shades
Monday 5th March 2012 19:40 GMT Anonymous Coward
I would have thought it was fairly obvious I meant solely within the group who have the app, since everybody else I know would be pretty bloody irrelevant to the comment, no?
Besides which, what does it matter how many people I know? The fact it's the first option you get when running the app would still be valid if I knew one person or a million.
Monday 5th March 2012 19:01 GMT dssf
I still prefer the idea of at least having the OPTION to use a vault.
As for "apps breaking", the phone being queried, when seeing a URL probing for an image, would just serve up a red circle "X". A challenge-reply would enable the user to decide whether and to whom the photo or file will be "released".
It isn't hard, and yes, there will be users who'll screw up the concept and create a lot of tech support headache. But, that is not a valid excuse for not providing a facility for the demanding savvy to use/exploit to the hilt.
Imagine if military officials felt that way about secrets, "oh, it's cumbersome, so just let EVERYone access whatever files we have, shared or not...".
Monday 5th March 2012 23:21 GMT Charles 9
IIRC, military types end-run around the problem by simply not using it. Military communications tend to use their own proprietary devices.
But back to the civilian world, you have a classic power struggle here. Both users and developers want control over the phone, and Google's caught in the middle. If they favor the users too much, devs won't feel comfortable and will probably defect to Apple, who already has an established base that could convince devs to take the plunge...if Google didn't slant things back in their favor. So basically, if you want their app, you have to play by their rules or they won't provide. It's like an auto garage. If you want them to handle your car, you have to agree to their terms, even though it's your car.