2014-04-22

The permission model in android is totally broken

When installing a new application on a cell phone I typically agree to whatever the stupid app wants. My approach is “just do it and stop asking me questions”. There have been numerous reports about how apps are stealing data. I had to rebuild my phone this week after getting a replacement from Google due to some rather nasty screen issues. I thought I would be a bit more circumspect in installing applications this time. I took a close look at the permissions applications were requesting as I installed them.

It is absolutely amazing the permissions applications are requesting. Of the 10 or 11 clock applications I looked at every last one of them wanted some permission which I deemed unnecessary. Reading caller ids, access to the network, access to contacts, ability to send e-mails without me knowing,”¦ Outrageous! I’m sure an argument could be made for many of these but I cannot imagine how the argument for being able to read my text messagesor read my contacts would go. If you’re not paying for something then you’re the product has never been more true.

Asking to read my text messages? That's a paddlin'Asking to read my text messages? That’s a paddlin’

What’s the solution?

I think it is actually a pretty easy solution: grant permissions in the same way as HTML5 or OpenID. HTML5 will request permission when a page performs some activity such as capturing images from your web camera. If the script isn’t granted permission to access the camera then it should degrade or cancel based on this. Equally when you’re logging into an OpenID site and it requests additional fields from the login provider then you can click cancel and the application should accept this and compensate.

Sorry, you need what permissions?Sorry, you need what permissions?

As it stands I either accept that my alarm clock needs to read my text messagesor I don’t install it. Usually I just don’t install it. If I were able to pick and chose the permissions the application could have then it could degrade and still give me some functionality. Developers would have a much harder time sneaking malware onto phones if this could be done. As an added bonus I would like to see developers have to enter a reason why each permission was needed and have that show up during the install.

The correct set of permissions for an alarm clockThe correct set of permissions for an alarm clock

I can’t believe that Google is just letting this stuff go. Say what you will for Apple but they’re pretty willing to crack down on stuff like this.


comment: