Google Cuts Android Privacy Feature, Says Release Was Unintentional

An anonymous reader writes "Peter Eckersley at the EFF reports that the 'App Ops' privacy feature added to Android in 4.3 has been removed as of 4.4.2. The feature allowed users to easily manage the permission settings for installed apps. Thus, users could enjoy the features of whatever app they liked, while preventing the app from, for example, reporting location data. Eckersley writes, 'When asked for comment, Google told us that the feature had only ever been released by accident — that it was experimental, and that it could break some of the apps policed by it. We are suspicious of this explanation, and do not think that it in any way justifies removing the feature rather than improving it.1 The disappearance of App Ops is alarming news for Android users. The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people's data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago.'"

Ups and Downs

[Akratist]

One of Android's selling points has always been it's open nature, and the fact that it's not as locked down as iOS. This seems like it's taking a step in the direction of locking down the OS for the user, and unlocking it for everyone else...

Re:Ups and Downs

[Rosco+P.+Coltrane]

Well it's Google, what do you expect...

If you think Google works for the good of the user, think again.

Re:Ups and Downs

[Chris+Mattern]

If you think Google works for the good of the user, think again.

Only Tron fights for the user.

Re:Ups and Downs

[erikkemperman]

The open nature is also being drastically eroded by moving more and more stuff into the Google Play Services. So while the platform is still technically open source, all the interesting things are moved into a separate, closed, layer.

Slowly but surely, android is closing up.

Re:Ups and Downs

[LordLimecat]

It bugs me to see the crap google gets when they are the least abusive of all big companies by just about any measure, and actually HAVE fought for the user on several occasions (China, warrantless data requests, posting takedowns to Chilling Effects / working with the EFF).

I mean I guess you can cross your fingers and hope that companies like Yahoo and MS dont do things like spill the beans on Chinese dissident bloggers or work with the Chinese gov't to create a bugged version of Skype for China, but I wouldnt hold your breath.

I guess why it irritates me so much is that Google really does seem to try to be the good guy, and they get crap for it because people seem to want to forget what their business model is and give them a hard time for being for-profit. Maybe we should boycott them, THAT will teach them to fight extrajudicial data requests!

Re:Ups and Downs

That is very true; much of it is moving to closed source. Unfortunately we can't have nice things. We can't have nice things because of Tivoisation ( http://en.wikipedia.org/wiki/Tivoisation ). We can't have nice things because of Samsung trying to "demote" the Google apps in favor of their crapware. We can't have nice things because of hardware vendors and carriers who won't update their devices (forcing Google to move stuff from core into apps that can be updated without intervention). There are a lot of things driving Google into close-sourcing more of the interesting bits of Android. None of those are "because they want to" or "because they are evil". They are, instead, being forced into it due to the evil of others.

Re:Ups and Downs

[Mordok-DestroyerOfWo]

Zathras used to being beast of burden. Zathras have sad life, probably have sad death, but at least there is symmetry

Re:Ups and Downs

[oogoliegoogolie]

Oh jeez, you really need to stop looking at Google through your Android-colored glasses!
Google was a cool tech company a decade ago when they came up with products that benefited the users, namely an email product that offered 1GB of space free when others gave you 20MB, and of course search. Since then they've morphed from a tech to an advertising and data-mining company, and all of their products reflect this.
Google:"Do you want to sign up for G+" or "Do you want to use your real name on Youtube?"
User:clicks NO
Google:"OK, we'll ask you later"

Do No Evil hasn't existed at Google for a decade, if it ever did.

Re:Ups and Downs

[RedBear]

It bugs me to see the crap google gets when they are the least abusive of all big companies by just about any measure, and actually HAVE fought for the user on several occasions (China, warrantless data requests, posting takedowns to Chilling Effects / working with the EFF).

I mean I guess you can cross your fingers and hope that companies like Yahoo and MS dont do things like spill the beans on Chinese dissident bloggers or work with the Chinese gov't to create a bugged version of Skype for China, but I wouldnt hold your breath.

I guess why it irritates me so much is that Google really does seem to try to be the good guy, and they get crap for it because people seem to want to forget what their business model is and give them a hard time for being for-profit. Maybe we should boycott them, THAT will teach them to fight extrajudicial data requests!

I imagine the baitfish has a similar mental state at any point in time prior to being eaten by an anglerfish.

Any perceived benevolence, animosity or innocuousness in a completely amoral organism like a corporation is an illusion. For your own safety you should learn to pierce that illusion. There is no reason to "feel bad" for a steamroller when its operator is being reprimanded for running over a dog. The fact that the steamroller was, up until that moment, being used to help create a road system that you will personally benefit from does not negate nor excuse the canine compression incident. It is the dog and/or the machine operator that you should have an emotional interaction with. Not the machine.

Google is neither friend nor foe overall, and is quite capable of being commanded by its human operators to perform both highly benevolent and highly antagonistic activities simultaneously at any given point in space and time. Also, its past behavior has little bearing on its present or future behavior. Your entire argument is therefore pointless.

Re:Ups and Downs

[ugglybabee]

Nope. It's simple. Doesn't matter who you are, how evil or how good. You kill privacy, you get criticized for it, duh.

Re:Ups and Downs

[mounthood]

It bugs me to see the crap google gets when they are the least abusive of all big companies by just about any measure ....

They deserve to get crap for *this* and any other positive actions aren't a get-out-of-jail-free card. Until a few years ago the slashdot faq contained this:

I thought everyone on Slashdot hated the RIAA, the MPAA, and Microsoft. Why do you keep hyping CDs, movies, and Windows games?

Big corporations are what they are. They sell us cool stuff with one hand and tighten the screws on our freedoms with the other. We hate them every morning and love them every afternoon, and vice versa. This is part of living in the modern world: you take your yin with your yang and try to figure out how to do what's right the best you can. If you think it has to be all one way or the other, that's cool, share your opinions, but don't expect everyone else to think the same.

Re:Ups and Downs

[ImprovOmega]

As long as you can side load apps and the APIs are free for developers it will still be light-years more open than Apple ever allows you to be. Heck, you can't even write an iPhone app unless you're doing it on a Mac with a sanctioned Apple developer license.

Re:Ups and Downs

[LordLimecat]

Oh jeez, you really need to stop looking at Google through your Android-colored glasses!

Wonderful ad hominem, but I dont actually have an android.

I also like how you completely didnt address any of my points. Yes, a lot of the stuff Google does with youtube is incredibly obnoxious, as is their insistence on making Google+ work despite the fact that noone really cares. None of that really has anything to do with their corporate stewardship or ethics.

Calling them "evil" for their youtube commenting policies just shows that you really dont understand what "evil" is referring to. For some people, Google's privacy policy is a lot more vital to their well-being than whether you are forced to use Google+ for youtube comments, and those people are probably really glad that Google actually honors its policies and resists overreach by law enforcement of various countries.

Re:Ups and Downs

[LordLimecat]

They voluntarily shared user data in China and Russia.

Wrong, try again. They were threatening to leave China for a while about 7 years ago because China was pressing hard for them to spill the beans on what kinds of searches folks were doing, and Google didnt want to play that game. Of course as I linked Yahoo and MS were all too happy to comply, Im not really clear how that makes them better in your book.

More recently (less than a year ago?) Google started alerting users when Chinas GFW was tampering with their connections in response to "forbidden" queries, which led to a sort of arms race between the two of them.

They cooperate with the NSA ALL of the time

Source? Because the Snowden leaks indicate that the snooping was done without Google's knowledge, and was done to basically all major internet companies.

They data mine their clients (you and I) and they have removed most means to restrict access to personal info.

Bull.
1) Android lets you use third party marketplaces to install whatever you want; as does Chrome; as does Google apps. The first two let you set up whatever privacy features you want.
2) Chrome since beta has allowed you to turn off all tracking
3) they track basically the same info as every major search provider in the last 10 years. Theyre probably better at it, but hey: they do let you opt out, and they DO fight requests from the authorities to hand that info over.

Do you work for Google?

No, Im an IT consultant / contractor. I dont really have a particular vested interest in Google, except that they seem to actually care about building good products and employing actual functional security. I do have a number of acquaintances in China who are directly affected by the shenanigans of the other companies I mentioned, so perhaps Im biased in that manner.

You have a lot of questions, I have one for you: who are you supposing is among the best, if Google is among the worst?

Put in an app

I thought I read that they just pulled it out and into its own app, so that you'd have to seek out this feature. They wanted to keep folks who didn't know exactly what they were doing to stumble upon this and mess up their phones.

Re:Put in an app

[the_B0fh]

https://news.ycombinator.com/item?id=6900762

If that is true, it means Google actually yanked the calls, instead of just hiding them.

Re:Put in an app

[squiggleslash]

Not even that really. You ALWAYS needed third party apps to bring up the screen.

Here's the deal. This was never an end user feature. It was a screen that required additional software to actually bring up. It wasn't documented. I'm not even sure how anyone found out about it - my guess is someone trawling through the source code. Google's assertion that this wasn't meant to ever be released appears to be completely genuine and the apparent insinuation by the summary that Google isn't telling the truth is absurd and unfounded.

This is not to argue that the feature wouldn't be welcome. But as someone who used the equivalent functionality in CyanogenMod for a while, I can confirm that turning off permissions dynamically in this way requires quite a bit more care than it might appear at first - apps did crash when apparently denied features quite reasonably, even when you might think they'd have to cater for that situation anyway. I'd deny network privileges to an app, and see it crash, even though it would work without problems when the privilege was given but the network was unavailable for technical reasons.

Unfortunately, because Google has (objectively) gone to shit lately, and because they've lost some goodwill in their recent move towards closing much of Android ecosystem, combined with Facebook and Apple's paid anti-Google shilling campaign, this story is being presented as yet more evidence that Google is doing something wrong.

They're not. They've removed an undocumented part of the operating system that required third party software to access in the first place, that attempted to do something that requires thought, care, and planning. Good. Now, le'ts hope they finish what they started, and release a working version.

Re:Put in an app

[triffid_98]

as someone who used the equivalent functionality in CyanogenMod for a while, I can confirm that turning off permissions dynamically in this way requires quite a bit more care than it might appear at first - apps did crash when apparently denied features quite reasonably, even when you might think they'd have to cater for that situation anyway. I'd deny network privileges to an app, and see it crash, even though it would work without problems when the privilege was given but the network was unavailable for technical reasons.

Speaking as a fellow Cyanogenmod user...

CASE #1

Some apps will crash if they can't read your phone contacts (or whatever absurd permission they asked for) and report them to their remote server...and I'm totally fine with that. They said right out they needed X permission and I said no you can't. CASE #2

A lot of applications (I've no idea what percentage though) ask for permissions that they don't need, presumably on the basis that they might need them in the future and don't want automatic updates to stop (which they will if they suddenly want new permissions) CASE #3

see CASE #1, except the developers used this super secret coding technique called try{}catch, and the application still works fine.

PDroid

[JeffOwl]

Gives granular control of app permissions. Requires Root, but it's worth it. I figured this change was never going to be permanent because it messes with Google's (and app developers') revenue stream.

Re:PDroid

[Kazymyr]

There are many apps that do that. I have been using "Permissions Free" for a couple of years now. I guess the news is that Google released similar functionality as a built-in, then removed it. Sounds nasty.

Re:PDroid

[gstoddart]

And just how easy is it to root the device? Every time I've looked at it, it seems like it's a lot of hoops to jump through, and with some concerns about still having a working device.

Why Android can't just give me root by default, I don't understand. It's MY device, why can't I be the one who decides if I can have root?

Re:PDroid

[drinkypoo]

Why Android can't just give me root by default, I don't understand. It's MY device, why can't I be the one who decides if I can have root?

There are security implications for both unlocking and rooting. It's best that they default off.

Re:PDroid

[Razalhague]

I guess the news is that Google released similar functionality as a built-in, then removed it. Sounds nasty.

They didn't release it, per se. The code was there, but it was only accessible with third party tools. Not saying disabling access to it was the right choice, but it isn't as nasty as it sounds.

Re:PDroid

[DrXym]

I doubt Google cares that some app is too buggy to function without a particular permission. Their general approach is to let the cream float to the top.

Most apps already have to cope with features that are missing. e.g. an app might want to read SMS or make calls, but neither facility is available on most tablets. Or they might ask for GPS coords and again they simply can't have it. If they can't cope with the variety out there already then I don't see much difference if the user has an explicit switch to disable that functionality.

That said, the current situation is completely unacceptable. The upfront permissions are getting worse and worse for some apps and often for completely esoteric reasons. Twitter recently updated their app to ask my location. Fortunately there is a switch in their app to turn this off, but really I shouldn't have to count on their charity - I should be able to turn that setting off whether they want me to or not.

Sounds like it worked

[Carrot007]

> it could break some of the apps policed by it.

Is that not the entire point?

Re:Sounds like it worked

[mlw4428]

Not necessarily. A poorly coded app that needs to use the GPS and crashes if you deny the permission is different than a well coded app that doesn't crash when you try to use the GPS and continues running. Google is most likely saying that they haven't figured out a GOOD way to prevent apps from just exploding when a permission that they expect to have is denied. Personally it doesn't make much sense for an end-user to retroactively deny permissions. You should review them up front and say up front...if my app requires specific GPS coordinates to work and you randomly decide to stop giving me permissions then there's a chance you'll get all pissy because the app stops working as intended. If I tell you my app needs X permissions then I should get X permissions or you shouldn't install my app. There's a reason I asked for them (regardless of legitimate or illegitimate reasons -- install apps from those you trust).

Re:Sounds like it worked

[Kazymyr]

Doesn't work when you're talking built-in, as in manufacturer-made ones that are part of the ROM. Or, in some cases, Google apps. :)

Re:Sounds like it worked

[StripedCow]

Imagine an app that does:

try
{
    fileSystem.read("/path/to/file");
}
catch(error)
{
    launchMissiles()
}

What if you suddenly take the filesystem permissions away after allowing the app to be installed?!?

Re:Sounds like it worked

[gstoddart]

You can easily disable those apps.

Not all of them.

For some of the Google apps, I've had to uninstall updates to get them rolled back to an older version that I could disable. On many apps, there's simply no option to disable them.

In many cases, the update marks the app as something you can't disable.

I would dearly LOVE something which allows me to set more granular permissions on apps. I just tried "Permission Manager", and it essentially just crashes. In the mean time, I mostly run my Android devices with wifi off, and with no data plan so there's no way for them to reach the network.

Re:Sounds like it worked

[jonnythan]

In the app properties page for pre-installed apps, the "disable" button is replaced when the app is updated with an "uninstall updates" button. After you hit "uninstall updates" you can hit "disable."

The only apps you can't disable are actual system apps. Things like Google Services Framework, Google Account Manager, Google partner Setup, etc, can all be disabled.

Re:Sounds like it worked

[MozeeToby]

Yes, you can but then again, no you can't. They're such a convoluted mess of dependencies that you can never tell what disabling one of them might do to the rest of your phone. Others cannot be disabled through the application manager and even worse, some of them you cannot turn off notifications for. Not to mention that many calls are hardcoded to bring up those apps (holding the menu button on the latest Samsung phones is hard coded to bring up "S-Finder" for instance). I love Android, but you can't just wave away valid criticism with a poor work around.

Re:Sounds like it worked

[Nerdfest]

Did you used to work i the software security division of Adobe?

Re:Sounds like it worked

[Artraze]

> Google is most likely saying that they haven't figured out a GOOD way to prevent apps from just exploding when a permission that they expect to have is denied.

That is (or at least was) their excuse with regards to not allowing permission controls. However it was bullshit then and it's even more bullshit now. Not all phones/tablet have GPS and even if they do it can be off. SD cards be be ejected (time was when that was the only bulk storage), tablets don't have phone modules, etc. There are probably a very small number of things guaranteed to be available, your contacts being maybe the only one. I'd hazard that the danger for the model as they had it was that an app might write something to the fake dataset and expect it to be there on the next read. Solvable as this all is, but they aren't trying.

Anyways, it was poorly conceived and poorly implemented and I don't mind it being gone. It ignored app permissions so that it would be active even for apps that requested nothing and made it difficult to identify apps that were actually problematic. More frustrating, it was targeted only at privacy and not security, which I'd think was just as much a concern.

> Personally it doesn't make much sense for an end-user to retroactively deny permissions.

You're assuming a perfect free market where there are infinite apps and you can find one that does exactly what you need and doesn't require any excess permissions. In reality, however, there aren't that many options. Sometimes there's only one: social games, bank, etc and that app requires more permissions than you want to give. Certainly you can go without, but why am I forced to let your app do whatever it wants on my device? Yeah, it's your copyrighted app, but it's not like I'm agreeing to install a GPS in my tablet, turn it on and ensure I have signal. So why can't I simply deny access to the GPS?

Honestly, the ability to revoke permissions would be great for developers too. There is (was?) a unit conversion app out there with two versions. One had currency conversion and needed an internet connection to determine the current rate. The other lacked the currency conversion and the internet permission. If users could revoke permissions or developers could set them as optional it would have made the second version unnecessary. A great deal of apps suffer the same issue. Most permissions are intended to be little niceties: a store wants GPS to find the nearest but could use zip code, an app wants contacts to auto complete but could just fire up the builtin contacts app. So on and so forth. Forcing permissions to be all or nothing forces develops to choose between adding features and appearing like a front for the NSA.

Re:Sounds like it worked

[mrchaotica]

Have you ever used the feature being discussed? It not only provides a list of what permissions the apps want (and switches to turn them on and off), it also tells you how long ago the app actually tried to use the permission. For example, on my Nexus 5, Chrome last used my location December 6, read the clipboard 5 days ago, and has never tried to use the camera or record audio. What this means is that these features are optional, and it's perfectly reasonable to disallow them and continue using the app without it even noticing they're missing.

Now, there's an even more important use case: I don't have a whole lot of apps that require permissions for user-hostile reasons (because I avoid installing them in the first place), but there are a few. Fruit Ninja, for instance, wants access to the user's location for no good reason other than evil tracking & advertising purposes. Just now I tested it to see what would happen if I turned off that permission. Guess what? The game still played perfectly fine. There was absolutely no downside for me, the user, in turning the tracking off. Contrary to your assertion, I expect this is what will actually happen in the vast majority of cases (until developers start purposefully sabotaging their apps when the misfeatures fail to work).

Re:Sounds like it worked

[mrchaotica]

Because that's like expecting Windows...

Funny you mention Windows, because that is kind of what it's like. If you're developing a Windows application you have to accept the possibility that -- for example -- the user might firewall your program (so making it add-supported won't necessarily work) and that there's not a damn thing you can do about it.

I should have certain hardware and permissions to the OS. If you feel you can't trust my application then don't install it.

You're one of those dumbass programmers who designs Windows applications that require Administrator access to run, aren't you?

It becomes a support nightmare and a functionality nightmare and a programming nightmare to try and code around every single user's specific desires as to what hardware/permissions I should access.

If accepting the inevitable reality that the user is going to decide what happens on his own device is a nightmare for you as a developer, then go find some other line of work. The world will be better off without your malware.

Re:Sounds like it worked

[mrchaotica]

You're talking about the situation where an app legitimately requires a permission (e.g. a text messaging app requiring text messaging permission). I'm talking about the situation where an app illegitimately "requires" a permission (e.g. a live wallpaper app requiring text messaging permission). "If you don't want to grant the privileges that the app says it needs, then don't install the app" does not work because Stupid End User thinks "ZOMG PRETTY PICTURES! ...PERMISSIONS? LOL WUT?" and installs the damn thing anyway.

Given that the vast majority of Android apps illegitimately require permissions, this kind of permissions management is absolutely necessary to protect SEU from himself (at least SEU's less-stupid friend can disable the permissions for him, instead of trying to explain why he ought to quit using his favorite spyware-infested live wallpaper). If that harms the developers of the spyware-infested apps, the too fucking bad for them, they deserve it.

The fundamental thing here is that the needs of SEU outweigh the needs of the developer, period.

Just plain wrong.

It always irked me when you install an Android app it often produces a big long list of the things the app can access, some of which you don't want it to, but you can't pick'n'choose the access permissions, it''s all or nothing.

That's just plain wrong.

And for Google to release an app which can allow you to set the access permissions of apps, and then withdraw it is even wronger (yes I know that's not a real word), even if changing some of the access permissions breaks the app there's the issue that many apps don't actually need to access everything on your Android device to run.

Re:Just plain wrong.

[Andy+Dodd]

Google never released an app. They accidentally left code enabled deep in the frameworks for which user-facing control was never exposed except via third-party modifications.

Re:Just plain wrong.

[LDAPMAN]

Not all permissions are essential to the operation of the app. Thats the point of being able to selectively choose. Many IOS apps just disable certain functions or niceties when you deny a permission. They can also pop up a nice dialog when you try to do something requiring that permission and ask if you want to turn it back on. An all-or-nothing approach is just stupid and leads to users just blindly accepting what the app asks for.

Re:Just plain wrong.

[Solandri]

It always irked me when you install an Android app it often produces a big long list of the things the app can access, some of which you don't want it to, but you can't pick'n'choose the access permissions, it''s all or nothing.

That's just plain wrong.

There's nothing at all wrong about that. You are proposing one extreme where the user gets to control everything software can do on his phone. Apple does the other extreme where the developer controls everything and Apple provides oversight.

Google is trying their best to split the difference. A developer creates an app and distributes it on his terms. e.g. He might give it away for free but have it play ads to generate some revenue for him. You have no right to take his copyrighted app and use it in violation of the terms he's released it under. This is the fundamental tenet which makes Open Source work - most of their licenses require you to share any code modifications you make as the price you pay to use the software. It is wrong to take someone else's work and use it in violation of the terms under which they've decided to allow you to use it.

But it is also wrong for the software to purport to do one thing, then secretly do all sorts of things behind the user's back. So Google forces apps to disclose what info and services they will have access to. Google sets up the open, level playing field. The developers provide their apps, Google makes sure the user gets a concise summary of what the app does, and it's up to the user to decide whether or not to use the app.

Speaking both as an Android user and a developer, I think it's about the perfect balance between developers' rights and users' rights. The only flaw I've seen abused is that an app which needs network and account info for one purpose may abuse it for different purposes. e.g. The Amazon app needs network access to contact the Amazon app store, and it needs to verify your account info to enable you to make purchases. But according to my logs their app is trying to ID my phone every time I start any app, like it's trying to track what apps I use and how often.

Re:really ?

[robmv]

It was never a feature, people access it using a third party application that calls an Activity that is not normally accessible from the OS UI. It is like when people found initial semi-working code of multiple user profiles on Android 4.1, again not accessible to the users, and later releases added the feature when the code was completed and tested. I think we will see this feature enabled on later Android versions when they get to finish it and find ways to make old applications not crash when permissions are removed.

a straw

[fche]

I wonder how many more overt measures that can be easily interpreted as pro-surveillance pro-advertising need google take, before the masses turn to alternatives like cyanogenmod etc.

Eagerly awaited

[dargaud]

I've been waiting for this for... forever. But not just [Enable]/[Disable], I also want [Produce random fake data] and [Produce data generated by external app hereby selected]. So that I can write or load an app that feeds intelligent but fake info to the others.

Re:Eagerly awaited

[dido]

If you're rooted, you can install the XPosed Framework and the XPrivacy module for it, which will allow you to lie to an app about the permissions it requests. CyanogenMod 10.1 also has such a feature, although the UI is rather clumsy if you ask me.

Re:Eagerly awaited

[guardian-ct]

Android has had a "set fake location for testing" feature for a long time. Even my mostly locked down Virgin Mobile phone has that allowed.

"Settings -> developer options -> Allow Mock Locations"

If you don't have developer options, you may be able to get them turned on from "Settings -> About Phone" by clicking the Build Number, at least 7 times.

Then install one of several location setting tools from Google Play. Set location wherever you want.

Other permissions are harder to fake, but location results are pretty easy to change.

Is there anyone here

[bravecanadian]

Who is surprised?

That data is Google's entire business.

"it could break some of the apps"

[csumpi]

Especially the ones that slurp user data and send it back to the mothership, then whoever the mothership sells it to. I definitely see why they think it was not a good idea.

Who'll be laughing then ....

[Chrisq]

I grew fed up with android years ago. What kind of calculator app requires weekly updates? Dumbphones FTW

You'll be laughing on the other side of your face if we switch our number system to duodecimal or balanced ternary!

Re: Meh

[david_barreda]

Better battery consumption? Optimization? There are lots of reason to update an application.

Am I the only one who sees this?

[The+MAZZTer]

First of all, there was NO UI to activate this feature. The only access was through third-party apps that allow you to launch arbitrary activities (for those not familiar with Android, think application windows) in other apps.

So it was obviously unsupported by Google. The first thing I think of are Chrome's Labs at chrome://flags which carries this warning:

WARNING These experimental features may change, break, or disappear at any time. We make absolutely no guarantees about what may happen if you turn one of these experiments on, and your browser may even spontaneously combust. Jokes aside, your browser may delete all your data, or your security and privacy could be compromised in unexpected ways. Any experiments you enable will be enabled for all users of this browser. Please proceed with caution. Interested in cool new Chrome features? Try our beta channel at chrome.com/beta.

And THOSE are UI-exposed, unlike App Ops. The same warnings would apply to App Ops, if not worse.

Android permissions were built on the assumption that they were all-or-nothing: either the user would install the app and grant all permissions, or the user would deny the permissions and not install the app. It isn't like webpage permissions where the user may decline to allow a page to display desktop notifications or go fullscreen and the page can react to that.

Because apps expect permissions to always succeed, the common approach to making permission-limiting frameworks is to make the app think it still has permission by serving it dummy data, like an empty contacts list, or a blank image purportedly from the camera, so the app still operates.

Google is saying some apps were not compatible, which tells me App Ops still needs work, which explains why they have not formerly released it.

Some people have been using App Ops and now find the UI crashes when you load it, but the underlying feature is still applying the settings. Considering it was an unsupported and experimental feature this is not surprising, and it is not surprising Google removed access. Back when Google Chrome was brand new, occasionally Google would ship Dev builds that would crash on launch for a not insignificant portion of the user base. Such is the risk of alpha software (or in this case, an alpha feature).

Re:IOS?

[Desler]

Settings -> Cellular and then toggle off the apps you don't want using it. For apps you don't want using your location data, you simply deny them when the app runs the first time. If after the fact you want to deny them this permission you go to Settings -> Privacy -> Location Service and again toggle off the apps you don't want to have that permission. And guess what? None of the apps will crash due to these things being turned off.

The saddest part of your post is you probably thought you were going to completely baffle people with the question when these toggles have been part of iOS for years now (if not since the beginning).

Re: Meh

[Wookact]

There are reasons not to update as well: additional ads, removal of liked features. When I find an app and version I like I make a copy of the apk. Then if there is an update that I don't like I can always go back to the old version. I've had to do this with the local newspapers application as it has become bloated with ads, and crazy permissions.

Great in Theory

[ironicsky]

The app is great in theory, but horrible in implementation. I checked out the App Ops functionality and if you don't know what you are doing you can cripple your phone. The problem is it allows you to change the functionality of system apps and core services by denying them access to the device *oops*.

I definitely think this is a needed feature, but it needs to be implemented at installation of apps from the play store. When an app says "We'll need the following permissions" the user should be able to toggle off each one they dont want the app having access to, then use the traditional permissions manager to modify it in the future.. From the App Ops, I learned that Angry Birds accesses your location when you run it. For what user-supporting function? None... There is no reason why it needs access to my location. My Grocery Store locator? That needs access to my location, but not my contacts.

Re:really ?

[Arker]

The difference is that this is really critical functionality that should have been built in and tested from day one, but gets pushed way down the priority stack because of googles conflict of interest in the matter. So it's like that situation a little, but not really.

Re:really ?

[Bob9113]

I think we will see this feature enabled on later Android versions when they get to finish it and find ways to make old applications not crash when permissions are removed.

It is already known how to enable it without crashing the applications; return fake data. The cause of the app failure is not returning any data. There is a tool for returning fake data, which I think was briefly included in CyanogenMod. It causes apps that rely on the data for their revenue stream to continue operating without getting their payment (clean, marketable data). It was decided that tricking apps into operating was, in one way of thinking, using the software without the informed consent of the programmer -- something akin to misappropration -- and so it was removed.

You may not agree with that perspective, but it is the issue that Google is wrestling with: Should they facilitate the ability to prevent apps from knowing that they are not getting the clean data that they currently take as payment for producing the app?

In my opinion, our current standards for acquiring such data are extremely shady, relying heavily on a consumer base that is deeply misinformed of the extent of the surveillance and the risks the data stores pose. Where the balance of good lies between surveillance and countermeasures is hard to tell; it could be that subverting the datastream is pro-social in the long run -- but that is not the side on which Google's bread is buttered. They have a strong motive to see things from the app developers / watchers / revenue stream point of view. A great deal of money flows to Google from informed, uninformed, and misinformed consent to surveillance.

developer ego

[spaceman375]

By far the most annoying permission is abused by developers on every OS I've tried: Launch at boot. Of Course, YOUR app is so very important that it HAS to use time and resources just so it can be ready at all times. Get over yourselves: I'll launch it when I want it. I'd be WAY happy to just be able to deny that one permission on Android.

Re:really ?

[the_B0fh]

https://news.ycombinator.com/item?id=6900762

This indicates that Google actually pulled code out. They could have just re-hidden it. Instead, it is now completely unavailable.

Why are you making excuses for them?

Re:really ?

The old CyanogenMod that I use on my HTC G2 has permission controls. It works by faking the interface that the permission normally provides. Therefore apps do not crash because they still get permission but it's to fake data.

The only problem with it is that it is very out of date at this point and it does not fake the data for all permissions.

Re:Freedom

[x0ra]

AFAIK, there is no iOS equivalent of CryogenicMod ;-)

Re: Meh

[Black+LED]

That is why I always check the change logs before manually updating any app.

Re:really ?

[geminidomino]

It never made it past testing in CM, but it's available for most Android versions, in some form, since 2.3.6.

Gingerbread had pDroid. Then there's pdroid2.0 and openpdroid, which are separate projects to do much the same thing, and openpdroid works for up to 4.2.2 now, AFAIK.

They're a little tricky to get going, You need to be using a deodexed rom (which pretty much means a non-stock custom) and you need to patch whichever $pdroid into it. Once that's done, it's just a matter of running the pdroid manager app and you're set.

NB: Not affiliated with any of the .*pdroid.* projects, just a (paranoid|spiteful) bastard who refuses to use android without them anymore.

Notifications

[tepples]

Without launching at boot, how would an application designed to connect to an Internet service notify you of things relevant to your account on that service? For example, if an app store doesn't launch at boot, then you won't get notified about security updates to your existing apps until you happen to look for new apps, which might not be for weeks.

Re:catch (SecurityException e)

[0123456]

Even if you could do that, app developers have had half a decade in which they never had any reason to do so.

And that attitude is why Android is becoming the new Windows.

'But, but, we can't add security and privacy features, because they would break SuperWhizzoWriter 1993!'

The summary is utter crap.

[Real1tyCzech]

It wasn't a feature. It wasn't "released". It didn't debut in 4.3.

It was in the code for testing only, and never meant to be used outside of Google.

There is almost nothing about this summary that is correct.

But hey; good fodder for the haters to start crying "Foul!" about an OS they don't use....

Re:The summary is utter crap.

[bankman]

You may be right, but that doesn't diminish the fact that this should have been a feature from the very beginning and that its removal is not a step in the right direction from the user perspective.

Oh, and yes, I don't use this OS (or any other smartphone for that matter) for precisely this reason, I can't properly contain and manage the installed software on a very privacy sensitive device.

Re:really ?

[mrchaotica]

Do you really think everyone that download those applications that enable access to this hidden code know what they are doing? People will download it because they saw it on the media, use it, and go to Google Play and start giving bad reviews for applications that have bad behaviour

In this case, the people who are too stupid to use it are also too stupid to know or care why they'd even want to in the first place. It's not as if this is a game or something; it's a settings menu. Nobody's installing it for fun.

what will happen if the access to the IMEI number is hidden giving fake numbers and for some reason a crap application used that to identify the user and for some reason privacy is broken, accessing data of other users?

You answered yourself. They key words were "crap application."

Also, I wish IMEI access was a disable-able permission. Either it isn't, or it's a permission that absolutely nothing on my phone has tried to request.

The bottom line is scenarios like you described, where restricting an app's permission could ever cause a worse problem, tend not to be plausible.

I remember they advised the Cyanogenmod team to not enable multi window feature for all applications because not all of them work without problems with dynamic screen sizes and they didn't want to alienate developers on Google Play with bad reviews for something that doesn't follow the Android APIs. There is a reason Samsung multi window feature only works with some applications and not all of them

I've never used either Cyanogenmod or Samsung's multi window feature, but I would have assumed it just reported the next-smaller screen size class (i.e., a 10-inch tablet in landscape mode would display two apps side-by-side by pretending to each app to be a 7-inch tablet in portrait mode). That sort of thing should be inherently compatible with all apps (at least, all apps that adhere to Google's UI standards).

Re:really ?

[Rob+Riggs]

You may not agree with that perspective, but it is the issue that Google is wrestling with: Should they facilitate the ability to prevent apps from knowing that they are not getting the clean data that they currently take as payment for producing the app?

In my opinion, our current standards for acquiring such data are extremely shady, relying heavily on a consumer base that is deeply misinformed of the extent of the surveillance and the risks the data stores pose. Where the balance of good lies between surveillance and countermeasures is hard to tell; it could be that subverting the datastream is pro-social in the long run -- but that is not the side on which Google's bread is buttered. They have a strong motive to see things from the app developers / watchers / revenue stream point of view. A great deal of money flows to Google from informed, uninformed, and misinformed consent to surveillance.

I completely agree. There is another, related problem that Google needs to address. Users have little recourse when app producers renege on the privacy that was initially sold to the user. For example, I paid for WeatherBug Elite simply because it did not require "phone state and identity" when I purchased it. Guess what? A year later they wanted that information for "Elite" too. I can either accept or not upgrade. I don't upgrade. I have a bunch of apps that are not getting updated because the new perms they ask for are ridiculous. If users cannot maintain the privacy that they paid for, what other options exist for them?

Either privacy has value and must be honored by app producers as part of the sale, or it doesn't and users have the right to block access to private information.

Re:Look at it from a dev's perspective.

[LDAPMAN]

You can selectively reject any permission. In your example, the app would pop up a notification saying that it needed internet access to function. The user could then click "Allow" and the app would continue.

I'll give you another example, an app that can optionally store something in DropBox. Why should require that the permission to do so be granted at install time if it's an option the user might never use?