New Permission System Could Make Android Much Less Secure

capedgirardeau writes: An update to the Google Play store now groups app permissions into collections of related permissions, making them much less fine grained and potentially misleading for users. For example, the SMS permissions group would allow an app access to both reading and sending SMS messages. The problem is that once an app has access to the group of permissions, it can make use of any of the allowed actions at any time without ever informing the user. As Google explains: "It's a good idea to review permissions groups before downloading an app. Once you've allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won't need to manually approve individual permissions updates that belong to a permissions group you've already accepted."

How is this a good idea?

[matthewmok]

I don't think it has to be explained why this is a potential problem. So then, it should be explained why this is such a great idea that the problems it creates are insignificant.

Re:How is this a good idea?

[Russ1642]

They should be moving towards a model where you can individually allow or disallow a permission, even if the app says it requires it. But this would cause chaos for all those apps that require 'full internet access' so they can push ads, collect data, invade your privacy, and molest your children.

Re:How is this a good idea?

[Grishnakh]

The absurd permission demands from simple, crappy applications is why I'd love to see a real alternative to Android that doesn't cost Apple prices.

It seems like Cyanogenmod is probably the best alternative available right now.

Re:Whew

[GuyverDH]

Alert! Alert! Sarcasm overuse detected!! (at least I hope that's the case).

Well, no.

Google wants companies to actually write apps for the Google Play store. If they give end-users too much power over the permissions, they drive companies out of the Google Play store and over to the Apple store.

On the other hand, Google also wants end-users to actually buy these products. By grouping permissions up, they seem innocuous, so users feel less threatened (even though they should feel more threatened) and will buy the stuff.

From a business perspective, this move makes perfect sense. From an educated geek end-user's perspective, it really sucks. But what are you going to do? The world you want to live in does not exist.

Re:Well, no.

[epine]

From a business perspective, this move makes perfect sense. From an educated geek end-user's perspective, it really sucks. But what are you going to do?

First of all, I'm not going to purchase any of those fancy apps. I'm going to use my smart phone as for phone calls, photographs, maps, and web browsing. While it's truly a waste of a beautiful technology, it's merely inconvenient not to bother with all those invasive programs.

I consider the new security model worse than not having the apps at all.

Re:Well, no.

Don't be a fool. What you just said is similar to saying "Well, we can't give Google root because it violates the sandboxing model" - except Google effectively has root because they wrote the damn operating system.

Root is there for responsible use, and fixing a permission problem is a responsible use. After this latest turn of events, it may be more responsible to install a better permission system than the one Google wants to use.

Another way of putting it: "If Google dummies down permissions, what sandbox runtime model even still remains to throw out the window?"

Re:you should be able to...

[kaladorn]

Want to backup your Notes? Oh wait, that's a hidden db and you need a @me.com email address...

It isn't a permission per se but Apple has a lot of their own lock-in in how they do things.

Xprivacy fixes that (Xposed Framework)

[krelvin]

I use Xpivacy which is a module add on to Xposed Framework to control permissions now. Have been using it for sometime. Allows using something like the Facebook app without allowing it all of the permissions it thinks it neededs.

Not really sure what Google is thinking though. There needs to be more fine control of permissions not less.

Straw on the camel's back

[losttoy]

Being a Linux geek since '95 (and somewhat of annoyed-by-all-things-apple person), I bought an Android phone ever since they became available commercially. Did that for five years, ran custom roms and put in an Android patch to maintain a permissions firewall. It was one big PITA from a usability point of view. One day, I saw my banking app looking at my call log and that broke the camel's back, for me. I realized Google simply isn't interested in protecting my privacy. The whole you-can-see-what-perms-app-is-asking-for-before-install is a smokescreen. It doesn't scale. Pushing security problems to the user won't work for 99% of the userbase. Hell, it didn't even work reliably for a Linux nerd like me. By contrast, Apple only exposes a handful of data/attributes to ANY app. An iOS app can't look at or even ask look at my SMS, call log and practically most of the stuff - now, that is a sandbox. Also, from a business point of view, Apple makes money by selling me a phone so yes, they have some incentive above that to milk me for analytics but they aren't Google, who don't make much money when I buy an Android phone. For Google, I am the product. So, I switched to iOS (phones and tablets) and actually since then have switched from Gmail to Fastmail, Picasa to SmugMug. With these switches, my privacy is better protected and even usability is better (Picasa, for me, died when Google started shoving G+ Photos down everyone's throats).

Re:Straw on the camel's back

[Tanuki64]

Google simply isn't interested in protecting my privacy.

Or they are simply not able to do it. Google is seen by many as the software olymp. When I started developing for Android I was appalled by what a crap system Android really is. Buggy as hell and needlessly difficult to use. Maybe the Android developers are simply overstrained by their own system and needed to simplify it.