We need another look at app permissions

Advertisement

Take a look at that computer in your pocket. Yes, I’m talking about your smartphone – or your tablet. They really are full-featured computers, complete with an always-on, high-speed Internet connection. But today’s portables go further than yesterday’s computers ever did.

These days smartphones and tablets know where you are, what direction you’re heading, how fast you’re going, what the barometric pressure is, how many steps you’ve taken, and more. Some know when you’re looking at the screen, others can capture your fingerprints. They can even listen to you and record videos of what’s going on around you. They can send text messages, make phone calls, request data from who-knows-where, and can send all of that data to anywhere in the world.

Scared yet?

All of those describe typical daily activities, so you shouldn’t be worried – but you should be alert and cautious nonetheless.

Michael Fisher, Starfleet

“Enterprise. This. Is. Michael Fisher. One to. Transport. Now.”

The activities that I’ve described can be done by the software that came pre-loaded on your phone from the factory. You need to be able to dial a phone number if you’re going to make a call. You need to be able to send a text if you want someone to receive it. You’ve got to have a camera and Internet access if you want someone to see a picture of your cat, what you ate for lunch today, or your latest cosplay attire.

What if you wanted to install a new app, say it’s some fancy schmancy picture sharing, social network app that lets you ruin enhance your pictures and share with strangers your friends? That app needs access to your files, your camera, your Internet connection, and your location. That makes sense, right?

What about that really patriotic Live Wallpaper of your country’s flag fitfully blowing, half concealing, half disclosing? That app is awesome, right? Sure it is, but what permissions should it need? Perhaps it lets you supply your own images that it turns into flags, so access to your files is in order. But why does it need to dial your phone, send texts, read your contacts, have full access to the Internet and your location, and even wake your phone up at time during the day or night. Seems like a bit much to me.

“Lazy” Developers

When developing for Android, developers often include access to what I like to call “the kitchen sink”. If they think they’ll need access to something (even if they never use it), they declare it. That location permission we were talking about before, that could have been because the developer was planning on adding a realistic “time of the day” backdrop to that flag: sunset, sunrise, high-noon, etc. Perhaps the developer included that feature, or maybe they changed their mind but forgot to remove the reference.

“Malicious” Intent

Another possibility is that the developer knew exactly what they were doing, and deliberately asked for access – and you blindly gave it away. Your intimate, personal information could be travelling across the interwebz right now, being collected and sold to the highest bidder. Or, the app could be sending text messages to premium numbers, racking up charges that you won’t know about until you get your next bill.

What can we do?!

Android already does a pretty good job of telling us what an app will be able to do – before you install it. However,  recent changes in the Play Store have many concerned that Google may be heading in the wrong direction when it comes to app permissions. (You’ll want to stay tuned to Pocketnow while that story develops.) However, most people don’t read that screen and just continue right through, blindly accepting the risks.

We need to take another look at app permissions, and the way they’re presented. There are so many permissions, many people gloss them over.

“Boring! You’re boring everyone!” — Homer J. Simpson

Instead of displaying all the permissions an app requests in a long, boring list, why can’t Google change things to present them one at a time? Something like this:

Phone:

  • This app can directly call phone numbers and read your phone’s status and identity.
  • This may cost you money!
  • The developer says “of course this app has access to directly call phone numbers, it’s dialer, if it didn’t have this it wouldn’t do much, now would it?”
  • What would you like to do? { Allow it }   { Disallow it } { Cancel Install }

Each subsequent permission would be asked the same way. Of course every developer would have to add translated explanations to tell you why each permission is being requested, but the app installer could warn you (“WARNING: The developer hasn’t explained why they need access to this!”) and recommend “Disallow it” as the action for you to take.

This would also encourage developers to only ask for the permissions their app actually needs, since each permission would require a separate approval screen, and would give users a “Cancel Install” button on every screen.

Maybe that’s the best way to fix things. Regardless of what Google ends up doing, some developers have already taken it upon themselves and explain why they’re asking for the permissions they are in the app’s description. Whether they’re being honest or not is another question, but at least you wouldn’t wonder why your Live Wallpaper needs to be able to send text messages.

Advertisement

What's your reaction?
Love It
0%
Like It
0%
Want It
0%
Had It
0%
Hated It
0%
About The Author
Joe Levi
Joe graduated from Weber State University with two degrees in Information Systems and Technologies. He has carried mobile devices with him for more than a decade, including Apple's Newton, Microsoft's Handheld and Palm Sized PCs, and is Pocketnow's "Android Guy".By day you'll find Joe coding web pages, tweaking for SEO, and leveraging social media to spread the word. By night you'll probably find him writing technology and "prepping" articles, as well as shooting video.Read more about Joe Levi here.