In their latest nightly build, the CyanogenMod team has introduced a new feature to Android: the ability to revoke app permissions. Android’s market app informs the user of all required permissions at the time the app is made available for download, but provides no way to use an app while withholding a permission you don’t want to authorize, so app permissions are a take-it-or-leave-it decision. This can be a concern if, for example, you wanted to use Adobe Reader without allowing it access to your email, or play Angry Birds without utilizing the in-app payment system.
CyanogenMod enhances this permission support by introducing several new features to the app permission system. With the ability to revoke permissions, an application can be installed and its access to features such as your contact list revoked, allowing you to use the app without worrying about that data being exposed. However, as applications are typically designed assuming they will have access to these secure areas, revoking their access is likely to cause a force close unless the app is well-coded to handle this scenario.
To accommodate these apps, the new feature also supports transparent “spoofing” of access for certain permissions such as phone state and phone ID. This allows the system to return false data rather than deny access, which circumvents the force close issue in many cases. However, the spoofing feature is currently available only for these two permissions, with more coming soon. It should be noted that revoking permissions is done through a widget in the settings app, and so does not take effect immediately at install-time. This may result in apps having access to the permitted areas for a period of time before you revoke it, even if the app was never specifically launched (some apps run services in the background), so caution must still be used in trusting downloaded apps.