Whoah! How many Google Play apps want to read your texts?

A security firm has criticised Android's all-or-nothing permission approach, arguing it unnecessarily creates extra privacy risks for businesses and consumers. Users are obliged to accept an entire laundry list of requested permissions before they can download an Android app. Disagreement on any point means that the software …

  1. Anonymous Coward

    The Facebook app wants to be able to reconfigure your wireless connections along with other totally ludicrous permissions. Facebook don't seem to be willing to explain why they need these permissions even though they demand such details from people developing Facebook applications.

    1. Steve Evans

      Facebook are a huge offender.

      Luckily the play store recently introduced a "do not automatically update" flag you can set against apps who are creeping the permissions. Assuming you already have an older version you don't object to.

      Others in my offenders list are Absolute Radio who now want location, contacts/calendar

      Amazon, Ebay who want fine location information

      BT Wi-Fi (which is just supposed to auto logon to BT wifi APs) for SMS, Phone, Photos/media

      The list goes on.

      If you've got a rooted phone, I recommend Xprivacy. You can block permissions after you have installed, and at a far more granular level.

      1. Craigness

        "do not automatically update" flag

        Apps which have new permissions will not be updated automatically no matter how your flags are set. Additionally, pressing "Update All" does not update those apps - it notifies you of changes* and prompts you to accept or skip the update. I have a number of apps in my Updates list which have been there for many months following the introduction of an unnecessary invasive requirement.

        It *used* to notify you of the changes, but after their "simplification" of the permissions system it just says that something is different and leaves you to work out what it is.

        1. Anonymous Coward

          Re: "do not automatically update" flag

          "It *used* to notify you of the changes, but after their "simplification" of the permissions system it just says that something is different and leaves you to work out what it is."

          This is false. It tells you what permissions have been added.

      2. Kanhef

        Amazon and Ebay aren't actually that unreasonable – they're probably trying to look up your postal/zip code so they can automatically calculate shipping costs. Still, it would be nice to have the option to turn that off, in case you're shopping while not at the location you want things delivered to.

      3. Anonymous Coward

        "Luckily the play store recently introduced a "do not automatically update" flag you can set against apps who are creeping the permissions. Assuming you already have an older version you don't object to."

        It doesn't auto update an app that has changed permissions anyway. Never has.

        But also regarding the point of this article, that Android users who are too dumb to root can't manage permissions... how is that different from any other phone? On iOS they don't even tell you what Steve Jobs approved magical apps even do.

    2. Paratrooping Parrot

      For Facebook, I just use the mobile website. So much safer than giving all sorts of permissions.

      1. Someone Else Silver badge
        Coat

        @ Paratrooping Parrot

        For Facebook, I just...don't. So much safer than using it.

    3. James Micallef Silver badge

      From Android systems permissions page - https://developer.android.com/guide/topics/security/permissions.html

      "Applications statically declare the permissions they require, and the Android system prompts the user for consent at the time the application is installed. Android has no mechanism for granting permissions dynamically (at run-time) because it complicates the user experience to the detriment of security."

      This is complete BS. It's no more complicated for users to grant permissions once at first runtime than once at install time. The document also makes no mention of why permissions are 'all-or-nothing'. Why can't I install an application but give it only a subset of permissions it asks for? Every app should be able to run gracefully even if denied certain 'optional' permissions. (Of course some permissions will be essential for some apps depending on their function, but in this case it's up to the developer to explain why certain permissions are needed)

      1. Tinker Tailor Soldier

        How do you make sure of this?

        As you said, some permissions are essential to the app function. How do you deal with the inevitable moron that denies net access to their mail app? And how many apps in practice respond gracefully to having random things from the system fail. I don't think that Android necessarily strikes the right balance here, but the matrix is large and users are stupid.

        1. Adam 1

          Re: How do you make sure of this?

          >How do you deal with the inevitable moron that denies net access to their mail app?

          You allow the developer to specify whether the token is mandatory or optional and you let them formally declare why they want it so the user can see it on the play store. The user can't reject a mandatory token but can reject an optional token.

          The developer can then access a method to return whether token xyz is available. If not, they can hide the relevant button on the ui and offer a cut down experience of their app.

          For backwards compatibility you could even assume all permissions of existing apps are mandatory. Over time, competitive forces should make developers think twice about the permissions that they demand. Google could even allow you to compare the permissions matrix between a group of apps selected by the user and add a filter to allow users to exclude apps with specific permissions.

          Simples!

          1. Anonymous Coward

            Re: How do you make sure of this?

            "The developer can then access a method to return whether token xyz is available. If not, they can hide the relevant button on the ui and offer a cut down experience of their app."

            Except that if you can revoke permissions at any time, those functions would have to be called every time anything is done in the app ever. Making it ridiculously slow.

            1. Adam 1

              Re: How do you make sure of this?

              "Except that if you can revoke permissions at any time, those functions would have to be called every time anything is done in the app ever. Making it ridiculously slow."

              Firstly, I did not describe a model where users could revoke permissions at any time. I suggested that they could choose which optional tokens they accept.

              Secondly, the permissions are held in a manifest, and the OS could quite easily maintain a hashmap of application/permission. Even on modest phone hardware this would be capable of several hundred thousand containsKey calls per second. I am really racking my brains to imagine what sort of overheads you are imagining. I would be unsurprised if the OS does this behind each API call anyway.
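
The optional/mandatory token scheme discussed in this sub-thread, together with the hashmap lookup and the legacy "everything is mandatory" fallback, modelled as an added Java example. It is not code from any commenter or from Android: the `PermissionRegistry` class, its methods, the app ids and the contact values are hypothetical or constructed, and only the permission names are real Android ones (needs Java 16 or later for `record`).

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical model of the scheme proposed in the thread; none of this is Android API.
public class OptionalPermissionModel {

    // One manifest entry: token, whether the user may refuse it, and the developer's stated reason.
    record Declared(String token, boolean mandatory, String reason) {}

    // OS-side table: app id -> tokens actually granted at install time.
    static final class PermissionRegistry {
        private final Map<String, Set<String>> granted = new HashMap<>();

        // Mandatory tokens are always granted; optional ones only if the user did not reject them.
        void install(String appId, List<Declared> manifest, Set<String> userRejected) {
            Set<String> tokens = new HashSet<>();
            for (Declared d : manifest) {
                if (d.mandatory() || !userRejected.contains(d.token())) {
                    tokens.add(d.token());
                }
            }
            granted.put(appId, tokens);
        }

        // Backwards compatibility: a legacy manifest has no optional flag, so every token is mandatory.
        void installLegacy(String appId, List<String> tokens) {
            granted.put(appId, new HashSet<>(tokens));
        }

        // The "is token xyz available" query an app would call before showing a feature.
        boolean isGranted(String appId, String token) {
            Set<String> tokens = granted.get(appId);
            return tokens != null && tokens.contains(token);
        }

        // Enforcement behind a protected API call: the same lookup, failing closed.
        List<String> readContacts(String appId) {
            if (!isGranted(appId, "READ_CONTACTS")) {
                throw new SecurityException(appId + " lacks READ_CONTACTS");
            }
            return List.of("constructed-contact-1", "constructed-contact-2");
        }
    }

    // App-side code: check first, and still survive a refusal from the OS.
    static String shareScoreFeature(PermissionRegistry os, String appId) {
        if (!os.isGranted(appId, "READ_CONTACTS")) {
            return "share button hidden";
        }
        try {
            return "share button shown for " + os.readContacts(appId).size() + " contacts";
        } catch (SecurityException e) {
            return "share button hidden";
        }
    }

    public static void main(String[] args) {
        PermissionRegistry os = new PermissionRegistry();
        String app = "com.example.game"; // constructed app id

        List<Declared> manifest = List.of(
            new Declared("INTERNET", true, "download levels"),
            new Declared("READ_CONTACTS", false, "send your high score to friends"),
            new Declared("ACCESS_FINE_LOCATION", false, "local leaderboards"));

        // The user refuses contacts and also tries to refuse the mandatory token.
        os.install(app, manifest, Set.of("READ_CONTACTS", "INTERNET"));

        for (Declared d : manifest) {
            System.out.printf("%-22s %-9s granted=%b  (%s)%n", d.token(),
                d.mandatory() ? "mandatory" : "optional", os.isGranted(app, d.token()), d.reason());
        }
        System.out.println(shareScoreFeature(os, app));

        os.installLegacy("com.example.legacy", List.of("INTERNET", "READ_CONTACTS"));
        System.out.println(shareScoreFeature(os, "com.example.legacy"));

        // Rough cost of the lookup; the figure depends on the device and JIT warm-up.
        int hits = 0;
        long start = System.nanoTime();
        for (int i = 0; i < 1_000_000; i++) {
            if (os.isGranted(app, "INTERNET")) hits++;
        }
        long micros = (System.nanoTime() - start) / 1_000;
        System.out.println(hits + " lookups in " + micros + " microseconds");
    }
}
```

The rejected mandatory token stays granted while the rejected optional one does not, and the app-side check and the OS-side enforcement share the same map lookup.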

      2. Anonymous Coward

        "Why can't I install an application but give it only a subset of permissions it asks for?"

        Because then you'll whine when you go to use the function that requires that permission and it crashes your phone. Derp.

        1. tecnofantom

          You're missing the fact that most of the permissions requested by Android apps have no relevance to the actual functionality of those apps, so you can safely block them without the app crashing. I'm speaking from experience here, not theorising.

  2. Fihart

    Yup, that's why I won't use apps.

    I was just about to add a useful app when I read the permissions agreement and went "no way !"

    Google's arrogance undermines one of the main benefits of Android.

    1. IcyBee

      Re: Yup, that's why I won't use apps.

      Have you noticed the subtle change to the play store that Google made a few weeks back?

      They have decided that all apps need "full network access", so it doesn't tell you that it has granted permission for them.

      I noticed this when I installed a game that required "no special permissions" that then started serving ads.

      I've decided to restrict my apps to those offered by F-Droid. You can't trust anything on the Play store any more.

      1. Paratrooping Parrot
        Happy

        Re: Yup, that's why I won't use apps.

        Thank you for that. I was getting really annoyed at the Play Store applications. I never heard of F-Droid before.

    2. Robert Helpmann??
      WTF?

      Re: Yup, that's why I won't use apps.

      It obviously does not stop with Android. I don't recall getting any sort of notification that Chrome would be able to access my web cam and mic. I just happened to notice that it had spawned yet another process. I realize that Flash and similar do this, but I can choose to enable, disable, or uninstall these if I wish. Now, Google have embedded this in their browser. Additional bloat, no or ill-defined user controls, and more... what's not to love?

      Google seems to be intent on undermining any expectation that consumers should have control over their online lives. This is definitely not what I want to deal with.

      1. Craigness

        Re: Yup, that's why I won't use apps.

        Having the browser access the webcam is for WebRTC - skype-like functionality without the invasiveness. They'll all have it soon if they don't already, so get some blu-tack on your camera!

        1. synonymous cowherd

          Re: Yup, that's why I won't use apps.

          or some black electricians tape, it fixes all kinds of problems

      2. tecnofantom

        Re: Yup, that's why I won't use apps.

        Start by not using Chrome - and switch to FireFox.

    3. ItsNotMe
      Happy

      Re: Yup, that's why I won't use apps.

      I use apps...but I have SMS messaging blocked on my phones...both outbound & inbound. No worries here.

  3. Whitter
    Devil

    El Reg story conjunction

    "If you have a security hole, if no one else can help ... maybe you need the Google ZERO team"

    Unless you are the Google App team it would appear...

    1. Anonymous Coward

      Re: El Reg story conjunction

      One thing that concerns me.

      Say, none of these apps are malicious or have malicious intent such that they install backdoor trojans or steal bank accounts or what not. So, why the required access to so many things? Why, if I install a simple app to convert from one unit to another, does it need access to my camera, my microphone, my wifi info, my storage, other devices on my network (Yes, there are apps that ask this)?

      What info are they gathering and what is being done with this? Is it being sold, kinda like people used to do with telephone numbers and email accounts? Who is buying it?

      In a world where every country now seems hell bent on collecting as much info about every living person in and out of their borders, it makes me wonder.

      I feel somewhere that there is a huge profile of me, just sitting.

  4. d3rrial

    Root

    Well, technically one can always root the phone and withdraw the permissions...

    1. NogginTheNog

      Re: Root

      You're suggesting you buy something, then have to break in to it in order to make it perform acceptably?

      1. ElReg!comments!Pierre
        Coat

        Re: Root

        "You're suggesting you buy something, then have to break in to it in order to make it perform acceptably?"

        Yes, the Apple-envy at Google is almost uncanny.

      2. Anonymous Coward

        Re: Root

        "You're suggesting you buy something, then have to break in to it in order to make it perform acceptably?"

        Yeah, configuring things is insane! Personally, I refuse to adjust the seat in my car. The factory position is the only one for me!

    2. fruitoftheloon
      Happy

      Re: Root

      Chaps,

      one has found permission manager [on a standard Note ii] to be effective (if not necessarily intuitive) for withdrawing permissions after an app has been installed: https://play.google.com/store/apps/details?id=com.appaholics.applauncher&hl=en

      Ymmv.

      J.

      1. Graham Marsden
        Unhappy

        @fruitof theloon - Re: Root

        Nice suggestion, but on looking at the details...

        Android 4.3 ONLY | NO ROOT | NO ADS

        and:

        Updated - November 8, 2013

  5. Mage Silver badge
    Facepalm

    I agree

    Despite the commercial axe to grind the Android model is COMPLETELY wrong.

    Each aspect should be denied by default.

    Only asked for activation when the Application needs to access it and then either:

    Allowed once.

    Denied this time.

    Allowed every time unless user changes it later (Choice of notification or not)

    Denied every time unless user changes it later (Choice of notification or not)

    All settings to be accessible without launching the App.

    1. John Robson Silver badge

      Re: I agree

      One missing:

      Simulate null data.

      So when the app asks to read SMS you can either deny it, or pass it an empty list.

      When it asks to send you can either deny, or accept the message and then discard it.

      When it asks for location you can tell it you're in Greenwich (or some other selected place) or tell it to sod off...

      1. monkeyfish

        Re: I agree

        Ah, so what you're basically saying is that you would prefer to be using iOS or WP?

        <--- Ducks for cover.

    2. Anonymous Coward

      Re: I agree

      "Each aspect should be denied by default.

      Only asked for activation when the Application needs to access it and then either:

      Allowed once.

      Denied this time. [...]"

      So basically you want Windows Vista on your phone?

    3. tecnofantom

      Re: I agree

      That's why I prefer to run the CyanogenMod version of Android, which with its Privacy Guard feature allows you to selectively block access to things that apps don't really need. You can also set Privacy Guard to be active on all apps by default. CM has been made very easy to install on a number of popular devices using the install tool on their web site.

  6. Buzzword

    Maths

    68 per cent of apps (that request SMS permissions) ask for the ability to send SMS messages;

    28 per cent of apps (with SMS permissions) also request read SMS access;

    So out of a hundred apps which request "SMS permissions", 68 can send and 28 can read. What do the remaining 4% of apps do, if they request SMS access but neither read nor send?

    1. Paul Hayes 1

      Re: Maths

      I think you've misunderstood.

      68% of apps request SMS send access

      28% of that 68% request SMS read access as well as send.

      Is how I read it.

      1. R 11

        Re: Maths

        Seems hugely unlikely. I check permissions before installing any app, and don't recall any unusual ones asking for read/send SMS permission. So I dig around and find the actual source for the article: http://research.zscaler.com/2014/07/and-mice-will-play-app-stores-and.html

        And sure enough, of the 75k apps, 7% ask for SMS permissions, or 5,250 of the 75,000 tested.

        68% of apps with SMS permissions have the ability to send, so 68% of 7% is 4.76% of apps, from the 75,000 tested, can send text messages.

        1. Craigness

          Re: Maths

          "7% ask for SMS permissions"

          I facepalmed when the "68% of a subset of apps" part came up. It's like Anchorman: http://www.youtube.com/watch?v=pjvQFtlNQ-M

        2. Anonymous Coward

          Re: Maths

          "And sure enough, of the 75k apps, 7% ask for SMS permissions, or 5,250 of the 75,000 tested.

          68% of apps with SMS permissions have the ability to send, so 68% of 7% is 4.76% of apps, from the 75,000 tested, can send text messages."

          Not trying to bash the register here, but the media in general... kind of sad when the comments have done more research than the article. Reg should hire you.

  7. ACZ

    Yup.. rubbish permissions handling in Android

    Like the article says (and various other articles have said before and commentards commented on), this is a fundamental problem with Android. I've got a Nexus 5 and Android's permissions handling is the main thing that would push me back towards using an iOS device.

    1. Sven Coenye

      Re: Yup.. rubbish permissions handling in Android

      It is not all sunshine and roses on iOS either. It can grant total control over the phone without even telling you it did.

      We use a hosted Exchange domain via outlook.com. After MS switched that to O365, my Android phone popped up a request to install a device administrator that would give MS permission to go as far as wiping the phone, including vaporizing all other data. On iOS, you do not get that warning.

      1. sabroni Silver badge
        Thumb Up

        Re: iOS is worse!

        Oh, that's fine then. Carry on!

        1. Anonymous Coward

          Re: iOS is worse!

          BlackBerry 10 is lots better. As a BB10 user, I'm feeling smug...

          1. Kevin Johnston

            Re: iOS is worse!

            I would be careful with your degree of smugness.....I too like BB10 but when I wanted a spirit level and thought 'there must be an app for that' I found the first three all wanted access to my contacts and the Internet???????

            1. Anonymous Coward

              Re: iOS is worse!

              "I would be careful with your degree of smugness.....I too like BB10 but when I wanted a spirit level and thought 'there must be an app for that' I found the first three all wanted access to my contacts and the Internet???????"

              The difference is that if it's a native BB10 app you are in complete control of what an app can and cannot access. So you can take an app that wants to do things like access the internet, and stop it doing that. Unlike Android. Most of the apps I've de-permissioned don't seem to care anyway.

              Interestingly you cannot change the permissions settings of Android apps running on top of BB10. Seems that highly undesirable characteristic of Android has followed the apps across...

      2. James Micallef Silver badge
        Meh

        Re: Yup.. rubbish permissions handling in Android

        So, anyone know what permission handling is like on Windows Mobile?

        1. Anonymous Coward

          Re: Yup.. rubbish permissions handling in Android

          I don't remember seeing any permissions at all.

          1. cambsukguy

            Re: Yup.. rubbish permissions handling in Android

            WP mentions required permissions in the store listing, lists them at install time, and apps prompt for location permission, if required, when first run.

            When an update occurs, a list of apps in the update list (when using update all) shows those that want location.

            These always appear to be legitimate. Some apps will work without knowing your location, not certain which but I have seen the prompts like "...works better with location to give you more accurate results...", IMDB might be an example.

            MS specifically state that the location given is anonymised, but I am not sure how that makes sense if the app knows who you are. Mind you, the phone identity doesn't tell the app who you are so they basically may have a phone they know and a location they know but they still don't know who you are exactly.

            1. Steven Roper
              Thumb Up

              Re: Yup.. rubbish permissions handling in Android

              "MS specifically state that the location given is anonymised, but I am not sure how that makes sense if the app knows who you are."

              It makes perfect sense, when you consider that MS is simply saying "It's anonymised" as placatory buzzword blurb intended only to allay your privacy concerns and get you to buy the product - or BE the product, as the case may be.

              "Anonymised" doesn't actually mean anything to these people, to them it's just another meaningless buzzword that they've figured out that consumers like to hear, along with expressions like "scientifically proven" and "as seen on TV."

    2. tecnofantom

      Re: Yup.. rubbish permissions handling in Android

      Install CyanogenMod 11 on it, and you won't look back. Very easy to install via http://www.cyanogenmod.org/

  8. ElReg!comments!Pierre

    Real concern but rubbish assumptions

    Most people I know choose their apps first by comparing the list of permissions asked; only after that do they compare looks etc. Literally all the people I know who own an Android device have at least once refused to install an app because it asked for unreasonable permissions.

    So, the concern is real, and it is a pain in the nads that you can't handpick permissions that you grant (well, without getting your hands dirty under the hood at least). But the assumption that it results in people not paying attention to security is -in my limited experience- rubbish.

  9. Anonymous Coward

    What about access to calls?

    More and more apps (Amazon, Facebook, Linkedin) want access to your calls as well, to know who you're calling or who you've been called by.

    You should be able to deny any of the permissions, not just a blanket deny all so I don't get the app.

    1. fruitoftheloon

      Re: What about access to calls?

      Ac, depending on your version of android, you can do that, see my post above..^

      Ymmv

  10. Stretch

    Yes this sucks but it's the app writers' fault not google, they request ludicrous permissions for their apps.

    1. Anonymous Coward

      Yes this sucks but it's the app writers' fault not google, they request ludicrous permissions for their apps.

      No it is definitely Google's fault. It is their flawed model that makes this possible and their stubbornness to change it that is making me consider switching back to iOS.

    2. big_D Silver badge

      I would say it is "not just Google's fault." They are the ones who decided to make permissions all or nothing, with no way for the user to decide and fine tune access.

    3. bazza Silver badge

      "Yes this sucks but it's the app writers' fault not google, they request ludicrous permissions for their apps."

      It's not ludicrous from their commercial point of view. If they can make more money by doing so then they will. They have to make a living after all, and Android is a crummy platform to try and sell software on given that piracy is appallingly easy.

      Google have a slight problem. If they improve the end users' control of permissions then the free apps will disappear because the app writers will lose their profit making model. And without major changes to Android it will remain ludicrously trivial to pirate paid-for apps. In short, Google have carelessly pushed out an underdeveloped, badly thought out mobile ecosystem that will one day cause catastrophic damage to their reputation, and it's too well entrenched now for them to make the necessary changes.

  11. big_D Silver badge

    Waiting

    One of the games I had suddenly changed its requirements. It went from needing next to no permissions to wanting contacts and network access. I put off upgrading for a while - it was to enable finding friends and playing in tournaments with them, which I didn't need.

    1. Craigness

      Re: Waiting

      They should use the Play Games service. Apart from doing all the heavy lifting for the developer, it uses Google Plus circles instead of the contacts list. Even if you do have contacts in your circles, you can select not to share any circles with the app.

      1. big_D Silver badge

        Re: Waiting

        And how does that work on iOS and WindowsPhone? If the game is cross platform, you pretty much have to do the heavy lifting yourself, or you silo your players and friends can't challenge each other, if they have different devices.

  12. Jonathan Richards 1
    Unhappy

    Don't forget the camera...

    Several apps I run have recently asked to add to their permissions on update to be able to take pictures and record audio at any time. I am sufficiently creeped out by this to have installed Disable Camera.

    I totally agree that the permissions model is not correct, and the recent "simplification" has made things worse. Updates *used* to tell me which permission requests were new, and now they don't.

  13. This post has been deleted by its author

  14. Olius

    Old news but still not fixed!

    Unbelievable that Google refuse to fix this. People have been saying for literally YEARS that the OS could easily fake giving the app all the permissions it wants and supply dummy GPS, a tmpfs filesystem instead of SD, a fake SMS list etc etc ETC, but Google will not listen.

    Here's a bug report of this from *2009* -

    https://code.google.com/p/android/issues/detail?id=3778

    1. Anonymous Coward

      Re: Old news but still not fixed!

      You shouldn't have to send dummy data. Any app should check for a permission before trying to access it. My Nexus 7 has no SMS client, no phone dialler etc. so, any apps that require those and try to access them will probably crash unless the code sensibly checked beforehand.

      There are perfectly sensible reasons why certain functions are not available to apps, not just the revocation of permissions. Tablets with no 3G chips, PC/dongles with no cameras, no wifi for all devices at times.

      If any app crashes because I don't want it to have access to SMS, contacts etc., then it is poor coding by the dev.

      Seeing as Google and Facebook compete for the advertisers' dollar, surely anything that allows Google users to restrict the tentacles that the FB app tries to wrap around their devices would be seen as a good thing?

      1. sabroni Silver badge

        Re: Any app should check for a permission before trying to access it

        and if that permission changes? Apps need to gracefully handle things failing, whether that's because of a permission or some other error. There's no harm in checking first obviously, but that's no excuse for crashing if the call fails.

      2. Nick Ryan Silver badge

        Re: Old news but still not fixed!

        I too have a Nexus 7, and install apps on it rather than my phone for precisely this reason - no SMS, phone dialler, etc. really restricts what apps can do. I've deleted and purged quite a few apps where it turns out that they implement cretinous behaviour such as install system notification processes, reminding you to come back to play the game and other nonsense. It's a ****ing game, why does it need to know when my device starts up?

      3. Olius

        Re: Old news but still not fixed!

        Sorry, didn't see this response, don't know if this thread is still alive, but...

        At the time - and at any time - there are MANY apps already written. The original bug report suggested that these permissions should be even more granular and should be user selectable both at install time and at any time after.

        Google's, rather valid, argument was that the existing apps would break if this were done.

        The counter argument was that apps that didn't handle being denied access they are expected and crashed (due to being old or poorly written) could be allowed to cope by having dummy data given to them through these interfaces rather than being explicitly denied access to them and having unhandled "access denied" errors thrown. This would give the best of all worlds - a set of apps that are stable under all user conditions, and improved security for the user.

        This counter argument was ignored and the bug report closed for reasons never expressed.

  15. Joe Harrison

    The way I limit this

    1. Cyanogenmod "privacy guard" natively allows you to prevent apps looking at your private stuff, contacts etc. regardless of what permissions the app thinks it has.

    2. Use a PAYG SIM and not put much credit on it. That way a rogue premium dialler can at worst cost me ten quid or so.

    Not saying this is a complete fix but it prevents the two most heinous problems.

  16. thomas k.

    and Google doesn't care

    how bad these apps are for security because they get their commission on each sale of the app.

    1. thesykes

      Re: and Google doesn't care

      The Facebook app is free, so Google's cut of nothing doesn't pay many bills and the FB is one of the worst culprits for excessive, intrusive and unnecessary permissions.

  17. Novex

    Rooting

    I didn't buy an Android phone until I felt sure I could root it and install a 'firewall' around the core (in my case I use xprivacy). Despite having to do that, and keep an eye on xprivacy settings too, I'm very glad I did as some of the app permission requests beggar belief.

    However, I agree with comments above that such pullovering ;-) about shouldn't be necessary. There really should be a proper permissions capability built into Android right 'at the core' giving a user total control over what data and facilities can be seen/used by any application, without having to do such things as 'booting and rooting'.

  18. Sandy Ritchie

    Solutions?

    BB OS10.2.1 (or 10.3 when it drops), It runs Android Apps in a sandbox, just sayin'

  19. Badvok

    Google has yet to respond to our request for comment on Zscaler's research.

    Err, I think they already did - it's called Android L I believe.

    Though with the speed that new versions of Android actually make it into real use we'll be stuck with a crappy permission system for some time yet.

  20. durbster

    What I don't understand is why they don't force developers to explain WHY they need access to each feature. Sometimes it might want access to something for entirely innocent but slightly obscure reasons, so you're never quite sure whether to be suspicious or not.

    Rather than saying this app requires access to:

    Your camera

    Your contacts

    SMS

    It should say this app requires access to:

    Your camera: To see if you have a moustache

    Your contacts: To allow you to send your high score to your contacts

    SMS: To text your mum and tell her your phone is secure

    1. Andrew Jones 2

      Decent developers with respect for their users - do in fact list why they request various permissions right in the description of the app.

      1. phil dude
        Thumb Up

        mandatory...

        making it mandatory, would be a good start...but +10^6 upvotes for the list earlier regarding fake information...

        P.

  21. Terry 6 Silver badge

    Developer's reasons

    I NEVER install an app that wants phone access, (unless it's a phone app).

    But almost all the ones I look at do require this. For no apparent reason at all.

    And phone access is a big blanket permission. It's your total phone history, who you spoke to and when.

    So sometimes I email and ask why.

    Very few reply.

    One or two that did have had excuses like, "So that it doesn't interfere with your calls."

    Which is pretty much just a load of bollocks.

    I just assume that if an app wants access to my call it's because they are gathering this into a database.

    1. Craigness

      Re: Developer's reasons

      AFAIK Android does not send out alerts to apps when a call comes in. So if you have an app which plays music or makes some kind of noise, it has to have access to the phone APIs in order to know when to mute itself. Because the API is not sufficiently fine-grained, developers need to ask for a lot of private information in order to behave nicely when your mum calls.

      So the good developers will ask for this permission. But so will the bad ones.

  22. Colin Miller

    Permission changing apps

    Apps such as Advanced Permission Manager let you remove permissions from other applications.

  23. Whitter

    Not just what and why - but what, why and when

    An app needs SMS access to allow it to send/receive authorisation codes for example: this may be a good thing to do. But the permission will let it access/send any SMS messages anytime. Dragons beware: even if the original app designer doesn't intend to abuse the privilege(s), a hacker piggybacking on it might. Or the big megacorp that buys out the designer with greedy eyes on the contact lists of its userbase.

  24. thomaskwscott

    Focusing on SMS

    SMS seems a strange thing to focus on. Especially since in KitKat only the default SMS app is allowed to send SMS and there are actually now two types of Receive SMS with the default app getting one and any other apps getting a far more limited version. It seems Google are taking steps.

    That said, the model where permission is granted as required is so much better. App developers almost never tell you why they need those permissions so you have to make a choice to trust them without knowing the details of their usage. An on demand model would be much clearer to the user. Maybe we'll get it in Android 5?

  25. Anonymous Coward
    Pirate

    Oh, how the IT world changes....

    ... and only for the better, of course. ;-)

    At one time you needed anti-virus software to protect yourself from unwanted software. Now it seems there is an opportunity for the AV vendors to provide protection from wanted software.

    [Skeleton icon == too old for this now]

  26. Anonymous Coward
    Big Brother

    Android permissions cannot be revoked after installation?

    "Android permissions cannot be denied or granted after installation"

    ref: 'This is all changed with a hidden feature released in version 4.3 (Jelly Bean), which allows users to revoke permissions after installing a particular app'

    ref: 'Android 4.3 has a hidden feature! It's called "App Ops" and it lets you selectively disable some permissions for your apps'

    1. Kanhef

      Re: Android permissions cannot be revoked after installation?

      Apparently you missed the bit about Google removing access to App Ops late last year; as of 4.4.2, you can't use it without rooting the device, and it's possible they'll remove it entirely in future versions.

  27. Uncle Ron

    The 'Why' of it is not that clear...

    I can see why some app developer would want permissions to do all sorts of things in order to monetize its free app. But it shouldn't be allowed. Apps ask for all manner of stuff that is in no way required by the app to function. That should be the end of it. I don't load any but the most high viz apps (like Netflix, MLB, etc.) and won't load any that require permissions beyond what the app needs to function. I think Google should clamp down. I'm sick of it. No app needs my friends' e-mail addresses in order to function. The developer is simply selling these addresses to third parties. Shouldn't be allowed. A pox on all their houses.

  28. Anonymous Coward

    system apps

    It's even worse as a lot of the "system" apps on my tablet, mostly Google but some Samsung, are the worst offenders. They've had huge permission creep with each upgrade - and I can't even uninstall the blasted things (without rooting) even though they are humungously intrusive, unwanted, unused, and clog up my machine.

  29. PaulR79

    Best option

    I've thought about this a lot because it always bothers me why some apps request the permissions they do, and unless you can figure it out your choices are accept and use it or refuse to install. Android started making developers include changelogs with each update and while that's been abused by some with poor logs such as "bug fixes and performance improvements" there are those that use it properly.

    What I'd propose is similar to requiring changelogs. For every permission required the app has to state clearly why they need them. For camera apps to use camera is obvious but a torch app needing network access isn't so obvious until you see that it's ad supported. Then there are the really broad permissions like Facebore ask for that I'd never be ok with allowing.

  30. Anonymous Coward
    Coat

    Feeling my age..

    I'd really, really like a 'phone that just does voice calls and SMS, with a decent physical keyboard (can be QWERTY, A-Z or Keybee, so long as it's not that horrid 3 letters per key you get on small phones). If I want computer functions in something I carry around with me, I'll buy a flipping computer, thank you very much, and one with a decent operating system, which definitely leaves out Android, IMHO.

    Never would have thought thirty years ago that I'd be feeling so jaded and UN-excited by technology; smartphones and tablets have got the kind of processing power I dreamed of being able to put in my handbag when I was in my twenties, but dear me, I really didn't imagine the durned things would be this dreadful and annoying when they finally came to be. I did try an Android tablet back at Android 2.1 (a cheap Kogan, I can't afford the better stuff), and rapidly came to the conclusion it seemed like a nightmarish version of Linux done about as badly as it's humanly possible to, with least consideration for the user's wants and needs. At which point I switched the wireless off, and it's simply been a portable media player ever since. I'm not letting it near the internet ever again.

    Sigh.. time to book my spot in the Rest Home for Grumpy Old Biddies methinks.

    Oh - and can Google be done for false advertising - 'we are not evil'? pah! (mutter grumble, slouches off..)

  31. NT1

    Better Google Play search - they know how!

    I have no problem with all or nothing permissions. What I do have a problem with is the inability to exclude apps from search results with permissions I find intolerable. E.g. I should be able to (always) exclude apps from search results which require access to SMS messaging because I *never* want any app which requires this. Exclusion from results would be a good incentive for developers to not ask for them. If everyone could exclude these apps then they would have no presence and make no money through nefarious acts.

    Of course, some apps legitimately need permissions - and when I want an app of that nature, then I'll temporarily enable that permission in the search results. Otherwise, complete exclusion for me.

    And Google are more than capable of implementing this trivial filter in searches. And they would gain points for doing so.

  32. synonymous cowherd

    wtf

    Are we really surprised when the planet's biggest data hoar and her associates oversteps the mark, and assumes they have the right to access all your info?? Get away

  33. Grogdor

    If your Android is rooted, use:

    XPrivacy for controlling/faking permissions, AFWall+ for fine-grained control over network access, System App Remover for obvious, Gravitybox for customization, Xposed framework for more advanced system-level tweaks, F-Droid for open-source apps.

  34. Wize

    Auto Installing Apps

    Having a Samsung S4, I have a few apps that, no matter how often I remove/disable (some are bloatware so cannot be removed totally, just set to disabled) they will re-enable themselves and update themselves.

    Apps, such as ChatOn, Flipboard, S Health and Trip Advisor.

    Some apps I've not updated, such as Facebook and Twitter as the new versions want too much access. No you cannot read my SMS and play with my wifi settings.

    Facebook are trying to force an update by disabling the built-in messaging and making you install another app, which has all these nasty permissions too.

  35. Anonymous Coward

    What can we do

    For users who care about their privacy and security, there are not too many options. You can root your device to control the permissions, but root comes with its own security risks. Or you can use an app like Safe Play to keep unsafe apps out. Antivirus are a bad solution because they come after the damage is done.
