July 31, 2013 By: Will Verduzco
Say it with me: It’s about time! While not officially released yet (and although similar functionality has been possible via root in the past) granular permissions management is unofficially on its way to stock Android. In fact, if you’re willing to take a few seconds to create a custom shortcut, an incredibly easy task on most aftermarket launchers, you can access it now from any Android 4.3 device. There’s even a simple option for those more content with the stock Android 4.3 launcher as well.
Thanks to some sleuth work done by Ron Amadeo over at Android Police, App Ops was discovered in the current build of Android 4.3 (JWR66v). Getting it to work is as simple as creating a custom shortcut that points to the activity: Settings -> App Ops. While this technically offers nothing that wasn’t already possible via root, it’s great that Google is on its way to allowing unrooted users control their privacy so granularly.
As described in the source article linked below, however, the feature is far from perfect. Currently, the permissions that can be toggled only populate after each is used. This is both less intuitive and less functional than simply accessing the list of declared permissions from the app’s AndroidManifest.xml file. Furthermore, there is no user-visible alert when a permission is denied, which would ease troubleshooting if denying a particular permission leads to application issues down the line. That said, it is nice that App Ops allows you to see the last time each permission was used.
While making a shortcut to a specific activity from custom launcher is no big deal, doing so on the stock Android 4.3 launcher is not possible. However, Senior Member mrx8836350 created an installable APK that creates the requisite shortcut for you without the need for a custom launcher. More information on this feature can be found in XDA Recognized Contributor Disturbed™‘s Android 4.3 general information thread. To get the shortcut on the stock launcher, visit mrx8836350′s application thread.
Source: Android Police
[Thanks to XDA Senior Member nikwen for the tip!]
Android, as an operating system, is fairly unique in that it makes users aware of the permissions available to apps in a fairly transparent way. Compared to Blackberry or iOS, which issue granular prompts such as “Can Angry Birds access your location?” or “Can Instagram access your camera to take photos?” There is a somewhat subtle difference here: The rivals give the user a choice about these requests.
Jump over to Android where, after installing an app, it has free reign to use every permission you agreed to. While this doesn’t sound an issue, let’s take a look at the Play Store. Let’s look at a nice, popular app (for better or for worse): Facebook.
The Facebook app has permissions to:
Getting tired and out of breath yet? It’s not over yet though! Facebook can also:
What is perhaps most disconcerting is that while Google acknowledges openly the risks in each permission (I suggest you take a read at the detailed description of some of the permissions on a Play Store listing), the company takes no steps to help you with this. Thus, the entire Android ecosystem is built around you trusting the developer to play fair, and not do anything dodgy.
And while I might be unique in my recommendation (which I firmly believe is warranted in this day and age given recent information revealing the extent of mass surveillance that is ongoing) to trust nobody, not even yourself. For this reason, I suggest the Android permissions system is totally flawed, in relying on developers to not abuse permissions, and not request excessive permissions. How many torch apps on Android have more than the required camera permission (to enable the camera)? I’d suggest most do, feel free to take a look!
You’d think the Android community would rally against such behaviou, but it’s reached a point where it is acceptable for developers to declare a need for excessively gratuitous permissions in order to use their apps. What happened to user choice? I then was pointed towards this post on G+ by Steve Kondik (XDA Recognized Developer cyanogen), which I read with much dismay. While I do not use G+ (closed platform, requiring far too much data to be disclosed to Google), I would suggest that with respect, the need for user privacy and security MUST come first, as it’s clear app developers cannot “do” security.
Perhaps if Google introduced zero tolerance for moronic errors in security (plaintext passwords, gathering contacts data, obtaining device IDs that are not hashed suitably with a cryptographic hash etc), it might offer an incentive to consider security? Given many users (wrongly) reuse passwords between services, the sending of plaintext passwords should be sufficient, in this author’s opinion, to justify immediate removal of all of a developer’s apps from the Play Store, forever.
Some people just don’t know how to do security. And for them, I sigh. Users deserve security, and privacy, and unless you go ahead and look at the OpenPDroid project on XDA (which I strongly suggest you check out), you are pretty much being abandoned by even the leader of CyanogenMod. While I appreciate his concerns for app developers, it is simply inexcusable to not look into fixing the glaring hole that is contacts access. This is 2013, the era of social engineering, and I cannot choose selectively which apps see which contacts in my address book? REALLY?
Something needs to happen here, before people wake up and smell the coffee, and realize this isn’t sustainable. It’s time users became more aware about what apps are doing, and the extent of data mining that is ongoing. It’s your data, and it should be entirely your choice who gets it.
You shouldn’t have to avoid an app because you don’t like the look of its permissions; you should be able to (whether as stock Google feature, or custom ROM feature) be able to selectively decline to allow an app to access your data. And this should be done gracefully, either providing empty data (for contacts, or similar), or null data (i.e. requesting phone number or IMEI should return the same response as a tablet lacking these identifiers).
Is it right to deny your users the choice, to make life “easier” for app developers? (arguably to allow them to capture user data more easily) I argue it’s not, and it’s time the Android community unites to put an end to apps having free reign over YOUR data. If this concerns you, why not check out the aforementioned OpenPDroid (and similar) projects on XDA, and see if you can help out, or test, or contribute to the cause?