Android's new permissions: Unappreciated by many, disparaged by few

Steven Max Patterson | June 17, 2014
Android users worried about the new Android permissions aren't the users this update was intended to help. The minority of Android enthusiasts know enough to protect themselves against the perceived flaws. The controversy that surrounds this update is clearly an example of what Voltaire referred to when he said "perfect is the enemy of good" two and a half centuries ago.

The typical Android user is better off, though. The new Android permissions present app updates more clearly for the everyday Android user. The granular permissions presented by previous releases have now been grouped into families of related permissions to streamline the approvals of permissions during updates.

Critics claim that because of this grouping of permissions, an unwanted change could slip past the user's scrutiny and result in harm. The important point is that Android doesn't silently and automatically approve additional app permissions. If a user has set apps to update automatically, updates are installed automatically, and when the update finishes the user receives a notification. If the app update requests additional permissions, the user is asked to approve the update.

This is the point of contention. Previously, changes in any of the more than 40 permissions were presented in granular detail for approval. The critics don't want this change because they like to consider each change before accepting the update. But many users can't interpret the consequences of the app changes, and oftentimes indiscriminately accept them all. 

Consolidating similar permissions into more general and understandable categories is more actionable. It's easier for the typical user to decide whether or not to accept a permission change by comparing a meaningfully named permission to the app's function. For instance, a user would instantly understand that a flashlight app shouldn't need to request permission to use the SMS function. The Play store also has automated systems that check apps against policies.

The tradeoff that comes from approving a group of permissions is that it may result in the approval of one permission one layer below the group that could cause harm. For instance, a user could end up approving an app that legitimately should read incoming SMS messages to also send billable SMS messages. Whether this is an improvement or not depends on your point of view. For the many users who would simply click through a longer, more granular list of permissions, it doesn't change their vulnerability. This threat might be categorized as a nuisance, but it's not serious.

Hiding a lower-level permission to create a serious exploit below a grouping really isn't possible. For example, a user might accept the "Format external storage" permission hidden in the top-level Photos/Media/Files permission, but actually formatting storage such as an SD card and deleting a user's data would also require an independent installation of a device management app and the user's unlikely activation of device administration policies. Also, a change in permissions can't change the Android security model that isolates apps from other apps, limiting the effect of permission changes to only the updated app.
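The within-group case discussed above can be checked mechanically when an update is reviewed. The following Python code is an added example, not part of the original article and not Android or Play store code: it compares the `uses-permission` entries of two decoded manifests and separates new permissions that fall under a group the previous version already held from those that open a new group. The group mapping is a partial, illustrative assumption, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: partial, illustrative mapping of granular permissions to the
# group names mentioned in the article. It is not the Play store's full table.
GROUPS = {
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "Photos/Media/Files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Photos/Media/Files",
    "android.permission.MOUNT_FORMAT_FILESYSTEMS": "Photos/Media/Files",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names requested in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries with no android:name

def review_update(old_xml, new_xml):
    """Classify permissions added by an update relative to the old version."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    held_groups = {GROUPS[p] for p in old if p in GROUPS}
    report = {"within_existing_group": [], "new_group": [], "ungrouped": []}
    for perm in sorted(new - old):
        group = GROUPS.get(perm)
        if group is None:
            report["ungrouped"].append(perm)  # not covered by the mapping
        elif group in held_groups:
            # Added below a group heading the previous version already had.
            report["within_existing_group"].append((group, perm))
        else:
            report["new_group"].append((group, perm))
    return report

# Constructed sample manifests for a hypothetical app.
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
USES = '<uses-permission android:name="android.permission.%s"/>'
OLD = HEAD + USES % "RECEIVE_SMS" + "</manifest>"
NEW = HEAD + "".join(USES % n for n in (
    "RECEIVE_SMS", "SEND_SMS", "MOUNT_FORMAT_FILESYSTEMS", "VIBRATE",
)) + "</manifest>"

if __name__ == "__main__":
    for kind, items in review_update(OLD, NEW).items():
        print(kind, items)
```
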

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.