applications requiring excessive permissions

by seanburlington » Fri, 06 Feb 2009 10:07:28 GMT

Sponsored Links
 Hi all,
   I've noticed that a lot of application from the Android market seem
to ask for more permissions than I would expect.

It's great that the market allows me to see what I am allowing an app
to do - and I often choose not to install on this basis.

As an example the application wants network connection
(which is to be expected) but it also wants  GPS location data, and
phone status.

I just can't see why it needs these.

I guess if it's showing ads it might want general location data - but
why does it need to know where I am to GPS accuracy?

I don't want to share that and my batery runs down to fast without GPS

And why should it need to know if I'm making a call?

This seems like quite a common issue - applications asking for more
access than they might be expected to need.

Has anyone else noticed this - or come across an explanation for it?


applications requiring excessive permissions

by Nanard » Fri, 06 Feb 2009 23:00:59 GMT

 I suppose many application creator, had fun creating great app during
1 year (for ADC1) on their PC using the emulator.

And playing with all Android API.

During this great coding time they didn't really care about
authorizations : they just have to add it in a xml file.

Once 'real' users, and 'real' phone arrived, well... this popup
informing the user of the required permission arrives, and... not all
application developper though about that !

I am in this case.

I think google should keep this permission check by phone owner, and
that application developer should explain in their User Guide the
reasons why those permissions are required.

Sponsored Links

applications requiring excessive permissions

by Craig » Tue, 10 Feb 2009 13:09:29 GMT


That is a great idea.

Further, what I'd like to see, and something that seems a no-brainer
to me, is the ability for users to disable/enable permissions on an
individual basis. That way, if some solitaire game requests internet
access, you can still download it, but just say that it can't access
the internet. This is how firewalls work on PCs, so why not on
android. This would be easy to code for as well for developers: if I
have internet permission, I can do so and so; if I don't, well then I
can't, and I can tell the user about it. The "all or nothing" scenario
dilutes the usefulness of the permissions system.

Is this too obvious or am I missing something?


applications requiring excessive permissions

by plusminus » Tue, 10 Feb 2009 13:32:26 GMT

 If you have 5 permissions and the user can toggle each of them you
might have to handle 2^5 cases in your code =/ (worst case)


applications requiring excessive permissions

by Sam Hiatt » Wed, 11 Feb 2009 02:39:58 GMT

 Cedric and Craig - I'm right with you on this.  I think your proposed
solution would make a big difference.  I've been wondering about this
issue ever since a program I was trying out for the first time
surprised me and uploaded my GPS location to a public map without
asking me.

I tried to initiate a discussion about this a while back but got
frustrated when my comments were not well received and it seemed none
of the platform developers were willing to discuss a solution.

If there is ongoing work to implement something like this then I'd
like to know about it.  If there are key issues impeding such a
necessary solution, then I'd like to know about it as well so we can
help fix them.  If people don't agree it's a good idea, we should talk
about it in order to come up with an ideal solution.

The lack of such control makes it difficult for me to trust many of
the apps in the market.  That's bad for Android.

So let's hear some discussion.



applications requiring excessive permissions

by Jeremy Gray » Wed, 11 Feb 2009 04:35:42 GMT

 Agreed. All of these considerations and more already have to be
accounted for when doing (for example) desktop development (in my
case, most often using frameworks like .NET with its CAS model) so I
don't see this kind of capability (and the effort required to take
advantage of it) putting anything unnecessary in the way of an Android
app developer.


applications requiring excessive permissions

by Mike Hearn » Wed, 11 Feb 2009 19:00:34 GMT

 > I tried to initiate a discussion about this a while back but got

Keep going :) It's not that they are unwilling, it's just that this
type of security system is quite new, and nobody really knows what
will work well. There's plenty of scope for reasonable people to
disagree here.

The main problem I see with optional enabling/disabling of permissions
is that it'd be backwards-incompatible, that is, apps are designed on
the assumption that if they ask for a permission at install time, they
get it, and if you then throw an exception when they try to use that
permission today apps will just crash. So apps would have to be marked
as opting-in to this scheme, and the developer would have to choose
which permissions could be selectively denied.

This might still be worth doing. But we should recognize that this
kind of fine grained control is sort of a power user feature, and
isn't going to help a lot of people who will just click "install", get
screwed and then be pissed off when people say, well gosh, why didn't
you think to disable that permission you silly person! So if there are
better solutions we should persue them first.

For instance, providing an explanation for why a permission is
required would solve a lot of problems here.

Another one is to actually eliminate the need for some permissions
entirely through smarter sandboxing. Is it really helpful to have a
"allow internet access" permission for instance? What harm can this
do? The main problem is that an app may burn through a ton of airtime
quota without the user realizing it, so if that's the problem we want
to solve, then this permission should really be more sophisticated -
rephrased in terms of quota usage perhaps, with most apps usage
falling below the line where a permission request is necessary. Then
the majority of apps would not need to request internet access, except
for some (like net radio streamers? video downloaders?) that would
still need to prompt lest they get throttled.

"Prevent phone from sleeping" could be rephrased as a quota permission
in the same way. The nice thing about this approach is that it's
backwards compatible and takes no real effort from developers. They
can (in the majority case) just remove the permission request entirely
from their manifest.

The final problem is where apps have surprising behavior, like
uploading your GPS location to a public website. In this case I think
a better ratings/reviews system would be a better solution than trying
to make the permissions system more complicated, given that people
generally understand their own language better than convoluted
security systems. In this case, rather than try and create a system
that would stop an app uploading your position to the web (which is
impossible anyway), just give that app a negative review and say why.
The fact that the current markets review system isn't that great is
just something that Google should fix :)

Other Threads

1. OOT rooting webOS

Ada yg tahu info root palm pre ? Sorry jika salah room.

Saya tahu di sini bnyk master yg sanggung menjawab pertanyaan saya.

Terima kasih

Let's your mobile device make it simple..

"Indonesian Android Community [id-android]" 

2. X co-ordinate and y co-ordinate, where my view is drawn in screen

use getLocationOnScreen



3. Semi-urgent request for testing help re. my BBC News app

4. Apk WTA Better Keyboard

5. CM 4.2.15

6. How to programmatically disable the the virtual keyboard !!!

7. Collect information on apps