{"id":3489,"date":"2016-03-03T12:50:49","date_gmt":"2016-03-03T18:50:49","guid":{"rendered":"https:\/\/justinparrtech.com\/JustinParr-Tech\/?p=3489"},"modified":"2016-05-12T21:36:39","modified_gmt":"2016-05-13T02:36:39","slug":"why-the-android-permissions-framework-makes-android-unsafe-and-how-it-can-be-easily-fixed","status":"publish","type":"post","link":"https:\/\/justinparrtech.com\/JustinParr-Tech\/why-the-android-permissions-framework-makes-android-unsafe-and-how-it-can-be-easily-fixed\/","title":{"rendered":"FIXED: Why the Android Permissions Framework Makes Android Unsafe, And How It Can Be Easily Fixed"},"content":{"rendered":"<p><strong>Note:\u00a0 This post was written PRIOR to Android 6.0 &#8220;Marshmallow&#8221; &#8211; please see the updates below for more details.\u00a0 &#8220;Marshmallow&#8221;, by and large CORRECTLY handles app permissions.<\/strong><\/p>\n<p>When you download an Android app, you are presented with a list of permissions that the application requires in order to run.<\/p>\n<p>You can either accept all of the permissions as stated, or cancel the installation &#8211; there is no middle ground.<\/p>\n<p>This approach makes Android generally untrustworthy, but there is a simple way to fix it.<\/p>\n<p><!--more--><\/p>\n<p>&nbsp;<\/p>\n<blockquote><p><strong>Update: 5\/2016<\/strong>:\u00a0 So apparently, apps written for Android 6 already implement flexible permissions.<\/p>\n<p>In settings&#8230;apps, click on an app, and then click 
&#8220;permissions&#8221; to turn individual permissions on or off.<\/p>\n<p>Well&#8230; that pretty much addresses my concerns.<\/p>\n<p>After using &#8220;Marshmallow&#8221; for almost a month now, I&#8217;m quite happy with it.\u00a0 With pure glee, I neutered many of the &#8220;bundled&#8221; apps by revoking all of their permissions.<\/p>\n<p>There are still THREE improvements that could be made:<\/p>\n<ol>\n<li>I&#8217;m paying a ton of money for the device, and ostensibly, I own it.\u00a0 I should be able to remove ANY bundleware app that I choose, even if it&#8217;s built into the ROM image.\u00a0 If you &#8220;root&#8221; your phone (run third-party scripts to obtain &#8220;root&#8221; privileged access to the device), you can remove all of the bundleware, but why should I have to go through the hassle, and put myself at risk in the process?\u00a0 &#8220;Rooted&#8221; devices are much more likely to get infected with a virus or nasty malware.<\/li>\n<li>The whole permissions scheme is somewhat silent to the uninitiated.\u00a0 If you install a written-for-6 app onto a Marshmallow device, you get NO permissions prompt &#8211; you get a pop-up stating that permissions can be individually granted when the app requests them.\u00a0 It does NOT explain how to go in and edit individual permissions, nor does it prevent an app from being installed with too many permissions &#8211; the user must go in and modify permissions AFTER installation.\u00a0 A better approach is to have an &#8220;advanced&#8221; permissions button where the user can access a dialog in order to edit permissions BEFORE the app is installed.\u00a0 Although apps don&#8217;t typically launch automatically, if a malicious app wants to snarf up your contacts or other personal data, there&#8217;s ample opportunity to accidentally allow that to happen before you can yank its permissions.<\/li>\n<li><strong>Some permissions can&#8217;t be disabled.\u00a0<\/strong> For example, some apps launch or 
require the &#8220;google games&#8221; app &#8211; it would be nice to completely disable these annoying pop-ups, or to completely disable in-app purchases, for example, on a child&#8217;s phone.\u00a0 It should be possible to disable every permission individually.\u00a0 In addition, it would be nice to be able to set a global device policy that disables (or enables) a permission for all apps &#8211; for example, globally disabling access to contacts, and then individually granting permissions for specific apps would be my preference, rather than having to go in and perpetually disable this permission for every new app that wants it.<\/li>\n<\/ol>\n<p><strong>Update: 4\/2016<\/strong>:\u00a0 It appears that Marshmallow, released in October 2015, PARTIALLY addresses my concern.<\/p>\n<p>Marshmallow (Android 6.0) allows you to <strong>revoke specific permissions<\/strong> for each application &#8211; the residual risk is that a malicious app could do harm AFTER it&#8217;s installed, but BEFORE you can revoke its permissions.\u00a0 So, there is still validity to the concern that I&#8217;ve outlined below.<\/p>\n<p>Furthermore, after upgrading my LG G3 from Kit Kat (4.4) to Marshmallow (6.0) today, I&#8217;m shocked at the mandatory crapware pushed down with the LG image; LG then sends it off to the carrier (AT&amp;T, in my case), who then adds more crapware.<\/p>\n<p>In Kit Kat, I could disable the &#8220;LG Health Tracker&#8221; app &#8211; in Marshmallow, no such luck!\u00a0 It&#8217;s on, and can&#8217;t be uninstalled or disabled.\u00a0 Fortunately, I stumbled upon the permissions hack, and simply neutered it by removing all of its permissions.<\/p>\n<p>On top of LG blatantly spying on me, AT&amp;T installed &#8220;AT&amp;T Remote Assistant&#8221;, Wild Tangent gaming, and a bunch of other crapware, above and beyond the crapware that was installed with Kit Kat.\u00a0 All of this has to be disabled or neutered so that it doesn&#8217;t soak up my data and send it &#8220;into the 
cloud&#8221;.<\/p>\n<p>The ever-increasing trend toward &#8220;mandatory&#8221; spyware deployed by the manufacturers and carriers, competing to steal your personal information, makes the permissions debate increasingly important.<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"the-android-permissions-framework\"><\/span>The Android Permissions Framework<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Today, when you install an application from Google Play, you get a prompt listing the permissions needed by the application, and you&#8217;re provided the opportunity to accept the permissions (in total) or cancel the installation.<\/p>\n<p>When an application is updated, you are prompted to accept any changes to those permissions.<\/p>\n<p>Without enumerating every single permission, each typically allows the application in question to access or manipulate a specific piece of hardware on the phone, such as the camera or microphone, or a specific set of data, such as contacts or text messages, or grants a capability such as writing files to the storage card.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"the-problems-with-android-permissions\"><\/span>The Problems With Android Permissions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Android Permissions Framework has some serious problems.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"all-or-nothing\"><\/span>All or Nothing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>As discussed, permissions are an all-or-nothing proposition. 
\u00a0Because of this, the user is forced into a complex trade-off scenario, where he or she may not understand the full impact of accepting the proposition.<\/p>\n<p>On the one hand, the application might be fun or beneficial.<\/p>\n<p>On the other hand:<\/p>\n<ul>\n<li>It could be insecure, meaning that the app itself could be hacked, and then the permissions already granted to it could be subverted for malicious use.<\/li>\n<li>The app could be quasi-ethical &#8220;spyware&#8221;, designed to copy your personal data &#8220;into the cloud&#8221;, where it can subsequently be sold, stolen, or exploited by a malicious third party.<\/li>\n<li>The app itself could be written by a malicious developer, specifically to create malicious hooks intended to compromise the device or send personal data directly to the attacker.<\/li>\n<\/ul>\n<p>The user has no frame of reference for determining whether the application can be trusted.<\/p>\n<p>Some common questionable scenarios include:<\/p>\n<ul>\n<li>Version x of the application is free, and requires no permissions. \u00a0An update, version y, comes out, is now ad-supported, and requires access to device information, contacts, browser history, and all sorts of potentially-sensitive information. \u00a0At best, the ad company is building a more accurate profile using aggregate data, but anything that exists in the cloud can be hacked and stolen from the cloud.<\/li>\n<li>Really Cool Game requires access to your camera and microphone as part of the game&#8217;s functionality. \u00a0Hopefully, the developer is legitimate, and the code only uses its access for the specified purpose, but in theory, a malicious app could be listening and watching all the time, once granted permissions to do so.<\/li>\n<li>Useful App requires ALL permissions. \u00a0The developer could be naive or simply inexperienced, and may be asking for more permissions than are really required. 
\u00a0On the down side, crappy coding and surplus permissions means that the app could be hacked and used as an attack vector.<\/li>\n<li>Awesome Keyboard allows you to type much faster, and it has all sorts of emojis. \u00a0It also has access to every keystroke you type. \u00a0Every time you text your wife or log in to e-mail, you get a slight twinge of anxiety, because you know that Awesome Keyboard\u00a0<em>could<\/em> have been written by criminals, and could be silently siphoning everything you type to an offshore server where someone will attempt to use it against you later.<\/li>\n<\/ul>\n<p>The all-or-nothing permissions framework obscures the trade-off as well as the true value proposition offered by the application, and is skewed against the user.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"not-all-permissions-are-created-equal\"><\/span>Not All Permissions are Created Equal<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Some permissions are very straightforward, for example, use of the camera means exactly that &#8211; the application can use the phone&#8217;s camera hardware for several specific purposes. \u00a0Or &#8220;send a text message&#8221;, which literally gives the application the ability to send a text message.<\/p>\n<p>However, if the application has to write files outside of its private application folders, it needs the &#8220;External Storage&#8221; permission. 
\u00a0This pretty much gives the application free rein to read the &#8220;gallery&#8221; (photos and videos), private audio recordings, and literally anything stored on the SD card, without restriction.<\/p>\n<p>Some applications request permission to read the phone&#8217;s log files &#8211; as stated above, this could be a simple developer mistake, HOWEVER, those log files contain tons of information about the phone, what applications are launched when, and could contain personal information as well.<\/p>\n<p>Either through poor development, questionable ethics, malicious intent, or legitimate functionality, asking for more permissions than are required means that the application could have access to a lot more than either the developer or the user intends.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"every-permission-could-be-exploited\"><\/span>Every Permission Could Be Exploited<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Every permission granted to the application could be used as an attack vector:<\/p>\n<ul>\n<li>If the application itself is malicious, the attacker has direct access once the user accepts the permissions. \u00a0More permissions mean more access to the device, as well as to the user&#8217;s personal information.<\/li>\n<li>Poorly-written applications could be exploited, and then the attacker can leverage all of the application&#8217;s permissions to steal information or further compromise the device.<\/li>\n<li>Ad software often asks for some fairly dubious permissions &#8211; in some cases, the adware may be using that information to create a profile of the user (ethically questionable), or it could be blatantly copying gigabytes of your personal data into the &#8220;cloud&#8221; where they intend to sell it, but someone else could hack in and steal it. 
\u00a0Or, it could be misconfigured permissions within the application &#8211; let&#8217;s face it, marketing people are not the most competent software developers, and you&#8217;re going to have to scrape the very bottom of the barrel to find developers whose ethics are questionable enough that they are willing to write adware or spyware.<\/li>\n<li>Hardware permissions can, on the one hand, support useful application functions, or, on the other hand, be used to monitor the user without their knowledge.<\/li>\n<li>Data permissions can often be exploited to gain access to more information than either the developer or the user intends.<\/li>\n<li>Device roles allow the application to interact with the device in certain ways, such as starting services that run in the background whenever the device is turned on. \u00a0On the one hand, a service like this could provide useful reminders and automatically update information. \u00a0On the other hand, it could be used to monitor every activity the user performs on their phone.<\/li>\n<\/ul>\n<p>More permissions mean a greater likelihood that a malicious application or attacker could compromise the device or the user&#8217;s personal information.<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"the-current-permission-framework-erodes-trust\"><\/span>The Current Permission Framework Erodes Trust<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Both the carriers and the handset manufacturers are paid by developers to include certain applications in their base image &#8211; these applications are &#8220;locked&#8221; and can&#8217;t be uninstalled. 
\u00a0In some cases, they can&#8217;t even be stopped or disabled!<\/p>\n<p>If one of these applications happens to snarf up your personal information without your consent, so be it.<\/p>\n<p>Likewise, selling YOUR personal information is big business for both the carriers and the handset manufacturers&#8230;<\/p>\n<p>There have been recent incidents in the laptop world where this practice has directly resulted in spyware being pre-installed &#8211; <a href=\"https:\/\/www.google.com\/search?q=lenovo+spyware\" target=\"_blank\">Lenovo has been caught 3 times pre-installing spyware<\/a>.<\/p>\n<p>In the phone world, the handset manufacturers take a base Google image, and heavily customize it. \u00a0The first thing to go is the &#8220;stock&#8221; user interface &#8211; replaced by home screens, keyboards, and other UI elements that are proprietary to the manufacturer, yet they see every application you launch, and every keystroke you type, and there is no real way to determine what information is being collected by the manufacturer under the guise of &#8220;usage data&#8221; designed to &#8220;help developers&#8221; &#8220;better understand&#8221; their &#8220;target user base&#8221;.<\/p>\n<p>Once the carrier gets its hands on the device, they install more crapware, and in some cases, they even <a href=\"https:\/\/www.google.com\/search?q=carrier+iq\" target=\"_blank\">install spyware<\/a>. \u00a0Some carriers have their own messaging apps, or address book plugins that are designed to &#8220;sync with the cloud&#8221; &#8211; again, anything that exists &#8220;in the cloud&#8221; can be deleted or stolen, and YOUR &#8220;anonymous usage data&#8221; can be collected and sold.<\/p>\n<p>None of this is speculation &#8211; all of these practices are in full swing\u00a0as we speak, and\u00a0there are no laws and no ethical barriers to protect the user. 
\u00a0All of this happens legitimately within Android&#8217;s permissions framework because the permissions were put there as part of the handset image, which gets loaded to every device before it leaves the manufacturer or carrier facility.<\/p>\n<p>Given all of these factors, how can you possibly enter a credit card number or your online banking password?<\/p>\n<p><strong>The simple answer is that you shouldn&#8217;t! \u00a0I don&#8217;t!<\/strong><\/p>\n<p>As a matter of fact, I&#8217;ve had some very sketchy incidents occur with Android:<\/p>\n<ul>\n<li>I picked up my first Android device in 2011. \u00a0I&#8217;ve been a long-time LinkedIn user, so I immediately downloaded the LinkedIn app. \u00a0The permissions included access to my contacts, which I just happened to synchronize through the Mail application with my e-mail contacts. \u00a0This effectively gave LinkedIn access to all of my e-mail contacts, which it immediately snarfed up, and uploaded to &#8220;the cloud&#8221;. \u00a0A few days later, I started seeing &#8220;Do you know this person?&#8221; prompts for my personal contacts. \u00a0Once I uninstalled the LinkedIn app, I was able to sever LinkedIn&#8217;s access to my contacts and summarily delete everything LinkedIn had snarfed up, but we all know that nothing in the cloud is ever really deleted. \u00a0LinkedIn thought it was being helpful, as its developers had designed it to do, but it did things that I didn&#8217;t\u00a0<em>want<\/em> it to do, and I didn&#8217;t have the ability to stop it.<\/li>\n<li>The only two times that I suspected\u00a0my e-mail had been hacked, I saw suspicious behavior just after installing some sketchy application on my phone &#8211; who knows whether those incidents were coincidence or not, but I changed my e-mail password immediately, and uninstalled any app that I thought might be capable of accessing my e-mail. 
\u00a0I checked the list of devices that had accessed my e-mail, and of course, one of those was my phone &#8211; I sync my personal e-mail to my personal phone, so that makes sense. \u00a0However, who is to say that some well-intentioned or possibly even nefarious program &#8220;tickled&#8221; my e-mail to see what was out there, running right from my phone.<\/li>\n<li>I&#8217;ve had situations where my contacts get annihilated or duplicated because everything tries to get access to your contacts, and some poorly-written piece of carrier-installed crapware didn&#8217;t synchronize them properly.<\/li>\n<\/ul>\n<p>With so little trust for the Android platform, how do you get anything done?<\/p>\n<p>The answer is that I only leverage relationships that were established on a\u00a0<em>trusted<\/em>\u00a0laptop, and then carry those relationships over to the handset.<\/p>\n<ul>\n<li>The only stuff I buy online from my phone is stuff where the website already has my credit card number.<\/li>\n<li>I do not bank from my phone.<\/li>\n<li>I use an e-mail anonymizer, to make my e-mail harder to hack, and so that I&#8217;m not using the same username and password for every website.<\/li>\n<\/ul>\n<p>But that&#8217;s not the real problem.<\/p>\n<p>The real problem is that there is no &#8220;Google Approved&#8221; seal of approval, no vetting system (Google Play does automatically scan for &#8220;malicious looking&#8221; code), and no peer review to ensure that security and quality standards are upheld.<\/p>\n<p>When presented with a new application, the user can look at how many times the app has been downloaded, and its rating, and that&#8217;s about it.<\/p>\n<p>As a developer, the only thing you&#8217;re required to provide to Google when you publish an app is your e-mail address. 
\u00a0That literally means that anyone with an e-mail address can publish anything they want.<\/p>\n<p>The only check and balance is the user community itself &#8211; the thought process is that obvious scams will be rated low, and immediately flagged to Google for violating terms of use.<\/p>\n<p>The problem is that there might be a great app out there, that works well, it&#8217;s fun to use, and oh, by the way, it also includes a malicious spyware module. \u00a0In this situation, you can&#8217;t tell that it&#8217;s malicious, because the deception isn&#8217;t obvious, and no one has really checked. \u00a0So, if this hypothetical app gets a few downloads and a couple of 4-star ratings, then as a potential user of the app, you would never know that it&#8217;s malicious.<\/p>\n<p>As a matter of fact, one of the problems with Google Play that has recently come to light, is that criminals are downloading a legitimate app with few permissions, adding their own malicious code, and simply re-publishing the EXACT SAME APP under a slightly different name. \u00a0If I see two apps that are similar, and both LOOK the same, I might click on either one&#8230; One of them is loaded with malware, and the other is legitimate, and there&#8217;s no way to tell the difference.<\/p>\n<p>What this boils down to, is that you never know what you&#8217;re going to get. \u00a0Your brand new phone could be loaded with spyware before you even open the box. 
\u00a0You could download an app at any time that ends up compromising your information, and maybe even leads to someone stealing your identity and personal information.<\/p>\n<p>So, although the Android permissions framework absolutely does create transparency about what the application can do, and what information it can access, the framework itself can&#8217;t convey the developer&#8217;s intent, nor provide assurance to the user that those permissions will be used appropriately.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"its-only-going-to-get-worse\"><\/span>It&#8217;s Only Going to Get Worse<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Fitness trackers are all the rage&#8230;<\/p>\n<p>They constantly measure your heartbeat, blood pressure, and other biometrics &#8220;so that you can be more healthy&#8221;.<\/p>\n<p>Imagine a scenario where ad companies have access to that data &#8211; they can literally start to record which images and activities get your blood pumping faster, and they can create dynamic\u00a0advertising that&#8217;s tailor-made to manipulate YOU, personally, based on what they know gets you excited.<\/p>\n<p>This isn&#8217;t even close to ethical, and as phones roll out with new features and capabilities, the possibility for abuse only increases.<\/p>\n<p>The rate at which personal data is flying off of these devices puts the <a href=\"https:\/\/www.google.com\/?gws_rd=ssl#q=apple+fbi+case\" target=\"_blank\">FBI vs. 
Apple<\/a> case into a new perspective &#8211; who cares if the device itself is encrypted, because most of the data you actually need is probably accessible from &#8220;the cloud&#8221;,\u00a0uploaded\u00a0there, possibly without the user&#8217;s knowledge, consent, or input.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"a-better-approach\"><\/span>A Better Approach<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As we&#8217;ve discussed, the current permission framework requires the user to wholly accept and grant ALL permissions, or cancel the installation &#8211; all-or-nothing.<\/p>\n<p><strong>A better approach is to allow users to grant individual permissions for each application.<\/strong><\/p>\n<p>At first this appears chaotic, and possibly even ineffective, but let&#8217;s delve into this approach a bit deeper.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"it-could-be-confusing-or-annoying\"><\/span>It Could Be Confusing or Annoying<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>To some users, this approach might be annoying &#8211; having to review each permission for each application.<\/p>\n<p>Remember that the application itself can request whatever permissions the developer intended, and the user still has the option to &#8220;blindly accept&#8221; them.<\/p>\n<p>The subset of users who might find this approach confusing or annoying can simply click-and-accept the proposed permissions as stated by the developer, which is the same experience they have today.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"it-could-break-the-application\"><\/span>It Could Break the Application<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Removing permissions means that the application as written will fail or crash when it attempts to perform certain functions.<\/p>\n<p>The applications must be written with alternate code blocks to accommodate the lack of each specific 
permission.<\/p>\n<p>For example, if the user denies access to contacts, the application should prompt for a phone number or e-mail address. \u00a0If the user finds this annoying, the trade-off is that they can elect to allow the application to access contacts, and now the application allows the user to select from the contacts instead of being presented with a simple dialog box.<\/p>\n<p>Each permission should be implemented as two separate code blocks, allowing the entire application to be minimally installed and effective with zero permissions.<\/p>\n<p>Each application should have a policy outlining each requested permission, and the functionality unlocked when each permission is enabled.<\/p>\n<p>For example, a photo indexing app might be completely useless without access to external storage (SD card). \u00a0The app should at least be installable WITHOUT SD card permissions. \u00a0The user interface could simply prompt the user for access to the SD card, which would then trigger a permission change. \u00a0If the user opts NOT to allow access to the SD card, the application simply sits there. 
\u00a0The user then has the option, at some point, to either allow access or uninstall the application.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"reputational-impact\"><\/span>Reputational Impact<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>As a developer, you want a high rating for your application.<\/p>\n<p>Users who install the application yet decline all the permissions might be left with minimum functionality, and therefore rate the application lower than expected.<\/p>\n<p>This type of reputational impact can be mitigated by associating a permission matrix with the rating itself &#8211; this ties the user experience directly to the permissions the user enabled.<\/p>\n<p>A potential user can then see, for example, that users who enabled fewer permissions rated the application lower, and users who enabled more permissions had a more positive user experience.<\/p>\n<p>In this approach, a &#8220;1 star&#8221; rating has much less impact, and provides potential users with more information about how permissions affect the app&#8217;s user experience.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"intransigent-developers\"><\/span>Intransigent Developers<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Although a stubborn developer could simply refuse to enable any functionality unless ALL minimum permissions are granted, there will always be a competitor who is willing to provide the same functionality with fewer permissions.<\/p>\n<p>This effectively turns trust into a commodity &#8211; users can choose which apps they trust, which, in turn, will drive popularity.<\/p>\n<p>Likewise, stingy developers will be difficult to trust, and therefore, their apps will be less popular.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"a-return-to-trusted-computing\"><\/span>A Return to Trusted Computing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>For Android to be useful, it must be 
trusted.<\/p>\n<p>The current, messy state of affairs makes it impossible to trust anything you download, and even to trust the applications that come pre-loaded by the manufacturers and carriers.<\/p>\n<p>I do my banking and online transactions from a Windows 7 or Debian laptop running virus protection and a modern, secure browser. \u00a0I scan my systems periodically for spyware, and I keep their patches up to date.<\/p>\n<p>Neither Windows 7 nor Debian is going to anonymously collect data about me, and send it to &#8220;the cloud&#8221; where it&#8217;s supposedly securely stored &#8220;for my benefit&#8221;.<\/p>\n<p>I KNOW I can trust these machines.<\/p>\n<p>What&#8217;s sad is that I can&#8217;t trust my own cell phone.<\/p>\n<p>As the user community\u00a0wants to move toward better security, such as new ways to perform secure payment transactions, and better privacy to prevent identity theft, these goals are simply undermined by Android&#8217;s current permission scheme and app ecosystem.<\/p>\n<p>A better approach is to give users the ability to remove ANY application, or at least remove all of the permissions for every application, and to trade functionality for individual permissions, which offers a clearer value proposition to the user.<\/p>\n<p>For a computing device to be useful, it has to be trusted. \u00a0Rebuilding that trust starts with changing Android&#8217;s permission framework.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Note:\u00a0 This post was written PRIOR to Android 6.0 &#8220;Marshmallow&#8221; &#8211; please see the updates below for more details.\u00a0 &#8220;Marshmallow&#8221;, by and large CORRECTLY handles app permissions. When you download an Android app, you are presented with a list of permissions that the application requires in order to run. 
You can either accept all of [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,17],"tags":[],"class_list":["post-3489","post","type-post","status-publish","format-standard","hentry","category-analyses-and-responses","category-good-design-bad-design"],"_links":{"self":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/3489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/comments?post=3489"}],"version-history":[{"count":10,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/3489\/revisions"}],"predecessor-version":[{"id":3572,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/3489\/revisions\/3572"}],"wp:attachment":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/media?parent=3489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/categories?post=3489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/tags?post=3489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}