
Hidden “App Ops” Feature in Android 4.3 Lets You Disable Permissions From Apps - radley
http://www.droid-life.com/2013/07/26/hidden-app-ops-feature-in-android-4-3-lets-you-selectively-disable-permissions-from-apps/
======
JoshTriplett
Cue the piles of posted code snippets on StackOverflow and similar to
uselessly error out on startup without the full set of requested permissions.

Well-behaved apps won't ask for permissions they don't need anyway, and badly-
behaved apps will simply refuse to run without all the permissions they (and
their ad services) request.

Without the ability to pretend to have the permission but not actually provide
useful data, this really won't help much.

On the bright side, at least a subset of these _do_ behave in the sensible
way: various reports suggest that calendar and contact accesses will
successfully return empty results rather than erroring out, for instance.

~~~
bnr
There are some valid use cases for this. "Read All Contacts" is often required
to optionally invite your friends. "List running Apps" for crash-reports.

~~~
cmircea
Why can't some permissions be prompt-based, instead of always giving access to
apps? Say for contacts, if you want to invite friend you'll allow access to
contacts just now.

~~~
graue
This is what Mozilla does lately with new HTML5 capabilities in Firefox (e.g.
desktop notifications, camera access, location access, local storage), and
presumably is also how Firefox OS works. I agree, it's a nice way to do
things.

~~~
mh-
for that matter, it's also how Chrome/Chromium/Chrome OS work.

------
mynewwork
Fantastic. I barely have any apps on my phone because I refuse to accept the
egregious abuse of privacy (why does Pandora or Yelp need to access my
contacts etc). Recently some friends recommended WhatsApp, but after seeing
the massive wall of permissions it was requesting, I didn't install.

I've been waiting for this feature since the day I got my first android phone.

~~~
rogerbinns
What I really hate is that you can pay for and install an app with an
acceptable set of permissions, and then later the developer can add new
unacceptable permissions essentially changing the product you bought. You can
try to defer installation of the new version for a while, but it gets
increasingly difficult.

I am of the opinion you should be offered a refund/uninstall if new
permissions get added. Or have a way of disabling them like the posting is
about.

------
keltex
It would be nice if there was also a "simulate" option for some permissions.
That way the app would think it has a permission when it doesn't. It could
return an empty phonebook for contacts or random location for GPS or confirm a
SMS was sent when it never went out, etc.

~~~
eigenvector
That's exactly what Privacy Guard in CM does.

[https://plus.google.com/+CyanogenMod/posts/86LLXrDpVWY](https://plus.google.com/+CyanogenMod/posts/86LLXrDpVWY)

~~~
derleth
Too bad CyanogenMod itself phones home to tell the developers about you.

~~~
yareally
Only if you opt into it. It's an option under settings. They also tell you
what they're sending. If you're truly paranoid, just block Google Analytics in
your host file. That's all they're using.

~~~
derleth
No, it's opt-out, unless the developer's changed his mind:

[http://www.androidpolice.com/2013/04/03/cyanogenmod-will-
no-...](http://www.androidpolice.com/2013/04/03/cyanogenmod-will-no-longer-
allow-opting-out-of-cm-stats-cyanogen-says-to-chill/)

And, if he does change his mind, it's more likely to be to remove the opt-out
feature.

People don't expect Free Software to phone home like common malware. It's
shocking. That's why I mentioned it.

------
StavrosK
This is an absolutely amazing feature. I've yearned for this for years, I hope
it will arrive soon. Some apps just don't need the permissions they request,
or I don't want to give them, or I don't want to use the functionality that
needs it. This would allow me to disallow my bookmarking app from reading my
contact list.

Fantastic.

------
bowmessage
I really like that Google have added this feature, but unfortunately I don't
see it helping things much. I'm willing to be that many of the applications
requesting odd and unnecessary permissions will be rewritten to simply not
work when any one of those permissions aren't granted to them.

~~~
sp332
Many programs already won't work since they assume that they have the
permissions they asked for.

~~~
toomuchtodo
Heaven forbid your app does error checking!

~~~
sp332
It does error checking. Would you write a program that constantly checks the
config file to see if something changed, or to see if the euid it is running
as suddenly changes? Of course not, why would you? And why would an Android
app constantly check to see if the permissions it has been granted are
suddenly un-granted?

More to the point: why would an app ask for permissions it didn't need in the
first place? The most likely thing to happen is that the app would be useless.

~~~
king_jester
Android as a framework is designed in such a way that most of the times you
wish to access a feature of the device requires a permission you should be
using components that can enforce a security check with the PackageManager or
can handle the SecurityExceptions generated from not having a permission.
Poorly architect-ed apps will have an issue with this, but those apps already
have problems.

~~~
veeti
No. The Android API has always given the guarantee (and it still does) that
your application's permissions will always be there. They can't be revoked
during runtime. If it's in the manifest, it's perfectly fine to assume that
you have it.

No piece of documentation or sample code has ever encouraged a pattern of
"checking if your app has permission X or Y" because it's a total waste of
time. Likewise, none of the built-in Android apps or any of the open-source
apps from Google developers I've seen do that. There is no point to doing so.

In fact, it's actually bad practice because you're adding a bunch of error
checking code for an error condition that's never going to happen. If you're
getting a SecurityException for an action that you've explicitly requested the
permission for, you're running on a broken API and it's not your
responsibility to handle that.

The framework does include methods for checking permissions, but they are
generally meant for things like inter-process communication and library code.
There's no need to use them for ordinary applications you are building
yourself. And nobody does that, rightfully so.

~~~
king_jester
I'm not suggesting that apps do this or even if it is a good idea to have this
level of security checks in code. Rather, the Android framework encourages
decentralized pieces of code that revolve accessing various capabilities of
the API. The kind of paradigms in Android could be considered to be already a
bit helpful in that they promote certain kinds of application architecture
that may be more easily adapted to doing such security checks.

Ultimately it is a matter of time before something like this does make its way
into the core features of Android. It is worth thinking about how Android is
both deficient and helpful with its design philosophy regarding that
eventuality.

------
Zigurd
This is a good way to introduce this feature.

Developers: You are now on notice to handle SecurityException and fail soft.
in most cases, this should be easy to do, and when it isn't, you can, at
least, post a dialog that says" "This app really needs SOME_PERMISSION in
order to run."

But since it is hidden, you are not on the hook, yet, to support users that
start making use of this feature.

------
kefs
More info for devs from Mark Murphy/Commonsware:

[http://commonsware.com/blog/2013/07/26/app-ops-developer-
faq...](http://commonsware.com/blog/2013/07/26/app-ops-developer-faq.html)

------
dman
This removes one of my pet peeves about android. Now please allow users full
control over uninstalling non system applications. I hate that I cannot
uninstall Facebook and Twitter on my HTC one. My past Droid Charge by Samsung
(on Verizon) was even worse since it installed a whole bunch of useless
applications that I had no way to uninstall. I hated that phone every single
time I used it.

~~~
zachlatta
That's on your carrier/manufacturer, not part of Android itself.

~~~
dman
It shouldnt be on the carrier / manufacturer. Whats innately different about
the software on phones as compared on Windows / OSX / linux ... that the user
cant be trusted with administrative rights on their machine?

~~~
archivator
Uhm, yes, that, precisely. Most of Android is on a level playing field - core
framework services get elevated permissions under the system group but __they
're still apps __. If you let the user uninstall them, all hell __will __break
loose. It 's like removing the svchost.exe process in Windows. Or removing
/bin/sh in Linux. The rest just doesn't work without it. Things like Contacts,
Calendar storage, Bluetooth, Play Store, Google Backup, etc, etc, are all in
/system/app, where manufacturers also put their apps.

If you ask me, manufacturers should be prohibited from adding to /system/app
but that's not how the Android licensing works. So, we get un-uninstallable
apps (vote with your wallet - buy only Nexus experience!).

~~~
dman
Learning the nexus lesson slowly.

------
Zikes
This is exactly the feature I've been waiting for to update my old Facebook
app install. Ever since they launched FB Home, the normal Facebook app has
asked for exorbitant permissions including the ability to see all the apps I
have installed and running and even draw on top of them. I've refused to
update to that version because I don't want to use Home, and those permissions
could easily have been restricted to just the Home application.

As others have mentioned I'm sure some app developers will resort to just
erroring out if they can't access something they asked permission to access,
but hopefully we'll be able to shame the bigger players away from that.

------
hansjorg
This looks very useful. The Android permission system is pretty good from a
technical point of view, but since a lot of apps just require all permissions
regardless, and people are trained to disregard this when installing, it's
almost moot.

I wonder if Google is using requested permissions in Play rankings. The apps
which require _all_ permissions should definitely be ranked lower.

~~~
Zigurd
This lets you take those permissions away retrospectively. In many cases I
suspect you will find it is a free app's ad network that's asking for
ridiculous permissions, e.g. access to location in a flashlight app.

Google is probably reluctant to do things that "harm" competing ad networks
for fear of getting sued.

~~~
barend
It would make little sense for the finished feature to work retrospectively;
apps would just grab the bounty on first launch and then the harm is done
before you can get to the settings screen. This looks more like the screen
you'd go to if you change your mind about an app. I expect the primary control
for this feature to be a just-in-time dialog, similar to permission popups on
iOS.

------
krakensden
Didn't Google threaten to pull CyanogenMod's ability to distribute Google Play
for implementing the same thing a while back?

~~~
andybak
Citation needed?

------
gcb0
Being stuck with old phones has its advantages. My phone only runs CM7, which
has this very same feature for some 2yrs.

It's called app goggles or something.

I block internet access to lots of apps thatdo not need,it. And most of them
crash when they try to use it.

Eg. Swype tries to connect every time i reboot my phone. Not sure if they are
just checking for updates or uploading my personal dict, but since it doesn't
try to upload anything while I'm actually writing, i just watch it die every
reboot and that is it.

Almost all games i tried i removed access to see running apps and contact
list. Very few crashed, meaning they probably expose those api to ads, and
they are not using them yet.

------
jhome
Permissions is the reason why I do not have Facebook installed (specifically
the GPS).

