
Android permissions and hypocrisy - robin_reala
http://mjg59.dreamwidth.org/46403.html
======
sschueller
Any app can capture everything you put in your android clipboard and it does
not need to ask for permission to do it.

So don't copy passwords into your clipboard!
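
As an added example, not code from the original post or from sschueller, here
is what that point looks like from inside an Android app: reading the
clipboard through `ClipboardManager` needs no `<uses-permission>` entry at
all, and the only mitigation a password manager has under this model is to
overwrite the clip again after a timeout. The class name `ClipSpy`, the
method names and the timeout value are my choices.

```java
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Handler;
import android.os.Looper;
import android.util.Log;

// Added example: reading and clearing the clipboard on Android.
// Nothing here needs a <uses-permission> entry in the manifest; the only
// requirement is a Context, which every app component has.
public final class ClipSpy {
    private static final String TAG = "ClipSpy";

    private ClipSpy() {}

    // Whatever is on the clipboard right now (null if empty or not text).
    // This one call is all a clipboard sniffer needs.
    public static CharSequence readPrimaryClipText(Context ctx) {
        ClipboardManager cm =
                (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        ClipData clip = cm.getPrimaryClip();
        if (clip == null || clip.getItemCount() == 0) {
            return null;
        }
        return clip.getItemAt(0).coerceToText(ctx);
    }

    // Register for change notifications so the app sees every copy, not
    // just the clipboard state at the moment it happens to poll.
    public static void watchClipboard(Context ctx) {
        final Context app = ctx.getApplicationContext();
        ClipboardManager cm =
                (ClipboardManager) app.getSystemService(Context.CLIPBOARD_SERVICE);
        cm.addPrimaryClipChangedListener(new ClipboardManager.OnPrimaryClipChangedListener() {
            @Override
            public void onPrimaryClipChanged() {
                CharSequence text = readPrimaryClipText(app);
                // A hostile app would ship this off; here it only logs.
                Log.d(TAG, "clipboard changed: " + text);
            }
        });
    }

    // The mitigation password managers use: put the secret on the clipboard,
    // then overwrite it after a timeout so other apps get a shorter window.
    public static void copySecretWithTimeout(final Context ctx, final String secret,
                                             long timeoutMs) {
        final ClipboardManager cm =
                (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        cm.setPrimaryClip(ClipData.newPlainText("", secret));
        new Handler(Looper.getMainLooper()).postDelayed(new Runnable() {
            @Override
            public void run() {
                // Only clear if our secret is still there; do not trample
                // something the user copied in the meantime.
                ClipData current = cm.getPrimaryClip();
                if (current != null && current.getItemCount() > 0
                        && secret.contentEquals(current.getItemAt(0).coerceToText(ctx))) {
                    cm.setPrimaryClip(ClipData.newPlainText("", ""));
                }
            }
        }, timeoutMs);
    }
}
```

The timeout only narrows the window; a listener registered as in
`watchClipboard` still fires the instant the secret lands. Android 10 later
closed this particular hole for background apps: from then on only the app
with input focus and the default input method can read the clipboard.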

~~~
izacus
Hmm, I know iOS allowed that as well for a long while (basically free-for-all
access to the pasteboard). Was that fixed in later iOS versions?

~~~
0x0
It's even worse with Universal Clipboard, the feature that seamlessly shares
your active clipboard between your mac and iOS devices. I have seen the
official Facebook iOS app trigger a "Pasting from <mac-hostname>..." spinner
when starting up, because Facebook silently steals your clipboard on
startup/resume, and they are probably using an API that happens to now possess
Universal Clipboard powers and thus are triggering a clipboard content pull
from the mac.

~~~
retox
I'm still astonished people on HN trust Facebook enough to have any of their
apps installed. Since day one their developers have shown complete disregard
for users' privacy.

~~~
xenophonf
I didn't really think about it until the iOS Facebook app helped itself to my
Christmas morning photos this year. I had assumed that Apple had stronger
protections in place for users' content. It's one thing to say in an alert or
popup or something "did you take photos of the kids opening presents this
morning? want to make a photo collage using our helpful tool?" and quite
another to access my photos (and, presumably, other personal data) without
prompting.

~~~
0x0
You must have granted the app permission to your photos/camera roll earlier.
Still I agree it's sneaky for the app to go in uninvited at a later point in
time.

~~~
yAak
Agreed. It might be nice if Apple extended their "Do you want to continue
allowing XYZ to use Location Services" prompt to other permissions, provided
it wasn't too aggressive.

~~~
0x0
Or even better, offer a restricted photo access permission that only works
with the built-in image picker. Then at least the user has to tap on an image
before it is transferred to the app. I don't care about the fancy custom image
pickers with real time preview effects that various apps build in.

------
willvarfar
My own muses and solution:
[http://williamedwardscoder.tumblr.com/post/13316924653/bette...](http://williamedwardscoder.tumblr.com/post/13316924653/better-permissions-in-android)

Basically, back in the Symbian/UIQ days, we worked on this and came up with a
way to embed apps within another visually even though they were separate apps
with separate permissions.

So an app wouldn't need all the internet access stuff just because it embeds
ads; instead, an ad-service running on the phone would embed ads in the space
given to it by the app.

We primarily wanted to show contacts and online status etc inline without each
app needing to be able to read your contacts or find out their online
statuses.

The host app would basically use a UI widget that took a 'url' to what was
going to be shown, and apps registered as providers of various url schemes
e.g. uiq_contact:phonenumber_goes_here?display_options=whatever

~~~
iainmerrick
That would be great! Both Android and iOS _partly_ implement it, but in each
case it's underused.

On Android, an app can send an email just by posting an intent. That will open
your favourite email app and create a new message, but crucially, you can
check the contents yourself and decide whether or not to hit "send".
The app can't interfere and can't even tell whether it was sent (modulo
underhand stuff like tracking pixels).

Unfortunately, the intents for "post a message to twitter/facebook/whatever"
are badly designed and don't work well with most apps. So many apps just
request direct access to your social media.

On iOS, you can deny Facebook and Twitter access to your photo library, yet
still post photos: you just do it in the Photos app itself. Photos gets access
to your social media, rather than vice-versa, and that's (probably) OK because
Photos is built into the platform, not a third-party app.

Unfortunately people don't seem to know about that, and just use the
(admittedly easier) workflow of sharing photos from within the Facebook or
Twitter app. And sharing _multiple_ photos from Photos didn't work properly
the last time I tried: it creates multiple posts rather than a single post
with multiple photos.

So in each case the platforms offer the functionality you're looking for, but
apps and/or users are too lazy to use it properly. I don't know what the
solution is. Apple or Google could make it harder for apps to do the wrong
thing, but that would probably just annoy users ("I upgraded my phone and now
I can't share photos any more!")

~~~
fjrieiekd
And even on Android this functionality has a lot of holes. As an example, just
try to find a robust way of sending an email with multiple attachments that
only shows email apps and doesn't crash some of those apps.
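
As an added example, not from iainmerrick or fjrieiekd, here is how the two
comments above fit together on Android: `ACTION_SEND_MULTIPLE` carries the
attachments, an `ACTION_SENDTO mailto:` selector restricts resolution to mail
clients, `FileProvider` content URIs avoid the `file://` crash
(`FileUriExposedException`) on Android 7, and a `resolveActivity` check avoids
the crash when no mail app is installed. The calling app declares no INTERNET,
GET_ACCOUNTS or storage permission. The provider authority
`com.example.fileprovider` is a hypothetical name that must match the
`<provider>` entry in the app's manifest.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.support.v4.content.FileProvider;
import android.widget.Toast;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

// Added example: compose an email with several attachments by intent.
// The mail app the user picks does the sending, and the user sees and can
// edit the message before it goes anywhere.
public final class MailIntent {
    // Hypothetical authority; must match <provider android:authorities="...">
    // in AndroidManifest.xml together with its file_paths.xml resource.
    private static final String AUTHORITY = "com.example.fileprovider";

    private MailIntent() {}

    // Returns null when nothing on the device can handle the intent, so the
    // caller never hits ActivityNotFoundException.
    public static Intent build(Activity activity, String[] to, String subject,
                               String body, List<File> attachments) {
        // Selector: only activities accepting mailto: URIs, i.e. mail clients,
        // take part in resolution. Social apps that also handle
        // ACTION_SEND_MULTIPLE are filtered out.
        Intent selector = new Intent(Intent.ACTION_SENDTO);
        selector.setData(Uri.parse("mailto:"));

        Intent send = new Intent(Intent.ACTION_SEND_MULTIPLE);
        send.setType("message/rfc822");
        send.putExtra(Intent.EXTRA_EMAIL, to);
        send.putExtra(Intent.EXTRA_SUBJECT, subject);
        send.putExtra(Intent.EXTRA_TEXT, body);

        ArrayList<Uri> uris = new ArrayList<>();
        for (File f : attachments) {
            // content:// URIs via FileProvider. Passing file:// URIs throws
            // FileUriExposedException on API 24+ and crashes the sender.
            uris.add(FileProvider.getUriForFile(activity, AUTHORITY, f));
        }
        send.putParcelableArrayListExtra(Intent.EXTRA_STREAM, uris);
        // Grant the receiving mail app read access to exactly these URIs,
        // nothing else in the app's private storage.
        send.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        send.setSelector(selector);

        if (send.resolveActivity(activity.getPackageManager()) == null) {
            return null;
        }
        return send;
    }

    public static void send(Activity activity, String[] to, String subject,
                            String body, List<File> attachments) {
        Intent intent = build(activity, to, subject, body, attachments);
        if (intent == null) {
            Toast.makeText(activity, "No email app installed", Toast.LENGTH_SHORT).show();
            return;
        }
        // With several matching mail apps the system shows its own resolver.
        activity.startActivity(intent);
    }
}
```

The remaining hole fjrieiekd describes is on the receiving side: the selector
decides which apps are offered, but the app chosen still receives the
original `ACTION_SEND_MULTIPLE`, and a client that only registered for
`ACTION_SENDTO` may ignore the `EXTRA_STREAM` list or mishandle it. Nothing
the sender does can fix that.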

------
qznc
My solution is to use CyanogenMod (now LineageOS) and deny access when apps
request it. To applications it looks like they can access my contacts, but if
I deny it, they only get to see an empty list.

~~~
emsy
My solution is to buy an iPhone. I don't mean that as a snarky response, as
I'd very much like to use an Android phone (And if it's just to be able to use
Tasker). But I simply don't have time to bother with this stuff anymore, so I
pay ~$200 more in exchange for my time (and privacy).

Secondly, I don't want to give anyone money that gives a crap about my
device's security and privacy.

There was a similar article on HN a while ago that came to the same
conclusion:
[https://news.ycombinator.com/item?id=13056288](https://news.ycombinator.com/item?id=13056288)

~~~
bad_user
I currently use an iPhone and it isn't a good privacy solution either.

For example my pet peeve is that apps like Waze or Uber are allowed to only
request full location tracking, even while running in the background. As a
user you cannot restrict location tracking to happen only when the app is
running. This is an either-or proposition. Either the user allows location
tracking while in the background, or you cannot use the app.

And surely you can manually enable and disable location tracking per app, but
that's way too cumbersome. Just imagine trying to start navigation while at a
red light. Whereas with Android I used to be able to enable/disable location
tracking globally, since you get a global shortcut that you can access in a
swipe and tap.

I also use 1Password as a password manager. Well, iOS has the same problem as
Android where apps can read the contents of your clipboard, including copied
passwords. And compared with Android it's not common to see password managers
use third-party keyboards or accessibility features to side-step copy/pasting
passwords. And sure, apps have an API to integrate managers like 1Password or
Lastpass, which is nice when it's there and it's surely nice when it works in
Safari, but too few apps use it.

In other words, even though the privacy/security story is currently better for
iOS, IMO it's not that good either and I hope that Apple and Google will work
on improving this situation because I'm seriously thinking of going back to a
dumb phone.

~~~
cgb_
To be fair, those are app choices to require 'Always' for location tracking.
You can most definitely restrict an app to use location only while using - you
can't fault Apple or iOS for apps that (unnecessarily [1]) demand more.

One thing I really like about iOS is the reminder that an app has been using
your location in the background for a while [2]

[1] [http://www.theverge.com/2016/11/30/13763714/uber-location-da...](http://www.theverge.com/2016/11/30/13763714/uber-location-data-tracking-app-privacy-ios-android)

[2] [https://support.apple.com/library/content/dam/edam/applecare...](https://support.apple.com/library/content/dam/edam/applecare/images/en_US/iOS/iphone6-ios9-weather-app-using-location.jpg)

~~~
zymhan
But Apple makes (seemingly) no effort to encourage developers to allow limited
location access. Why can't iOS be in charge of when an app uses my location
when the app is backgrounded?

The reminder only appears once per app, as far as I've noticed. I restored my
phone recently for the first time in over a year, and had totally forgotten
about the reminder feature.

------
vmateixeira
Has anyone noticed apps switching from requesting individual permissions to
relying on Google Services permissions lately? For instance, Google Maps now
needs Google Services to have permissions to [1].

This makes it even harder to track which information apps are actually
collecting (in case you grant all permissions to Google Services).

[1] [http://i63.tinypic.com/1zwt91.jpg](http://i63.tinypic.com/1zwt91.jpg)

~~~
sha666sum
Slightly tangential, but yesterday my Gmail app kindly informed me that I need
to give Google Play Services the following permissions in order for it to
function:

- Body Sensors
- Calendar
- Camera
- Contacts
- Location
- Microphone
- Phone
- SMS
- Storage

This promptly led me to discover K-9 Mail. Not entirely incidentally, Google's
Calendar was so helpful as to suggest that I install Google's fitness tracker
to integrate with the Calendar. I politely declined the offer, and installed
Etar.

~~~
ade2
Looks like it's a bug

[https://productforums.google.com/forum/#!topic/gmail/oTMPWq2...](https://productforums.google.com/forum/#!topic/gmail/oTMPWq2u5H4)

~~~
TeMPOraL
These days it's harder to tell whether something was a bug, or only became a
bug after it was discovered.

------
catwell
This is not specific to Android, it is basically the antivirus industry in
general. "Let's ask every possible permission and inject code everywhere in
the OS so we can prevent other applications from doing so."

I am usually for modularity, but I think this kind of security is part of the
OS' job, and we have to move to security models where third-party AVs do not
exist.

Of course, this is not just my opinion, see
[https://news.ycombinator.com/item?id=13082832](https://news.ycombinator.com/item?id=13082832)
in particular.

------
StrLght
Some apps prefer to declare more permissions than they need because adding
more permissions would stop the app from autoupdating – the user will need to
manually confirm the new permission when updating in Google Play. Android 4.X
is running on nearly one third of the Android devices and there are apps with
the old permission model (e.g. Snapchat), so that's still a thing in some apps.

I am not defending Meitu and Kaspersky though. Be careful installing new apps
and look at apps' permissions.

~~~
Tepix
It can fail both ways:

On the one hand you may not install an update because the app wants more
permissions than you consider acceptable.

On the other hand you may not install the app at all if it asks for too many
permissions during the initial install.

~~~
StrLght
While I agree with you I also think that sadly the average person doesn't
really care about permissions at install time simply because there are lots of
them. But an app update is different -- there are usually 1-2 permission(s)
added with an update so there's a huge chance that the user will notice it and
think about why these permissions are needed.

------
wruza
I still wonder why Android requests permissions before the application is
run. Apple does it when the app actually tries to use AB, location, camera,
microphone, etc. You know the context of the requirement then and are able to
tell whether it is really required (and turn it off later). On Android you
just blindly accept it, and the app is free to go anywhere, anytime. Maybe I'm
wrong and it got better now, but my recent experience with a friend's Android
was exactly as described. We got a couple of new contacts in the address book
and actively prevented sending SMS to China from a boiler-info app. Wtf?

~~~
relics443
Android uses runtime permissions since Marshmallow, but the app has to support
them otherwise it falls back to granting them all at install time.

~~~
wruza
That way Android is stuck with tons of 4th-party software publishers that are
not even professionals in programming. Stores are full of working
evolutionlessware. Why don't they just present "ok/nope" dialog and fail a
system call after "nope"?

~~~
relics443
It's not that simple. The app I work on now is pretty complex, and the only
way we were able to get runtime permissions in normally was to commit to a
complete rewrite of the app (that wasn't the justification for the rewrite).
It's just not always the highest priority.

~~~
wruza
That's what I'm talking about. I must have used better wording to make it
clear,
sorry. It _is_ possible seamlessly at the OS level (as one of commenters noted
about CM). But OS devs just kicked the responsibility to app devs.

------
ade2
Isn't this solved with the run-time permissions model since Android 6? Customers
can be informed before requiring individual permissions, in a context where it
is understandable, such as requiring WRITE_EXTERNAL_STORAGE when saving a
picture. Am I missing something?
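
As an added example (mine, not ade2's or relics443's), this is the app side of
the Marshmallow model for exactly the case ade2 names: ask for
WRITE_EXTERNAL_STORAGE when the user taps "save", not at install time, and
survive a denial. It only applies when the app sets `targetSdkVersion` 23 or
higher; an app targeting 22 still gets every declared permission at install,
which is the fallback relics443 describes. `SavePhotoActivity`, `writePhoto`
and the request code are hypothetical names.

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.support.v4.app.ActivityCompat;
import android.support.v4.content.ContextCompat;
import android.widget.Toast;

// Added example: a runtime permission request tied to the action that needs it.
// AndroidManifest.xml still declares
//   <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
// and targetSdkVersion >= 23; below that the system grants it at install and
// checkSelfPermission simply reports PERMISSION_GRANTED.
public class SavePhotoActivity extends Activity {
    private static final int REQ_WRITE_STORAGE = 0x5a;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // ... layout setup; the "save" button calls onSaveClicked()
    }

    // Called from the save button, so the user has the context for the prompt.
    public void onSaveClicked() {
        if (hasStoragePermission()) {
            writePhoto();
            return;
        }
        if (ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.WRITE_EXTERNAL_STORAGE)) {
            // The user denied once before: give the real reason before asking
            // again. A real app would use a dialog rather than a toast.
            Toast.makeText(this, "Storage access is needed only to save this photo",
                    Toast.LENGTH_LONG).show();
        }
        ActivityCompat.requestPermissions(this,
                new String[] {Manifest.permission.WRITE_EXTERNAL_STORAGE},
                REQ_WRITE_STORAGE);
    }

    private boolean hasStoragePermission() {
        return ContextCompat.checkSelfPermission(this,
                Manifest.permission.WRITE_EXTERNAL_STORAGE)
                == PackageManager.PERMISSION_GRANTED;
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        if (requestCode != REQ_WRITE_STORAGE) {
            super.onRequestPermissionsResult(requestCode, permissions, grantResults);
            return;
        }
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            writePhoto();
        } else {
            // Degrade instead of exiting: the rest of the app keeps working
            // without the permission.
            Toast.makeText(this, "Photo not saved", Toast.LENGTH_SHORT).show();
        }
    }

    private void writePhoto() {
        // Hypothetical: write the bitmap to external storage.
    }
}
```

The check in `hasStoragePermission` has to run on every save, not once at
startup: the user can revoke the permission in Settings at any time, and a
cached "granted" result then leads straight to a `SecurityException`.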

~~~
mjg59
It's not obvious to users that READ_PHONE_STATE means the ability to obtain
your IMEI, and if an app just exits when you deny a permission (or lies to you
about why it needs it) what do you expect most users to end up doing?

~~~
izacus
The user-facing text for READ_PHONE_STATE is "Read and control phone status
__and identity__".

How more obvious do you want it to be?

And I expect users to uninstall the app or live with the consequences. Because
what other option is there?

If you want a kindergarten OS where a corporation prevents you from running
apps according to their daily whim and maximization of profits - get an
iPhone. Apple will protect you by making sure you run only kids friendly apps
which only work with their dongles and hardware. And that's ok, but we do not
need two operating systems with same limitations that only differ in branding.
In corporate controlled Apple world, things like Linux do not exist.

~~~
mjg59
I only know what "identity" means in this case because I've read the SDK docs.
There's any number of things that phone identity could mean other than IMEI.

(Before you accuse me of just wanting to restrict what people can do with
their devices, I'm on the board of directors of the Free Software Foundation -
I am very, _very_ interested in ensuring that ultimately end-users are able to
do whatever they want to do with things that they own. But that's not
incompatible with the OS being designed to do its best to ensure informed
consent for whatever an app wants to do)

~~~
izacus
Of course, but is there even a way to phrase this better? Google could (and
probably should) write "allows access to IMEI", but I'm not sure that adds a
lot of informational content.

Don't get me wrong - I think this is still a severe problem. The fact that
Google made a half-arsed solution where apps can just target older API and get
away without asking for permission is horrible. The fact that apps can extort
users with "give us contacts or I won't run" is also horrible.

But I'm out of ideas on how to fix this without giving control over to a
single huge corporate entity which will rather lock you out of your own device
than to deal with the slight possibility of any kind of liability :/

~~~
mjg59
My understanding is that iOS doesn't give apps access to the IMEI - it gives
them a tracking identifier that users can disable. Having the OS empower users
feels like a better solution than obfuscating what information you're giving
up to apps.

~~~
izacus
Android has it as well - you either have the "Advertising ID" which behaves
the same way as the iOS one (requires no permission on either OS) or
ANDROID_ID (also requires no permission).
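
As an added example (mine, not izacus's), here are the three identifiers this
sub-thread is about side by side, with what each one costs the app: the IMEI
behind READ_PHONE_STATE, ANDROID_ID with no permission, and the resettable
Advertising ID from Google Play Services, also with no permission but only
readable off the main thread. `DeviceIds` and its method names are
hypothetical; the Play Services dependency is
`com.google.android.gms:play-services-ads-identifier`.

```java
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Looper;
import android.provider.Settings;
import android.telephony.TelephonyManager;

import com.google.android.gms.ads.identifier.AdvertisingIdClient;

// Added example: the device identifiers from the discussion and the
// permission each one needs.
public final class DeviceIds {
    private DeviceIds() {}

    // IMEI (MEID on CDMA). Needs READ_PHONE_STATE, shown to the user as
    // "read phone status and identity". Survives factory reset, which is why
    // trackers want it. Returns null when the permission was denied instead
    // of letting the SecurityException propagate.
    public static String imei(Context ctx) {
        if (ctx.checkCallingOrSelfPermission(Manifest.permission.READ_PHONE_STATE)
                != PackageManager.PERMISSION_GRANTED) {
            return null;
        }
        TelephonyManager tm =
                (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        return tm.getDeviceId(); // null on Wi-Fi-only devices
    }

    // ANDROID_ID: 64-bit value, no permission, changes only on factory reset,
    // and on these Android versions the same for every app on the device.
    public static String androidId(Context ctx) {
        return Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ANDROID_ID);
    }

    // Advertising ID: no permission, user-resettable under Settings > Google >
    // Ads, plus a "limit ad tracking" flag the app is expected to honour.
    // Must run off the main thread; it is an IPC round trip to Play Services.
    public static AdvertisingIdClient.Info advertisingId(Context ctx) {
        if (Looper.myLooper() == Looper.getMainLooper()) {
            throw new IllegalStateException("call from a background thread");
        }
        try {
            return AdvertisingIdClient.getAdvertisingIdInfo(ctx);
        } catch (Exception e) {
            // IOException / GooglePlayServicesNotAvailableException /
            // GooglePlayServicesRepairableException: no Play Services, no ID.
            return null;
        }
    }

    // What an ad SDK should do with the result.
    public static String idForAds(Context ctx) {
        AdvertisingIdClient.Info info = advertisingId(ctx);
        if (info == null || info.isLimitAdTrackingEnabled()) {
            return null; // user opted out: send nothing, not a fallback ID
        }
        return info.getId();
    }
}
```

`getDeviceId()` was later superseded by `getImei()` in API 26, and from
Android 10 onwards non-system apps cannot read the IMEI at all, with or
without READ_PHONE_STATE, which settles the question in this sub-thread in the
direction mjg59 argues for.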

Both are reset with factory reset, but apps still for some reason demand
tracking via IMEI.

~~~
pwg
> Both are reset with factory reset, but apps still for some reason demand
> tracking via IMEI.

Because from the marketers perspective, a fixed, constant, identifier of a
particular phone beats out one that can change periodically. There's more
tracking and big-data possibilities from the fixed never changing IMEI value.
So that is what they want.

~~~
Aissen
Except you probably want the reset anyway, since most normal people don't
factory reset unless the phone changes owner.

~~~
pwg
What I personally would want is no way for any advertiser to ever send any ad
to my phone in any way, ever.

But given that I'll not likely ever reach that point, I'd settle for those
advertisers not receiving any unique identifier from my phone that allows them
to know anything more than "ad X was sent to an anonymous phone".

------
vicnov
Everyone just needs to read a bit more about the Kaspersky family.
[https://en.wikipedia.org/wiki/Natalya_Kaspersky](https://en.wikipedia.org/wiki/Natalya_Kaspersky)

For example: she [N Kaspersky] believes that all personal data, such as search
history, geolocation, contacts, correspondence, photo and video materials,
should belong to the State.[11]

~~~
coolspot
And Eugene Kaspersky himself has ties to KGB/FSB.

[https://en.wikipedia.org/wiki/Eugene_Kaspersky#Alleged_affil...](https://en.wikipedia.org/wiki/Eugene_Kaspersky#Alleged_affiliations_with_Russia)

------
martijn_himself
I'm in the market for either an iPhone 7 or OnePlus 3T, with the latter running
OxygenOS, which is based off Android Nougat I believe.

Do concerns around Android security apply to all Android devices and versions
or are there exceptions?

~~~
BoorishBears
Android's main security issue is systemic and applies to all phones and all
versions. If tomorrow morning a new major version of Android fixed every deep
seated security issue there was, it'd still be years before it had a sizable
marketshare.

~~~
martijn_himself
I guess this is the answer most users will be looking for. I really like the
proposition of the OnePlus 3T and I appreciate the ability to load other ROMs
but I'm really just looking for the best baseline secure environment that
doesn't require me to either be super vigilant about installing apps or
aggressively manage permissions on a per-app basis.

------
Sephr
With a title like that, I was assuming that this post would have something to
do with the hypocrisy surrounding android's audio capture permissions.

Want to make a WiFi-based audio adapter and support Android (without requiring
root)? Too bad. Only the Chromecast app is allowed to request permission for
system audio capture.

------
fjorn0
CopperheadOS is trying at least.
[https://mobile.twitter.com/CopperheadOS/status/7873572570296...](https://mobile.twitter.com/CopperheadOS/status/787357257029685248)

------
bambax
> _The moral here isn 't that Kaspersky are evil or that Meitu are virtuous.
> It's that talking about application permissions is difficult_

Maybe. Or the lesson could be: the fewer apps the better.

------
Searle
A friend of mine and I wrote an app which you can use to find apps without
suspicious permissions _before_ installing:
[https://play.google.com/store/apps/details?id=de.steppicrew....](https://play.google.com/store/apps/details?id=de.steppicrew.saferplay)
We didn't do any marketing because we just scratched our own itch, but I
always use it when searching for a new app. Doesn't solve the problem, but
makes it manageable.

------
nezo
There really are a lot of things to improve about permissions. Like Apple and
Android's default camera apps requesting access to camera... really? Or
contact app asking permission to list contacts (on android at least).

Setting up a new phone or tablet is like dismissing 99 dialogs every time.

I indeed hope in the future there will be a better balance between user
experience and user privacy.

~~~
mysticmarvel
How often do you upgrade or purchase a new Apple device? Once per year? I'll
take one instance of setting up permissions for stock apps (Many of which I
don't use) over granting them unfettered access to my data and device services
any day of the year. For instance, under no circumstances do I want Location
Services enabled for: "App Store, Camera, Facebook, Messages, Siri, Twitter,
HomeKit, Location based Alerts or Ads or Suggestions, WiFi Networking,
Frequent Locations, Diagnostics and Usage, or Popular Near Me". I'd be happier
if I could disable location access by modem too (GPS, Bluetooth, and WiFi) but
it isn't that granular.

~~~
nezo
Offer a device to a novice and watch him/her panic over the incredibly huge
amount of popups. (I saw my mom)

How frequently I buy a new device shouldn't be a reason for onboarding to be
such a hassle.

Of course location is a good example of permissions you don't want to give to
every app, but I gave example of apps asking for obvious permissions.

The camera app (still love this example, sorry) asks for access to the camera,
and oh
storage... really? Both of them are really obvious. I don't know anyone using
camera just to see the preview, but maybe.

------
jugbee
Hi, I would like to draw the attention of you, the people with more expertise
than I, to another app that at least for me is more terrifying: Xiaomi Mi Fit
([https://play.google.com/store/apps/details?id=com.xiaomi.hm....](https://play.google.com/store/apps/details?id=com.xiaomi.hm.health)),
because it also takes all the intrusive permissions (modify system
settings?!), but also takes all this info and combines it with your health
data. Furthermore it is very hard to find its privacy policy (I may have seen
it once during registration in the app and it said "it's scattered around the
terms and agreements"). This comment may be buried, but I hope at least
someone who's better at this than I will check it.

~~~
neurostimulant
Modify system settings permission is needed when your app needs to change
network state. Previously using the Change Network State permission was
enough, but since Android 6 it no longer suffices. I imagine that app
probably needs to access the watch accessory over Bluetooth and needs that
permission to make the Bluetooth turn on automatically.

------
ercu
Android permissions are full of bugs. Even though they prevented call recording
on Android 7, apps on Google Play can overcome this by directly communicating
with drivers.

------
balladeer
I stopped using TrueCaller because not only does this app get everything out of
your phonebook, it puts it on the web for others to see. And that's exactly
how you see other's contact details too.

Uninstalled after deactivating my account and then used
[https://www.truecaller.com/unlist](https://www.truecaller.com/unlist) but my
number is still listed.

------
creativityland
There was a long discussion about this on /r/android.
[https://www.reddit.com/r/Android/comments/5oyvun/psa_dont_in...](https://www.reddit.com/r/Android/comments/5oyvun/psa_dont_install_the_meitu_photo_app_its_sending/)

------
scarface74
Solving the issue that was mentioned about how to give an app developer a
unique id for a device and still give the user privacy was a solved problem with
Windows Mobile before the first iPhone came out. The OS would give a developer
a unique identifier for only their app that was different per app.
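
As an added example (mine, not scarface74's, and not a description of how
Windows Mobile actually implemented it), here is one way an OS can hand every
app an identifier that is stable per device and per app but cannot be joined
across apps: derive it as an HMAC over the caller's identity under a
per-device secret that only the OS holds. Plain Java with no Android
dependency; the device secret and the two certificate digests are constructed
inline for the demonstration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: per-app device identifiers derived from a device secret.
// The OS keeps deviceSecret to itself; each app only ever sees the HMAC
// output for its own identity, so app A's ID reveals nothing about app B's
// and an ad network that receives both cannot link them.
public final class PerAppDeviceId {
    private final byte[] deviceSecret;

    public PerAppDeviceId(byte[] deviceSecret) {
        this.deviceSecret = deviceSecret.clone();
    }

    // Generated once at first boot or factory reset; a reset therefore gives
    // every app a fresh ID at the same time.
    public static PerAppDeviceId newDevice() {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        return new PerAppDeviceId(secret);
    }

    // The caller's identity as the OS sees it. Keying on the signing
    // certificate as well as the package name stops a second developer from
    // claiming the same package name and inheriting the first one's IDs.
    public String idFor(String packageName, byte[] signingCertSha256) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(deviceSecret, "HmacSHA256"));
            // Length-prefix each field so field boundaries are unambiguous.
            mac.update(lengthPrefixed(packageName.getBytes(StandardCharsets.UTF_8)));
            mac.update(lengthPrefixed(signingCertSha256));
            return hex(mac.doFinal());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 is mandatory on the JVM", e);
        }
    }

    private static byte[] lengthPrefixed(byte[] field) {
        return ByteBuffer.allocate(4 + field.length).putInt(field.length).put(field).array();
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        PerAppDeviceId device = PerAppDeviceId.newDevice();
        // Constructed certificate digests standing in for two developers' keys.
        byte[] certA = new byte[32];
        certA[0] = 1;
        byte[] certB = new byte[32];
        certB[0] = 2;

        String a1 = device.idFor("com.example.appa", certA);
        String a2 = device.idFor("com.example.appa", certA);
        String b = device.idFor("com.example.appb", certB);
        String aAfterReset = PerAppDeviceId.newDevice().idFor("com.example.appa", certA);

        System.out.println("stable for the same app:   " + a1.equals(a2));
        System.out.println("differs across apps:       " + !a1.equals(b));
        System.out.println("differs after a reset:     " + !a1.equals(aAfterReset));
    }
}
```

Android eventually moved in this direction: from Android 8.0, ANDROID_ID is
scoped per app signing key and per user rather than shared device-wide.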

------
stolk
It doesn't always have to be like this, on Android:

[https://twitter.com/BramStolk/status/421750337750327296](https://twitter.com/BramStolk/status/421750337750327296)

------
ungzd
Do newer versions of Android ask for permission on first use of every such
feature? Or it was Cyanogenmod feature?

~~~
rhodysurf
Yes they do

------
jjuel
Those Kaspersky permissions look like permissions on the payload you can
create with Metasploit...

------
dovdovdov
Android (or anything Google) means close to zero privacy.

------
zschneider
>Why does Kaspersky want the ability to record audio? Why does it want to be
able to send SMSes? Why does it want to read my contacts?

Block unwanted phone calls and SMS texts, filter out dangerous links and sites

>Why does it need my fine-grained location?

To find your lost Android phone or tablet

>Why is it able to modify my settings?

To be able to remove viruses and other threats from smartphones and tablets

---

I can't even open this website with Noscript because of Cloudflare. Why do you
need to stream all your insecure (I'm talking about js, not https) user
traffic through 3rd party providers?

------
titraprutr
" ... this is the sort of thing that capitalism is inherently going to end up
making use of."

I just stopped reading after this.

~~~
kaoD
Well, isn't it true?

Nowadays users (and their data) are the means of production and capitalists
are using it to their advantage. Libertarian appeal to consumer responsibility
is too idyllic. Consumers are mostly not responsible and often misinformed and
easy to manipulate.

~~~
titraprutr
"capitalists are using it to their advantage"

yes, this is true but by the same token you can say that socialists use this
data to better target users with their socialist agenda.

My point is, there is no need for introducing this type of "innocent" remarks
because it only creates more hype around the whole capitalism vs. socialism
thing.

~~~
kaoD
Then say that. "I stopped reading" comments are not constructive. They lack
content and can't be argued with.

