
Mobile UX Design: Ways to Ask Users for Permissions - babich
https://uxplanet.org/mobile-ux-design-the-right-ways-to-ask-users-for-permissions-6cdd9ab25c27#.wldxowb7j
======
makecheck
There are a few big failings with pure permission-based models:

1\. Given only the most basic of assurances (assuming an app tells you
anything at all), you have to trust that some software you just downloaded is
going to do exactly what it claims, and _only_ what it claims.

2\. By requiring the user to grant permission at a prompt, we are pretty much
guaranteed to not ask questions very often and have coarse granularity. Apps
can therefore count on easily gaining more access than they really need,
rather than having to try really hard to work within serious limitations.

3\. Data is rarely structured in a way that allows it to expire meaningfully.
For instance, I cannot _guarantee_ that an app has access to a particular
contact for exactly 1 second while it transmits a message, and then “loses”
that information; in reality, the app can probably upload my entire contacts
database anywhere in the world and continue to do so for months at a time.

An example of a better model might be to force everything to go through the
user and to require applications to sign their data. For instance, if an app
wants to send my friend an E-mail, maybe _they can’t_: maybe they have to
give _me_ text that is signed by them, and then _I_ send it, ensuring that the
correct message is sent but that the E-mail address itself is not shared.

~~~
supercoder
There's always a compromise between security and convenience, and how much
you're willing to give up of the other.

That email example might work in specific examples, but requiring the user to
be a constant gatekeeper would get very tiresome quickly, particularly when
it comes to things like GPS and Camera access.

~~~
chii
What if the operating system acts as an agent in these scenarios? Say, sending
a message to a contact requires the app to make a system call from which they
get back a handle to said contact. All operations on that handle are done via
calls to the system, so the data about the contact never actually gets to the app.
It'd be annoying to write the simplest of programs under this paradigm, but
the user can then completely control an app's use of their data or hardware.

~~~
charleslmunger
This is how Android and content permissions work. It's totally possible to
take a picture without permission to access the camera, and to share a contact
without granting access to all contacts.

Many apps choose not to use this functionality, because they want to own the
UX for contact picking or taking a picture, and most users don't know about
the privacy difference between sharing a Uri with a grant permission flag, and
granting access to contacts.
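
The handle model chii describes, combined with the expiry makecheck asks for, as an added sketch that is not part of any comment in this thread and is not Android's API. `ContactBroker`, `pick_contact` and `send_message` are hypothetical names; a Python object only models the interface, and a real OS would enforce the boundary across processes.

```python
import secrets
import time

# Hypothetical names throughout; the contact data is constructed sample data.
class ContactBroker:
    """Stands in for the OS: holds contact data, hands apps only opaque handles."""

    def __init__(self, contacts):
        self._contacts = dict(contacts)   # name -> address, never returned to apps
        self._handles = {}                # token -> (app_id, name, expiry)
        self.outbox = []                  # what the broker actually delivered

    def pick_contact(self, app_id, name, ttl=60.0, now=None):
        """User-mediated pick: a random token bound to one app and one contact."""
        if name not in self._contacts:
            raise KeyError(name)
        now = time.monotonic() if now is None else now
        token = secrets.token_urlsafe(16)
        self._handles[token] = (app_id, name, now + ttl)
        return token

    def send_message(self, app_id, token, body, now=None):
        """The app supplies handle and text; only the broker resolves the address."""
        now = time.monotonic() if now is None else now
        grant = self._handles.get(token)
        if grant is None or grant[0] != app_id:
            raise PermissionError("unknown handle for this app")
        if now >= grant[2]:
            del self._handles[token]      # expired grants are dropped on first use
            raise PermissionError("handle expired")
        self.outbox.append((self._contacts[grant[1]], body))
        return True

    def revoke(self, token):
        self._handles.pop(token, None)


def demo():
    broker = ContactBroker({"Alice": "alice@example.test"})
    h = broker.pick_contact("chat-app", "Alice", ttl=1.0, now=0.0)
    broker.send_message("chat-app", h, "hi", now=0.5)
    results = {"leaked": "alice@example.test" in h, "sent": list(broker.outbox)}
    for app, t in (("other-app", 0.6), ("chat-app", 2.0)):
        try:
            broker.send_message(app, h, "again", now=t)
            results[app] = "allowed"
        except PermissionError as e:
            results[app] = str(e)
    return results
```

The handle is useless to a second app and stops working after its time-to-live, so a stolen or hoarded token does not become standing access to the contact.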

------
kazinator
CAN I HAZ ALL CONTACT 2 SEND 2 CAT BOSS? (M)EOW/(W)OOF >

