
“We will sell you this microwave under the following conditions” - superchink
http://www.whoismcafee.com/three-guys-walk-into-a-microwave/
======
PeterisP
We have half of the solution required for this - there exists a per-feature
based permission model that the applications are already using.

The second half is simple but requires a change on the device side - if an
application needs features X, Y and Z, then the choices shouldn't be limited to
granting access or not installing the application; there should be a third
choice for each feature called "fake that access being granted".

If an app claims to need access to my SMS messages, then there are two
reasonable options:

1. I want the app to read my SMS, as it does something that I want with them;
so I enable that feature.

2. I don't want the app to read my SMS for whatever arbitrary reason that
doesn't matter and doesn't need to be justified to anyone. If the app
cooperates with the refusal, then it stops at that, but if the app wants to
read my SMS against my will (and, say, tests this ability to enable some
unrelated feature) then that's hostile behavior and all of my hardware and
software should assist _me_ in thwarting that hostile behavior - e.g. by
simulating fake data to the app, by falsely claiming to have sent SMS / made a
call, etc.

The other options (including the current scenario where my device cooperates
with the app developer against me) aren't reasonable and should be eliminated.

~~~
gcb0
CyanogenMod version 7 had this feature. And that was 2011?

Google never accepted the patches into main Android.

Also, as CM and Google got more in bed, that feature vanished for a while.

~~~
unbelievr
A feature that could disable certain permissions for a single app was briefly
introduced in an earlier version of 4.3.x, but was removed again shortly
thereafter. Apparently, most apps were written to expect permissions to be
granted and crashed pretty hard if they didn't get their way.

It is available for rooted phones running Stock Android through the Xposed
framework. There it is called "AppOpsXposed".

~~~
mcv
I can understand that disabling permissions the app expects will fail, but
faking the service the app expects permission for sounds like something that
should work, and would be very valuable.

~~~
unbelievr
Yes, definitely. XPrivacy can fake data, so that works even better than
AppOps, but is harder to set up.

I also miss the possibility of giving slightly fuzzed/offset values for certain
things, like GPS granularity (Do you need to know my exact location, or just
my country?). There's however an eternal struggle between the API devs wanting
to make the permission system simpler, and the app devs wanting it smarter and
more refined.

------
tzs
> If you have any doubts, then I recommend you download DCentral1 (A Future
> Tense Central product) from Google Play, and let it scan your Android phone
> or device. It will tell you exactly what every app you have downloaded has
> asked permission to do – and you will be shocked. DCentral1 is my own app,
> and it asks for no permissions, as you will verify prior to installation.

I'm surprised that looking at the permission settings of other apps does not
require permission. Knowing which apps someone gave permission to access their
sensitive data can tell a bad guy which apps to try to exploit to get the
user's sensitive data. It probably also leaks some information about the user.
I'd not be at all surprised if there were correlations between permissions
granted to specific classes of apps and things like the user's age or gender.

~~~
spindritf
_I'm surprised that looking at the permission settings of other apps does not
require permission._

I'm surprised getting a list of installed apps does not require permission.
The access settings for each app are the same for everyone and public anyway
(99% of the time).

------
optimiz3
CyanogenMod's Privacy Guard gets this right.

It defaults to a _silently fail_ permission policy, and notifies you when an
app is requesting access. You can then choose to deny, allow, deny always, or
allow always.

It's the antidote to Android's insane security model where all users see is
"do you want to be able to run this app?".

~~~
rasz_pl
There is "allow but spoof" missing from that list to make it a viable option.

~~~
optimiz3
That's what I meant by the silently fail part.

------
lucb1e
The interesting thing is that while we now think all required permissions are
ridiculous, there used to be no permission system at all. None of the popular
desktop operating systems offer any permission model beyond limiting a user's
account (and I myself certainly want to have access to my own contacts - but
do all applications?).

So it's a very good step that there is a permission model at all. Now it's
time to refine it, iterate improvements, and make it the way it should be.
Broad permissions like filesystem access merely to save or open a file (such
as a document) could be removed altogether if there is a basic system
component that lets the user pick the location themselves. Or access to the
camera could be asked for by the OS every time an app requires it, or at least
it could be logged and display a notification.

~~~
cvburgess
To be fair, desktops don't have as detailed a look into our lives. SMSs are
very intimate, location data can pinpoint you at almost any moment, and (for
me) I know my address book on my phone is 10x the size of the address book I
had on my computer before my phone started syncing contacts across. I think
it's a great direction, but one that is now more necessary than ever.

~~~
lucb1e
SMS is just as intimate as private messages on forums, emails, Telegram,
photos from different cameras, friends' private Facebook posts, et cetera.

------
MCRed
This is the primary argument for Apple's AppStore and App submission
guidelines, and the evaluation (much of it automated) that Apple does upon
submission.

This is also why iOS prompts the user before disclosing information to the
App, such as location, contacts, photos, etc.

People hate the review process, but there's a reason for it.

~~~
raverbashing
Exactly, but of course putting the permission in a list that nobody reads (I
do) in a confusing way that does not allow any customisation is easier.

------
willvarfar
A long time ago I worked on a Symbian OS called UIQ and we tried to tackle the
permission problem differently - by not needing them!

I still like the approach I came up with and think it a good fit for all OS
today. Here's an old blog post by me:
[http://williamedwardscoder.tumblr.com/post/13316924653/better-permissions-in-android](http://williamedwardscoder.tumblr.com/post/13316924653/better-permissions-in-android)

~~~
dools
So did you take up Dan Shapiro's offer?

------
mwsherman
For what it’s worth, I make a point of calling it out. Here’s a bad one:
[https://twitter.com/clipperhouse/status/515206521723318273](https://twitter.com/clipperhouse/status/515206521723318273)

Maybe if we make a habit of it, it’ll help a little bit. I think most devs say
“give me all the permissions” out of expediency, and most users say OK for the
same reason.

Is there such thing as graceful degradation here? If I say yes to Location,
but no to Contacts, the app should still function but the bits that need the
Contacts would be unavailable.

Or, it asks for those permissions when, and only when, it needs them.

~~~
megablast
This is an app for booking doctors appointments online? But you don't think it
should have access to your id, location, wifi? Why is that unreasonable. The
only strange one is the photos access.

------
waterlesscloud
Hey! You know the really neat thing about the Internet Of Things is that
manufacturers really could start requiring all kinds of things in their TOS to
use the physical item!

Why, you could have the device only work in certain regions, requiring new
fees for new regions if you move!

You could enable features only if additional fees are paid! Free2CooK
(broiling available for just 60 credits)!

Monthly subscription fees!

You could cross-market, requiring access to read information on your pocket
computer (phone), in order to control your device!

Oh man, The Internet Of Things is gonna be so awesome!

~~~
icebraining
_The door refused to open. It said, "Five cents, please."_

_He searched his pockets. No more coins; nothing. "I'll pay you tomorrow," he
told the door. Again it remained locked tight. "What I pay you," he informed
it, "is in the nature of a gratuity; I don't have to pay you."_

_"I think otherwise," the door said. "Look in the purchase contract you
signed when you bought this conapt."_

_...he found the contract. Sure enough; payment to his door for opening and
shutting constituted a mandatory fee. Not a tip._

_"You discover I'm right," the door said. It sounded smug._

PKD, _Ubik_

------
spiritplumber
Yeah, that's actually something that perplexed me about a lot of Android apps
-- why does something like a flashlight need internet access?

Then my naive behind figured out that it's how they make money.

------
WizzleKake
If applications from the play store reading your SMS messages bothers you,
then I can recommend using something like CyanogenMod's Privacy Guard (which
exposes a feature called App Ops that seems to be a part of Android, yet
hidden), or Xposed framework's XPrivacy (which gives you very fine-grained
control over what information/permissions apps can and cannot access).

XPrivacy is difficult to configure without reading the documentation.

Both of these things require root.

------
aortega
I can believe people are still so naive as to believe that Google and third
parties will give you apps "for free". You pay in some way or another, always.

~~~
BrandonM
If you've ever run Linux, it's not really naive at all. Almost any program you
might want, free and easily installable.

~~~
aortega
The idea with Linux is that you contribute your time to the project or to
helping others. That's how you pay. If you don't do any of that, you are
freeloading.

------
gcb0
"those who give some freedom for security will have none of both" or so.

You gave up the ability to install apps from anywhere (to the point that if
I'm at Yelp's own site, for example, all the links to install their own app
only take me to the App Store or Play Store) in exchange for the false premise
that the downloads would be verified by Apple/Google so as not to harm you. In
the end you just lost your freedom to do as you wish and now you are more
exposed to threats because you assume they are safe since they came from the
"official" place.

~~~
MCRed
Apple does review apps for harm, calling bad APIs and the like.

------
jdietrich
I think the fundamental problem is that Android permissions (and privilege
controls for most other platforms) are far too coarsely-grained.

I'm perfectly happy to allow an app to save files to a specific named folder
on my device. I'm perfectly happy to grant access to my camera _when
specifically prompted_ for barcode scanning or what have you. I'm happy to
allow an app to check whether I'm on 3G or Wifi to save on data costs. Android
permissions are currently far too binary. Permissions need to be more specific
and explicit, atomised down to the finest possible gradations. The permissions
dialog needs to clearly explain precisely what is being accessed, with extra
resources available to help the user understand the privacy and security
implications.

This frustrates me both as a developer and as a user. As a user, I avoid all
sorts of apps that are probably requesting permissions for good reason, but
that I don't really trust. As a developer, I find myself leaving out
potentially useful features so that I don't present the user with a laundry-
list of permissions.

I fastidiously explain exactly why my apps require permissions in the app
description, but I shouldn't need to and my users shouldn't need to trust me -
I should be able to specify the exact subset of functionality needed by my app
and my users should be able to grant me that and only that.

Users should be able to reject or falsify any API request at will, and the SDK
should be designed around this. Appropriate and flexible exception handling
for API calls should be mandatory, with UI to alert the user if functionality
is unavailable or unreliable due to their privacy settings, and with the
option to allow specific access on a case-by-case basis.

As an industry, we need to look past our short-term lust for analytics data
and ad impressions, and think about the future of computing. I think we are
grossly underestimating the importance and urgency of user trust, which is
hard-earned and easily lost. With the increasing ubiquity of computing and
recent revelations about surveillance and leaks, we need to be making bold
decisions to empower users to control their own data and devices. The future
of computing is truly bleak if we cannot truthfully convince users that they
are the masters of their devices and not the servants. Without decisive
action, we risk a catastrophic and wholly justifiable collapse of trust that
could set us back decades.
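
The permission model sketched in this thread (PeterisP's third choice of
faking a grant, optimiz3's silent-fail policy with remembered "always"
answers, unbelievr's fuzzed GPS, and the mandatory exception handling argued
for above) as an added example. This is illustration code written for this
page, not code from Android, CyanogenMod, XPrivacy or the linked article. The
app names ("flashlight", "booking"), the inbox contents, the coordinates, the
permission labels and the prompt callback are all constructed assumptions.

```python
# Added example: a per-feature permission broker with allow / deny / spoof / ask.
# Not from Android, CyanogenMod or XPrivacy; all apps and data are constructed.
import hashlib
import random
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Policy(Enum):
    ALLOW = "allow"   # hand the app real data
    DENY = "deny"     # raise; the app must degrade gracefully
    SPOOF = "spoof"   # return plausible fake data, report success
    ASK = "ask"       # prompt the user; "*_always" answers are remembered


class PermissionDenied(Exception):
    """Raised on DENY. The app-side wrappers below show the handling an SDK
    designed around refusal would make mandatory."""


# Constructed "real" user data that the broker guards (assumptions).
REAL_SMS = [("+15550100", "Your verification code is 482913")]
REAL_LOCATION = (40.7488, -73.9854)   # lat/lon in degrees, constructed

# Prompt callback returns "allow", "deny", "allow_always" or "deny_always".
Prompt = Callable[[str, str], str]


@dataclass
class Broker:
    policies: Dict[Tuple[str, str], Policy] = field(default_factory=dict)
    default: Policy = Policy.ASK
    prompt: Optional[Prompt] = None    # None: ASK silently becomes DENY
    audit: List[Tuple[str, str, str]] = field(default_factory=list)
    outbox: List[Tuple[str, str]] = field(default_factory=list)

    def resolve(self, app: str, perm: str) -> Policy:
        pol = self.policies.get((app, perm), self.default)
        if pol is Policy.ASK:
            answer = self.prompt(app, perm) if self.prompt else "deny"
            base, _, sticky = answer.partition("_")
            pol = Policy.ALLOW if base == "allow" else Policy.DENY
            if sticky == "always":          # remember "deny always"/"allow always"
                self.policies[(app, perm)] = pol
        self.audit.append((app, perm, pol.value))   # every access is logged
        return pol

    def read_sms(self, app: str) -> List[Tuple[str, str]]:
        pol = self.resolve(app, "READ_SMS")
        if pol is Policy.ALLOW:
            return list(REAL_SMS)
        if pol is Policy.SPOOF:
            return []            # an empty inbox looks like a fresh phone
        raise PermissionDenied(f"{app}: READ_SMS refused")

    def send_sms(self, app: str, to: str, body: str) -> bool:
        pol = self.resolve(app, "SEND_SMS")
        if pol is Policy.ALLOW:
            self.outbox.append((to, body))
            return True
        if pol is Policy.SPOOF:
            return True          # claim success, send nothing
        raise PermissionDenied(f"{app}: SEND_SMS refused")

    def get_location(self, app: str) -> Tuple[float, float]:
        pol = self.resolve(app, "ACCESS_FINE_LOCATION")
        if pol is Policy.ALLOW:
            return REAL_LOCATION
        if pol is Policy.SPOOF:
            return coarse_location(app, REAL_LOCATION)
        raise PermissionDenied(f"{app}: ACCESS_FINE_LOCATION refused")


def coarse_location(app: str, real: Tuple[float, float],
                    grid: float = 0.5) -> Tuple[float, float]:
    """Degrade a fix to roughly city/country granularity.

    The offset is derived from the app name rather than drawn per call:
    fresh random jitter can be averaged away over many reads, a stable
    offset cannot. Snapping to a grid then removes the sub-grid detail.
    """
    seed = int.from_bytes(hashlib.sha256(app.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    lat = real[0] + rng.uniform(-grid, grid)
    lon = real[1] + rng.uniform(-grid, grid)
    return (round(lat / grid) * grid, round(lon / grid) * grid)


# --- app side ---------------------------------------------------------------

def flashlight_unlock_probe(broker: Broker, app: str = "flashlight") -> bool:
    """The hostile pattern: an unrelated feature gated on SMS being readable.
    Under SPOOF the probe 'succeeds' while the app learns nothing."""
    try:
        broker.read_sms(app)
        return True
    except PermissionDenied:
        return False


def location_feature(broker: Broker, app: str = "booking") -> dict:
    """Graceful degradation: the screen still renders, the missing part is flagged."""
    try:
        return {"location": broker.get_location(app), "unavailable": False}
    except PermissionDenied as e:
        return {"location": None, "unavailable": True, "reason": str(e)}


if __name__ == "__main__":
    b = Broker(prompt=lambda app, perm: "deny_always")
    b.policies[("flashlight", "READ_SMS")] = Policy.SPOOF
    print(flashlight_unlock_probe(b))   # True, but the app saw an empty inbox
    print(location_feature(b))          # prompts once, "deny always" is remembered
    print(b.policies, b.audit)
```

Two design points worth noting: the SPOOF branch has to return something an
app cannot distinguish from a legitimate answer (an empty inbox, a successful
send, a fix that is merely imprecise), and a spoofed location should use a
stable per-app offset, since per-call jitter is averaged away by an app that
polls repeatedly.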

~~~
seanflyon
> I think the fundamental problem is that Android permissions (and privilege
> controls for most other platforms) are far too coarsely-grained.

I think that point of view is only relevant to a small percentage of users who
pay enough attention.

------
ChuckMcM
For a crazy guy I like what McAfee is doing :-). The "FM Radio" app which
Motorola installs on the Moto-G wants to upgrade on my phone, but it wants
"Device ID & call information, Camera/Microphone access, and 'other'". Really?
Why does an FM radio need my camera and microphone? And who I call? And my
device's id? And what the hell is "other"?

------
Istof
Perhaps some legislation will be needed to fix this ...

~~~
briandear
No. Government isn't the answer to most problems and certainly not this. The
market fixes this. If you don't like the terms, don't use the app. As soon as
"legislation" gets involved, then suddenly app developers are now under the
same type of regulation that covers medical devices, etc. That's a huge
burden. Imagine the patent trolls -- they use patent legislation to attack
developers (often small indy shops) that "potentially" have infringed on some
patent, despite the fact that the developer didn't even know a patent existed
and the technology involved is sufficiently ambiguous as to be case based more
on the financial resources of the participants rather than the merits of the
claim.

With this permissions legislation, an app that does legitimately request a
permission might have increased lawsuit exposure because of someone's
interpretation of what the permissible purpose of that permission might be.
Even if the developer is "right" they still have to spend thousands of dollars
they likely don't have to defend themselves. We have patent trolls -- what's
next, permissions trolls?

The free market is the answer. However, education of the public is necessary
for them to realize the tomfoolery in which some apps engage. However, all the
education in the world is unlikely to help -- this "general public" we're
talking about is the same crowd that plays Farmville and Candy Crush.

iOS is a bit more "safe" in the privacy regards because each app must
explicitly request permission for a specific use and Apple is rather rigorous
when you attempt to use a permission outside the scope of the app. I don't
know anything about Android, but if it covertly enables a permission without
the user's knowledge, then that's something Android should fix. But
legislation? Hell no. I don't trust legislators to paint white stripes on the
road correctly, let alone pass laws about technology about which they are
demonstrably ignorant much of the time.

~~~
pdkl95
> Government isn't the answer to most problems and certainly not this. The
> market fixes this.

[http://en.wikipedia.org/wiki/Just-world_hypothesis](http://en.wikipedia.org/wiki/Just-world_hypothesis)

There is no law of nature that suggests a free (laissez-faire) market fixes
anything. More specifically, that style of pure capitalism only has one
inherent trait: capital tends to become accumulated. While I, personally,
think this kind of unidirectional focus is not healthy in the long run, the
amount of regulation needed to mix into a market is a difficult and open
question.

> might have increased lawsuit exposure

Yes. That would be the entire point of regulation. You follow the legislated
regulations or you get hit with some sort of lawsuit or fine or similar.

> because of someone's interpretation of what the permissible purpose of that
> permission might be.

I agree! This is a _very_ difficult problem to describe in a clear, reliable
manner. I suggest that the industry should be proactive on this; it would be a
lot better if the people with the technical knowledge came up with some sort
of permission scheme that avoided ambiguity and more accurately reflected what
types of permissions the applications actually use.

The alternative is to wait for some well-meaning but technically inept
legislation, and all the idiocy it implies.

> education of the public is necessary

Absolutely. This is always of vital importance.

> I don't trust legislators

Neither do I - which is why it is important to beat them to the punch with
your own solutions and legislation.

    
    
        "we had to create the future, or others will do it for us"
          - Susan Ivanova, "Sleeping in Light", Babylon 5

------
qwerta
I don't install apps which request excessive permissions. My Lenovo phone has
an application firewall; everything is blocked, except two whitelisted apps. My
/etc/hosts has 3000 lines...

It is not that hard...

~~~
jbinto
This reminds me of the infamous HN response to Dropbox's launch 5 years ago:

> you can already build such a system yourself quite trivially by getting an
> FTP account, mounting it locally with curlftpfs, and then using SVN or CVS
> on the mounted filesystem

[https://news.ycombinator.com/item?id=9224](https://news.ycombinator.com/item?id=9224)

~~~
qwerta
Why would anyone install flashlight app which requires access to contacts and
emails?

------
eyeareque
I remember my blackberry would ask all kinds of permission prompts whenever I
installed a new app. It was a pain, but now I see how bad it can get when you
don't do it that way.

------
gus_massa
This has the original title, but I propose these alternative titles, trying to
follow the original title / don't editorialize guideline:

* You walk into a store to buy a microwave ...

* Three guys walk into a microwave store ...

~~~
dang
In cases like this we usually look for a better title in a subtitle or (as
here) the first part of the article.

