
Hey Paypal, why do you need access to my microphone, camera and photos? - oliwarner
http://thepcspy.com/read/paypal-permissions-microphone-camera-photos/
======
Someone1234
As a long term Android user and a mostly happy one at that, let me just say
that Android's permissions are terrible and basically not fit for purpose.

I'm going to ignore third party solutions that require root, because those
aren't part of the equation for 95%+ of Android users.

Android should have three levels of permissions: Implied (i.e. all apps get
these), explicit (at installation), and prompted (user is asked at runtime).

- Implied ("freebies"): internet connectivity, store data, get a unique
device ID (per app?), store the app's own accounts within the accounts API.

- Explicit (installation): Run in background, use GPS, use the camera, use
the microphone, etc.

- Prompted ("personal information"/"cost you money"): Access your cellphone
number, access your contact list, access your calendar, access your email,
read/send texts, make calls, etc.

Users in the current Android ecosystem learn to ignore permissions pretty
quickly as most are for trivial stuff (e.g. internet access, store data on the
SD card, store an account, etc).

Worse still, a lot of users will skip apps that ask for too many permissions
which is bad for both the app developer AND users. Most developers want to
offer functionality (e.g. share to contacts) but don't want to do so at the
cost of losing users ("Why is this asking to see my contact list?").

Android needs to drop a bunch of "silly" permissions that have no inherent
cost to the user. They're clearly created by an engineer who just wanted to
slap permissions on every kind of API for no good reason. It benefits nobody.

They then need to take permissions which have a cost (either literally or to
user privacy) and set them up rationally so they're either something you get
when installing OR something you'll be prompted for.

Lastly Android needs to add a description field to the permissions manifest
where the developer can put in a short explanation for why they need
permission XYZ. Limit it to 128 characters if you wish. The app store can
display these.

I install fewer apps on Android largely because many ask for too many
permissions. If Google makes it really easy for me to protect my personal
information (e.g. prompts) I'll literally spend more money on their store
because I'll feel more safe to do so. As a developer I'll also offer more
functionality to my apps as there is no permission "cost."

~~~
jessaustin
This is great stuff. I kind of wish they would hire you to run this. Another
idea I've had would be for the user to be able to install an app without
giving it the perms it "requires" (perhaps by unchecking some boxes in the
dialog). Then apps would be responsible for handling a "no you can't see the
contact DB" API response. Or they could crash I guess. The point is that users
could effectively renegotiate with apps, e.g. "yes I'd like to use NFC to pay,
no I don't want you to be able to record everything that's going on around my
phone".

~~~
TheLoneWolfling
Actually, you'd want three settings:

Yes, No, and spoof. Otherwise far too many apps would just go "I won't work
until you enable the settings I ask for" - and then we're right back at the
current situation.

~~~
sounds
Close. Yes, and spoof.

It is none of the app's business if the "camera" it sees is actually just an
animated GIF (in essence).

It is none of the app's business if the "location" information it receives
says, Mountain View, California. Wow! Look how many customers live in
California. :-P

In short, the app should not even get the yes/no data from the user.

~~~
TheLoneWolfling
That possibly works.

But at the same time, I have a feeling that there would be frameworks popping
up all over the place for recognizing spoofed settings. Yes, you'd end up with
the same thing with an explicit "no" option, but the segment of users choosing
"spoof" would presumably be smaller, and as such presumably the gain of an app
adding functionality to detect spoofing would be smaller.

Although I personally think that the best option is, given that Android has
the app store, have it part of the verification process that unrelated
functionality of an app must work when functions are disabled.

~~~
sounds
Since the spoofed data is an API, your proposed framework to "recognize
spoofed settings" must solve the halting problem -- impossible.

The spoofing API actually has only one requirement -- keep the app from
accessing real data.

------
patmcc
You're blaming the wrong people - assuming those are good and valid features
(and they are for some users), what do you expect Paypal to do? They can't
send you a stripped down app with only some permissions but give me one where
I can take a pic of my credit card.

Android needs to support granular permissions at runtime, then you can deny
Paypal access to your microphone if it ever tries to run.

~~~
oliwarner
I completely agree. This needs to be fixed in Android...

But I still find it annoying that I can't install the Paypal app without
giving them a free wiretap in return. In my eyes, bloating an application out
to a state where it needs all this stuff is almost as harmful because it puts
users in situations where they're handing this access out without thinking.

Edit: I've pushed a pretty major edit to the post to give a bit more focus to
Android but also to point out that Paypal _could_ be a lot more responsible
too. They could (for example) farm out all the privileged code to plugins and
package them as separate apps. It's more of a pain for some users, less
invasive for others.

~~~
e40
_I completely agree. This needs to be fixed in Android..._

This is the primary reason I root my Android device and why I buy Nexus
devices (I don't do Android development). XPrivacy and other apps allow you to
revoke permissions individually, which is what Google should have baked into
Android itself, without the need to root.

------
makmanalp
A lot of comments seem to be missing that the issue is less about permission
granularity and more about pre-asking for any and all permissions that the app
may use. Runtime permissions would solve the issue - using the camera? Ask the
user. Then the user can decide to allow once or allow every time. Of course,
you'd have exceptions for some common things - store data etc.

The current model is rather like giving a teenager a credit card and hoping
they'll be responsible rather than giving them an allowance or having them ask
you when they need money. The user has no clue how the permissions are being
used after they're forced to allow during installation.

~~~
TheLoneWolfling
Better yet: allow once / allow for <x> period of time / allow in foreground [
] allow in background [ ].

~~~
gokhan
Too complex.

------
mikestew
Seems the post is less about "why u need camera?", as the author gives
reasonable explanations for the "why", but more about why aren't Android
permissions more granular? I think the answer to that question is how often
should the user be bothered to think about permissions? Android gets it all
done up front, at the cost of it being "all or nothing". Apple lets you deny
permissions at runtime, at the expense of bothering you each time the app
wants to use (say) the camera.

None of which makes the post particularly front page worthy. "Why does
$RANDOM_APP need to use my microphone?" Because of the Android permissions
model, which has been rehashed to death; next question.

~~~
zipperhead
I don't think the solution is to ignore it though. Maybe it needs more calls
to change the implementation and fix the core issue.

------
sevenproxies
Device fingerprinting is a big boon to fraud prevention. The more data sources
that can help uniquely identify a device the better. I know some fraud
prevention companies require merchants to include an image (png), javascript
and flash file on the checkout pages to profile a customer. Flash can access
your microphone, camera and local storage (flash cookies).

Fraud is a big deal for Paypal, although I do not know if such permissions
are needed in device fingerprinting on apps.

Interestingly, from a privacy point of view, more granular permissions to
device features might not necessarily equate to greater anonymity. If most
device users do not care or know about the privacy implications and accept the
app's permission request, those who don't accept become the minority.

------
carterparks
Camera is used for their mobile check deposit feature:
[https://personal.paypal.com/us/cgi-bin/?cmd=_render-content&...](https://personal.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=marketing_us/mobile_check_capture)

Microphone could be used for some kind of dictation feature?

~~~
maxxxxx
Haven't they cancelled that feature? I remember getting an e-mail.

[http://consumerist.com/2014/06/16/paypal-discontinues-mobile...](http://consumerist.com/2014/06/16/paypal-discontinues-mobile-check-capture-as-of-um-yesterday/)

------
thrownaway2424
Their app can also OCR the face of your credit card, for what it's worth.

~~~
adyus
The poster's point still stands, though. The user should decide whether to
allow that permission on a case-by-case basis.

Sadly, that's a problem with Android, not Paypal.

~~~
wodenokoto
If it's Android's problem and not Paypal's, I'm not really sure if it stands,
then.

~~~
adyus
Granted, the title and tone are a little sensationalist.

In fact, you're right. The main point is invalid, the author only saves face
toward the final paragraphs, when mentioning iOS.

------
xienze
If I had to take a guess they're using something like Phonegap/Cordova (i.e.,
this is a hybrid mobile app -- basically just a browser view with HTML content
and JavaScript that can make use of the device's hardware and accounts). A
common mistake I've seen is people using the stock Android manifest that comes
with Phonegap/Cordova. This manifest enables ALL permissions so all the native
functionality plugins "just work" out of the box. However, you're supposed to
pare down the manifest to remove permissions for things you don't actually use
so you don't end up in this situation.

~~~
yourad_io
This is PayPal, remember? The likelihood they're using PhoneGap is so low that
I'm going to state it isn't, without Googling it. ( _gasp_ ) Did you read the
first article?

~~~
abitsios
And indeed it isn't (got the latest com.paypal.android.p2pmobile from the play
store and checked). They do have _an_ HTML component to their app, a Tour
guide found in assets/ ("Pay with PayPal in Stores!").

I'm the same person as above, btw. I have noprocrast on that account. It is
working very well for me ;)

They have, however, authored a Cordova plugin for others to use the PayPal SDK
easily from their PhoneGap apps [1].

[1] [https://github.com/paypal/PayPal-Cordova-Plugin](https://github.com/paypal/PayPal-Cordova-Plugin)

------
ttola
This is a problem with android/ios or the app development process entirely. If
permissions could be requested on demand within an app after installation,
the initial permissions sought won't be as intrusive. For PayPal, their
userbase is quite large, and because you don't use a feature, doesn't mean a
million users elsewhere don't.

So, imo, the app's permission handling is to blame here.

~~~
theatrus2
iOS has always supported at-runtime permission requests (microphone, camera,
camera roll, location, contacts, etc).

------
qwerta
It is Windows all over again. Just block internet access on everything and
allow only a few apps to access the internet.

------
mhb
Why does X need access to Y?

[https://play.google.com/store/apps/details?id=com.dcentral1....](https://play.google.com/store/apps/details?id=com.dcentral1.android&hl=en)

~~~
Animats
For a while, there was an Android app, App Ops, which let you turn off
permissions for other apps.

Google took it out. They claimed it would cause "user confusion", when
badly-written apps crashed trying to use some feature they were barred from
using.

[http://www.cnet.com/news/why-android-wont-be-getting-app-ops...](http://www.cnet.com/news/why-android-wont-be-getting-app-ops-anytime-soon/)

------
yawz
A good workaround to having to ask for too many permissions is for the app to
explain the intent before the permission pops up. I find this offers a much
better experience in general.
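Taking jessaustin's, makmanalp's and yawz's comments together (ask at the moment a feature is used, explain the intent before the prompt, and keep working when the answer is "no"), here is what that looks like in app code under the runtime permission model Android later shipped in 6.0. This is an added example, not code from the thread, from PayPal's app or from any project; the activity name, the request code and the two fallback methods are placeholders, and it assumes the AndroidX compat helpers (`ContextCompat`, `ActivityCompat`, `AppCompatActivity`).

```java
// Added example: an Activity that asks for the camera permission only when the
// user taps "scan card", explains why first if the user has declined before, and
// degrades to a typed-in form if the answer is no. Assumes Android 6.0+ runtime
// permissions and the AndroidX compat libraries. CardScanActivity,
// REQUEST_CAMERA_FOR_CARD_SCAN, startCardScanner() and showManualCardEntry()
// are placeholders invented for this example.
//
// The manifest should still declare only what the app actually uses, e.g. just
//   <uses-permission android:name="android.permission.CAMERA" />
// rather than a stock template that lists every permission a plugin might want.

import android.Manifest;
import android.content.pm.PackageManager;
import android.os.Bundle;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AlertDialog;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class CardScanActivity extends AppCompatActivity {

    // Arbitrary request code so the callback can be matched to this request.
    private static final int REQUEST_CAMERA_FOR_CARD_SCAN = 42;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Deliberately no permission request here: nothing has been asked for yet.
    }

    /** Called when the user taps "scan card". Only now does the camera matter. */
    public void onScanCardClicked() {
        int state = ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA);
        if (state == PackageManager.PERMISSION_GRANTED) {
            startCardScanner();
            return;
        }
        if (ActivityCompat.shouldShowRequestPermissionRationale(this, Manifest.permission.CAMERA)) {
            // The user declined once already: say what the camera is for before
            // the system prompt appears, and offer the non-camera path.
            new AlertDialog.Builder(this)
                    .setTitle("Camera access")
                    .setMessage("The camera is used only to read the numbers off your card. "
                            + "You can type them in instead.")
                    .setPositiveButton("Continue", (dialog, which) -> requestCamera())
                    .setNegativeButton("Type it in", (dialog, which) -> showManualCardEntry())
                    .show();
        } else {
            requestCamera();
        }
    }

    private void requestCamera() {
        ActivityCompat.requestPermissions(this,
                new String[]{Manifest.permission.CAMERA}, REQUEST_CAMERA_FOR_CARD_SCAN);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode,
                                           @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQUEST_CAMERA_FOR_CARD_SCAN) {
            return;
        }
        // grantResults is empty when the request is interrupted; treat that as a denial.
        boolean granted = grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED;
        if (granted) {
            startCardScanner();
        } else {
            // "No" (including "don't ask again") is a valid answer: the feature falls
            // back to manual entry and the rest of the app is unaffected.
            showManualCardEntry();
        }
    }

    private void startCardScanner() { /* placeholder: open the camera-based scanner */ }

    private void showManualCardEntry() { /* placeholder: show the typed-in form */ }
}
```

The design point is that the prompt is tied to the user's own action, so the question "why does this app need my camera?" answers itself at the moment it is asked, and the denial branch is a real code path rather than a crash.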

------
buzzgen
Yet another example of "Why Smart Phones Aren't". Google it.

------
buzzgen
Yet another example of why "smart" phones aren't.

------
ck2
Lots of permission managers for CyanogenMod.

