Android app permissions need to be much clearer

Android app permissions need to be much clearer

Summary: Android apps need to communicate the security permissions they require clearly, not in the form of arcane incantations that the masses cannot possibly understand.

TOPICS: Mobility, Android

As we've slid from the era of the PC into a post-PC age, it's easy to think that everything is rosy in the mobile world. But its not.

I'm looking at you, Android.

Don't get me wrong, I like Android. I really do.  It's not my mobile platform of choice, but mostly that's because I settled on iOS back in the days of the iPod touch and sort of stayed there. I like the Nexus hardware, and I'm especially fond of the Kindle Fire HDX, preferring it to my iPad. But there's one aspect of Android that I think is totally user-unfriendly — and that's app permissions.

App stores for Android devices show you what permissions an app requires to be able to run. The idea is that this helps the end user make an informed choice as to the apps they install. In theory this allows you to spot nefarious apps that might be pilfering your contact details or indulging in other forms of mischief.  

But, and the old adage goes, the difference between theory and practice is that in theory it works, but in practice it doesn't.

The reality is that Android app permissions quickly decend into arcane incantations. Take a look at this entry for an app in Amazon's app store (the store doesn't matter, you see the same sort of spells in Google's app store too).

Android app permissions

You or I might know – or know how to find out – what this stuff means, but there are millions of users out there who don't. And as more and more people take their personal devices into their workplaces and connect them to the business infrastructure, this is going to put increasing pressure on endpoint security to keep things secure. Getting users to be vigilant is the first line of defense, but you can only ask them to do that if the information they are being given is understandable.

I'd like to see Android address this. I know that creating security and error messages that are comprehendible is not easy – and it's something that even Microsoft and Apple haven't fully perfected, but if app stores are going to bubble this sort of information up to the surface for the masses to digest, then more needs to be done to make it accessible.

Topics: Mobility, Android

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Totally agree, they're too complicated for technical users alone

    At least Google does show you though, Apple doesn't even give you any idea what permissions iPhone/iPad apps are going to get!
  • My major bug'a'boo

    WHY do they need to know and/or have permissions to my contact list? My customers are my customers, not theirs.
    But more importantly, my customers are PRIVATE.
    I mean, who the heck wants oBLAHm's private # ?
    • Selective permissions are needed too

      Permissions should not be an all or nothing proposal. Grouping permissions into two groups like mandatory and optional may help as well.
      Bruce Lang
      • All app features tied to optional permissions

        Or how about giving the user the option to decline any number of feature permissions, and yet still be able to install the base app. After hitting the "Install/Upgrade" button a confirmation dialogue could appear that says, "Are you sure you don't want to be able to do enhanced stuff like A, B, C, & D with this app?" I would be an informed user that knows how I just crippled an app in minute ways before I then click "Agree". (or not, and click "back") This way I get use of the app but not of features that I don't really want, especially the privacy/security compromising features. Right now I'd be using Evernote if it didn't need access to the camera and microphone on my brand new Galaxy Note 3.
        • Evernote...

          You have the ability to take pictures or dictate notes into Evernote, thus the requirement for camera and mic. I use both of these all of the time. You obviously don't, which is fine - just know that these permissions are purely in line with the end user's usefulness of the app, as opposed to many where permissions are being sought for questionable and unsafe practices.
      • Agreed

        I had an update for a game, it suddenly wanted extra permissions, it wanted to "see accounts on my device" and "see other processes running". It also needed network access, as it was getting a multi-player mode, that was understandable but it shouldn't need to see what accounts I've set up!

        Needless to say, I haven't installed the update. If I could set which permissions it gets, I would be much happier (i.e. from the list of permissions, each would have a slider for allow / disallow and it would have to disable the functionality in the app, where it doesn't have permission).

        Or at least a brief note in the description saying why it needs that access.

        For example, WHY does Facebook want to read my SMS's? Okay, I don't use Facebook, so it isn't an issue as the app isn't installed, but it is a prime example. SMS are inherrently something private, I don't want apps poking around in my private correspondance.
    • really?

      If the app you're referring to is a communication app of any sort the answer is obvious... What is the app you're referring to?
      Andrew Hargrave
    • Reason #1

      Because the app needs to display your contact list to you so you can pick a contact. Just because an app uses your contact list, doesn't mean it's uploading to the developer for nefarious purposes.

      The whole point of the permissions is so you can decide. So spare us the righteous indignation and get some therapy, you desperately need it.
      • You almost had my vote...

        ...until I read the last paragraph. The all or nothing permission system in Android is definitely better than nothing (at least it's easier to see what the app is accessing), but I see no logical reason not to give the user the option of deciding which permissions to give which app.
        John L. Ries
  • Store type DOES matter

    The Play Store's permissions are written in completely plain English. Very easy to check, go on actually USE the Play Store... Unless of course you're using Gingerbread or something... At least from JB (probably ICS) all permissions are in complete layman's terms with a short description for every one of them too.

    Another non-researched, clueless article from Kingsley
    Andrew Hargrave
    • Don't know about that one

      Yes, you get a long list of permissions that you might understand if you looked at it for 15 minutes or so, but nothing about why the app needs them, and it's always all or nothing (grant all permissions or don't use the app).
      John L. Ries
      • That's the key

        no information on why it needs permissions and no way to selectively give it permission.

        If I want a camera app, but I don't want it to put location meta data into the files, it doesn't need access to GPS or location services, but the rest of the functionality would be unaffected.
  • Not clear at all

    I think Android permissions are too blanketed. Google and facebook for example both want access to everything which is not right. Apps looking for permissions should justify the need for that particular permission for the working of the app. It is not the fact of needing to modify the client list but if so why does it need to. Where does it relate to the working of the app. In some windows programs if I need to do something it asks for permission at the time I am doing it not a blanket permission for an app to arbitrarily call out or take pictures and audio. I should never have to give a permission like this as the developer could take advantage and do so anytime. Does it happen, most likely not or at least not often. The fact the permission is given means however it could and that isn't right.
    • Not clear and too broad

      If an app can send a message on my behalf I can understand it needing "access to my contact list" but what type of access does it really need? In some cases it isn't clear whether it can modify the list or only read it -- unless it is an app whose purpose is to manage contacts, it probably shouldn't be able to write to them. And, in truth, unless there is some good reason for it to display the list in another context it shouldn't even be able to read it -- it should call a routine in Android to have the system present contacts to me, let me choose one, and have only the data for that contact returned to the app. Too many of the permissions seem to just give Carte Blanche to important data to achieve something which only requires access to small selected amounts of data. The OS is giving up too much control and I don't really know whether it is because the OS wasn't written to allow controlled access to the data or if the developer simply decided that they wanted total access -- without knowledge of what is possible I am in no position to judge that the developer is making an unreasonable request.
  • Google really damaged their trust from me...

    ...when they removed the ability to go into each app and granularly assign permissions. Their reasons for removing this feature were lame at best. I love my Nexus 4 and got it for the updates of pure Android but I am really thinking of Cyanogenmod to add that feature back.
    Rann Xeroxx
  • Boot completed is such a great event...

    Write a broadcast receiver to start a service, and boom, the only way to get the app out of memory is either to uninstall it or manually kill it. And considering that most Android fanboy filth will condescendingly tell you, "Why do you need to kill an app, the system will take care of that for you", most users have no clue how to kill a process. Android, an operating system written by brain dead buckets of puke for the serial killer stalkers of the world.