Google's backward step on Android app privacy

Summary: The latest changes to Android's app permissions take a broken model and make it worse. It's time for a complete overhaul.


"To help make it easier to understand what an app will have access to, the Play Store has recently made improvements to how permissions are displayed," writes Google, explaining its new "simplified" permissions model for Android applications. "This information can help you make an informed decision more easily on whether you would like to install the app."

Except that it doesn't. It's broken. It's more like a dumbing down than a simplification. And it deliberately introduces a way for apps to change their permissions without notifying the user and gaining specific consent. It's just wrong.

Google's heart, if it has one, may have been in the right place when they started work on this. App permissions are notoriously hard to understand, even for technically aware users — something that Facebook seems to have turned into a business model. If users are confronted with a long list of options to review, they won't read it, let alone understand it — which means they can't really be said to be giving informed consent.

Google has therefore created 13 "permissions groups", one for each broad area of device functionality — location, SMS, camera and microphone, device ID and call information, and so on. While you can drill down into each category and see which of the more fine-grained permissions an app is requesting, Google clearly intends that most users will just look at the top-level permissions groups and make their decision on that basis.

And that's the problem.

"Once you've allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won't need to manually approve individual permissions updates that belong to a permissions group you've already accepted," Google writes.

So great. It's now possible for an app's permissions to change during an automatic update without the user being informed.

Let's say an app asks for your coarse network-based location data when first installed, and you install it on that basis. Later it could up that to access your fine-grained GPS-based location, without you being told.

Or an app might initially ask for permission to receive SMS messages, but later up that to being able to edit and send them invisibly.

Those are just two quick examples. Please don your tinfoil hat and spend a few moments thinking up more ways to cause mischief by upping an app's permissions after the fact.
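The two escalations described above, written out as a small audit that compares the per-permission consent model with the permissions-group model. This is an added example, not code from the article or from Google; the permission names are real Android manifest permissions, but the group table is a simplified stand-in for Google's 2014 groups and is an assumption, as is treating any permission outside a known group as one that still prompts.

```python
# Added example, not from the article: models the consent change the article
# describes. Permission names are real Android manifest permissions (the
# android.permission. prefix is omitted). GROUPS is a constructed, simplified
# stand-in for Google's 2014 "permissions groups" and is an assumption, as is
# treating any permission outside a known group as one that still prompts.

GROUPS = {
    "Location": {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"},
    "SMS": {"RECEIVE_SMS", "READ_SMS", "SEND_SMS", "WRITE_SMS"},
    "Camera/Microphone": {"CAMERA", "RECORD_AUDIO"},
    "Device ID & call information": {"READ_PHONE_STATE", "CALL_PHONE"},
    "Identity": {"GET_ACCOUNTS", "READ_PROFILE"},
}
PERM_TO_GROUP = {p: g for g, perms in GROUPS.items() for p in perms}


def approved_groups(granted):
    """Groups the user has already accepted, derived from the granted permissions."""
    return {PERM_TO_GROUP[p] for p in granted if p in PERM_TO_GROUP}


def audit_update(installed, updated):
    """Compare what an update newly requests against what was accepted at install.

    Returns (silent, prompted): permissions the group model grants with no new
    consent, and permissions that still trigger a prompt. Under the older
    per-permission model every added permission would have prompted.
    """
    added = set(updated) - set(installed)
    accepted = approved_groups(installed)
    silent, prompted = [], []
    for perm in sorted(added):
        group = PERM_TO_GROUP.get(perm)
        if group is not None and group in accepted:
            silent.append(perm)
        else:
            prompted.append(perm)
    return silent, prompted


def article_scenarios():
    """The two escalations described in the article, run through the audit."""
    # Constructed manifests: coarse location at install, fine location after an update.
    location = audit_update(
        {"ACCESS_COARSE_LOCATION", "INTERNET"},
        {"ACCESS_FINE_LOCATION", "INTERNET"},
    )
    # Constructed manifests: receive SMS at install, then send and edit them too.
    sms = audit_update({"RECEIVE_SMS"}, {"RECEIVE_SMS", "SEND_SMS", "WRITE_SMS"})
    return location, sms


if __name__ == "__main__":
    for name, (silent, prompted) in zip(("location", "sms"), article_scenarios()):
        print(f"{name}: silently granted {silent}, would still prompt {prompted}")
```

Running the same audit over the permission lists of an app's successive APK versions shows which additions an automatic update would have slipped through without a prompt.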

How about this idea. You start by creating some stupid novelty app. Something like the embarrassingly stupid Yo, which does nothing more than send the word "Yo" to other people with the app installed. Somehow Yo has already scored $1.2 million in investment. You ride the viral wave, then wait for people to get bored and forget about it. But the app is still there, running some background communication process. It gradually ups its permissions in successive automatic updates. Six months later, you've got an instant mobile botnet.

Google says, however, that it has systems to scan apps and "evaluate some of the permission requests that were previously displayed in the primary permissions screen, flagging and removing apps with potentially harmful code". So presumably they work perfectly and this scenario is just my fantasy, right?

Now of course you could always turn off automatic updates, and manually review every app's permissions at every update. But if the whole point of this change was truly to make things simpler — and I have no reason to doubt Google's word — then it's failed. The alleged simplicity requires you to give up informed consent.

Google's problem is that they're looking at app permissions from the app developers' point of view, in terms of how things work under the hood, not that of the users and their interactions with the world.

There's a permissions group called "Identity", for example, which contains access to user accounts and their contact cards. But over in the "Device ID & call information" group, there's access to device IDs (such as the IMEI) and phone number. I'd put money on the average user considering them to be identity information too, given that smart devices are personal devices, no matter where they sit in the operating system architecture.

Which brings me to one of my pet gripes.

This entire model for app permissions is useless. It's based on an old-fashioned systems administrators' view of file systems, not on the data and its uses.

This model assumes, for instance, that being able to read data from a device's storage is less dangerous than writing to storage. But from a privacy standpoint, it's often the other way around.

I don't mind a social camera app taking a picture now, when I press the button, and then sharing it to the network and writing it to storage. But I'd rather it didn't rummage through the other photos on my phone. I don't mind an app accepting an inbound message and adding an entry to my calendar, but it has no business looking at what's already there, and certainly no business exfiltrating that data over the network. And I don't mind an app looking up the phone number of a specific contact when I want to message them, but let's not do a Snapchat and steal my entire address book, OK?

There's also a problem with the all-or-nothing approach to app permission requests. If I want to use just some of the app's functionality, I still have to give it everything it wants — or do without.

Apple's iOS lets apps ask me for specific permissions as they're needed. Can this app have access to your contacts? Can it know your rough location? I answer as I wish, and developers who are used to writing in this environment are encouraged to provide a graceful degradation of functionality if I refuse.

Android's all-or-nothing approach might have been suitable in the industrial age, when the only way to scale up was to make everything identical. But it's time for this dull approach and the privacy-dull applications it produces to go.

"Google continues to actively look for new ways to improve how permissions work for users," the company writes. Excellent idea. How about talking to some users outside the confines of the app developer miniverse, find out how they think about privacy, do a bit of privacy engineering, and work that back into Android?

Topics: Security, Mobility, Privacy


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.



  • I know android has always had the philosophy of minimizing

    prompts during run-time, instead making it a one time thing during installation. I wouldn't say it's "broken" but it's just a difference in philosophy for better or worse. I've heard a lot of complaints about the way iOS works. Security is always a tradeoff with convenience. Personally I don't like being nagged with a lot of questions. I do manual updates and do verify the permissions and the reasons for them. I think if there was a big problem you'd see things being done differently by Google.
    • yes, this minimizing is called iDi*cy

      these days with Sundar Pichai is a disaster for users and soon for Google

      Google should really get rid of this Android destroying manager

      soon we are going to lose root with this guy full of disastrous steps for Android
      Jiří Pavelec
      • so it's time to teach people not installing so much apps = Google loss
        Jiří Pavelec
  • Yo

  • privacy and google

    That is what they call an oxymoron... If you're hoping Google does anything about protecting privacy you're barking up the wrong tree...

    In fairness you could also gripe about permissions on WP as well - I do development so I know that the bulk of permissions needed is to allow the advertising to work, but an end user doesn't know that and there's no easy way of making them aware.
    • Oxymoron

      How right can you get? It is really a wonder that ANYBODY would still trust Google with ANYTHING as far as privacy is concerned ...
      One has to come up with a total strategy to bypass these privacy issues. And although today there is of course no longer the possibility for a 100% secure environment, one can raise the barriers sufficiently. My company has done that, after having consulted with a specialist in the field: eSolve (
      • Apple has far more problems with privacy, Apple is the biggest threat in IT

        "Apple sued for collecting and selling customers’ personal info"
        "The U.S. National Security Agency has the ability to snoop on nearly every communication sent from an Apple iPhone"
        "iPhone is most vulnerable, least secure smartphone in the market, security firm finds"
        "iOS apps said to crash more than twice as often as Android apps"
        "Apple iOS Apps Leak More Personal Info Than Android"
        "40% of iOS popular apps invade your privacy without any permission"
        "iPhone Security Flaw Can Let Apps Act as Keyloggers" = Everyone knows what you type.
        "Most Mobile Banking iPhone Apps Are Full of Security Flaws"
        "Seemingly benign “Jekyll” app passes Apple review, then becomes “evil”"
        "iPhones, iPads Hacked And Held For Ransom"
        "iOS 7 Security Flaw Leaves Stored Email Attachments Unencrypted"

        Google is a saint in comparison with Apple
        Jiří Pavelec
        • Apple Accused Headline Collection

          Been collecting those for a while now, eh?

          Sorry to disappoint, but Google is by far the biggest threat to user security. They bake it into their TOS, and it IS their entire business model.

          Apple sells a product to end-users.

          Google has no product - other than the end-user - whose information they sell to advertisers.
          • Not much smart, right? :)

            are you disappointed about the facts that Apple is the biggest privacy threat?

            If Google sold data to advertisers Google would lose its business. Not much smart, right? :)

            Apple and Facebook are selling our data
            Jiří Pavelec
  • I agree

    I totally agree with the article. Android's permissions is a mess. That's why I use Firefox OS now.
  • Android is an utterly broken platform

    Android is full of security holes and privacy abuses by Google, and some other developers/companies make it an ugly environment.
    • Right. Also the Windows you are using is full of security holes

      And how about all those various MS abuses of privacy. There's just nowhere to turn these days. Maybe Apple?
      • Windows isn't the only software application that has flaws...

        None of the major operating systems and the accompanying add-ons is free of flaws.

        When you're ready to develop an operating system, and then stake your life on the fact that it has no flaws, come see us. Otherwise, stop beating up Microsoft as if they are the only one with flaws. They issue patches at least. Every month.

        What does Google do with Android? You have to wait for a new version of the operating system?

        Apple has had some very noticeable flaws in some of their recent releases too.

        Let's face it. Human beings developing software will introduce flaws in their code. The real test is what you do when a flaw is discovered and how long it takes to fix it.
        • That depends on what the Goal is.

          Overall, TechPundit, you are correct, but only because all of the major operating systems share the Goal of creating an OS that is designed to allow advertisers — i.e., people whose main purpose in life is to exploit human weaknesses to earn money — to use the OS to gain access to the users. It's much the same as politics has become these days. Only the very newest politician actually represents the people who elected him or her. Most politicians represent the concerns of the business or lobbyist who pays them the most money! OS builders tailor their OS to meet the needs and concerns of the advertisers or gaming company which underwrites them with the most money.

          No one represents the real people who use computers or who do most of the real work in our world today. Unfortunately, I see little chance of this changing any time soon, if ever!
        • Following the MS Example?

          Microsoft has long been able to secretly change your update settings from Notify to Automatic & will then restart your PC regardless of the processes running at the time.
          Just last night I came back several hours later to check up on our spare W7 PC labouring on an extensive video rendering task only to find MS decided to take over & dump it in order to update & reboot.
          Time to switch it over to Linux as well?
    • Fowlnet... welcome.

      Windows is historically a terribly insecure privacy invading OS made by a company convicted of illegal activities on more than one occasion and whose then CEO has a terrible memory when asked about such things on the stand.

      See? We can all make sweeping statements when we want to.. the difference is that everything I've said is true.. everything you've said is shilling in ignorance since you don't even own an Android device.
  • So Much easier if Google...

    Would bake access permissions into the OS on the app page.
    Sliders for:
    Allow app network access.
    Allow app GPS location access
    Allow app access to data directories other than its own.
    Yes, it would mean they'd actually have to rewrite a good part of how the hardware is allowed to interface with apps, but the public would have a much safer device.
    But, doing so also would deprive Google of revenue, because their own apps would fall into the same controlled bucket, so I doubt it would ever happen.
  • Lots of questions arise ...

    For example, I know it is possible to hack malware onto a laptop that accesses the builtin webcam. I can stop that (and have) by taping a piece of cardboard over the camera, which I can open up like a flap when I really do want to use it (very seldom). But on a smartphone or tablet? There's no way to make a lens cover stay on reliably so I pretty much have to trust that no pictures (from EITHER side of the phone) will be taken when I am not using the camera, the banking deposit app, or the QR code reader. The mikes in all such devices are even worse, because covering up the hole doesn't block the sound.

    But sometimes, the attempt to turn features off causes unintended problems.

    I have a weather app that offers the choice of using the "current location" or a zip code entered on the settings page. But I prefer to leave location OFF when at home, not only for the privacy, but to SAVE POWER. I found out that if I turn location off at home BEFORE the weather app has updated enough times to be satisfied that it IS at home, it gets lost and asks for the location. Why not have the ability to save the exact "home" location and use that when location is turned off?

    Wifi causes some other problems. I want it on at home, and when I am at a known site. But leaving it on by default wasted POWER when not in range of a network. What is worse, many business locations in my area have "free" wifi for subscribers of several (in fact, all but one) major cable TV and internet providers; just pick your company on their signup screen (which pulls up your browser, of course), sign in and you have free wifi. The problem is that I subscribe to the ONE exception, so I can't sign in. But when browsing in those locations, unless I turn wifi off manually, they keep interrupting what I am doing WITHOUT using wifi to pop up that signon screen. And even if you check the option NOT to do this again, they keep doing it.

    So am I just paranoid, or are there apps that will hide on my phone and show my face, or whatever is on the other side of the phone, along with relaying whatever I say, to some stranger, without my permission?
  • Virtually every aspect of Android is a horrific joke...

    The APIs were developed by brain dead filth. For example, the callback for the camera APIs is called Callback. Gee whiz filth, do you suppose you're writing the only API? Endless bugs which if there were a scintilla of intelligence anywhere within the Android teams would have been fixed. And not obscure items, big items that have been there for YEARS. Comically, Google is either unwilling or unable to fix this disaster. Microsoft as always is gifted an inept brain dead competitor.
  • I Detest Apple But Android Is Gaining On It VERY Quickly

    I've both a Motorola Razor Maxx (personal) and an iPhone 5 (work). I detest Apple on general principles but I can't knock their hardware. I got the Maxx because it's not Apple and because I'd had good luck with Moto hardware in the past, and I can't complain about the Maxx in this regard, either.

    However, there are two things about Android that are really pushing me to replace the Maxx with an iThing:

    The first one is the completely over-reaching permissions that any Android app requires. I'm not really sure that iThing apps are all that much better, but I can't imagine that they are worse. It's something I'll have to look into.

    The second one is that I am completely at Verizon's mercy for updates to the OS and Verizon's update policy is lift telephone number, remove device, insert NEW device, lower telephone number. This has nothing to do with whether the phone will run the latest and greatest (?) version of Android and everything to do with Verizon not making any money from repackaging the upgrade.

    To be perfectly honest, I've given serious thought to having a phone that just makes phone calls and text messages because the things are so intrusive.