As I’m trying to be a responsible cyber security academic, many app updates on my Android phone provide me with a dilemma. When Google Play offers an app update, it doesn’t normally tell me whether it fixes vulnerabilities, or just changes functionality. So, from the security perspective, I should just install the update; from the privacy perspective, however, when the app update wants new permissions I should refuse it.
I’ve gone on record before that I don’t use the Facebook app on my mobile. My phone contacts haven’t given me permission to share their phone numbers with Facebook, and the app somehow wants to read my text messages too.
In practice, I always have some updates remaining in Google Play that don’t get installed because they want permissions added that I don’t think they need. Sometimes that’s not even really from a privacy argument but merely stubbornness.
I/O 2015: “More Granular Permissions”
During the recent Google I/O Event, news came through that Android M would have “more granular permissions”. More granular is good: apps don’t need to grab a whole set of permissions to be able to do a little thing. But I tweeted in response saying that I needed more changes to the permissions set up to update (for example) the London Tube Map app, as I don’t want it to access my calendar at all. As far as I’m concerned it’s feature-bloat: my use of the app doesn’t require it, and if they insist on adding a feature that does, that feature should really ask for permission as and when (not possible in Android now).
An interesting discussion with the makers of the London Tube Map (@TubeMapLondon) followed. It turned out that the app actually didn’t have a feature using the calendar! Rather, they were catering for adverts that might want to add calendar events. My first objection to that was that ads could use apps with the appropriate permission to change the calendar, rather than doing it themselves. More importantly though, surely this couldn’t scale? All apps with ads, grabbing all the permissions that all their ads might potentially want? I stuck with not installing the app (it also wants in-app purchases, media, and call info, by the way) and thought no more of it.
Weeks later, on my next visit to London, I used the London Tube Map app again (still the old version, of course). With ads. And suddenly it all became crystal clear. Ads served by … Google. The same Google who give whatever permissions they like to the built-in Android apps that you can’t remove. They own the platform. By serving the ads on third party apps, they own the platform twice over. No wonder they’re a bit arrogant about permissions, and no wonder app builders don’t object too loudly to being forced to ask for permissions they don’t need.
Today, the Future of Privacy Forum has a post which suggests Android M will indeed allow what I was hoping for. Apps install with only the essential permissions, and the extra ones can be enabled (or refused) at the time that the extra features need them. Looking forward to that!