On Android’s Application Permission Systems
I’m a big fan of Android’s permission model. To recap, it’s a system where you’re told, in advance, the rights that an application requires to run. A simple calculator, such as the excellent RealCalc Scientific Calculator, should demand no permissions at all.
It can’t send or receive data on the internet. Nor can it read my phone number or SMS messages, make calls, etc. The rights system tells me the “surface area” exposed to it.
Other applications, such as the ZXing Team’s Barcode Scanner, have a much broader rights demand (click on the permissions tab). I originally put off installing that application after seeing that it demanded the right to read and write contact data. I later learned that it uses that to turn contacts into barcodes, and to import contact barcodes.
Angry Birds Screws Up
As ideal as the Android security model is, it was widely panned as being too complex for an average user: users would simply click past the warnings, as they tend to do when it comes to security matters.
This past week Angry Birds pushed an update that added a new right request: the ability to read and send SMSs on your device. Such a right change disables auto-update for the application, forcing the user to approve or deny the new version. Many users denied the update, and many took to the comments to raise the warning bell about this disturbing change in permissions.
People were paying attention. Rovio quickly attributed it to human error (?) and pushed out a new version that retracted that permission escalation.
It was an excellent example of the permission system working brilliantly, and perhaps an example of a small subset of users acting as the sheepdogs, looking out for wolves.
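The update gate described above, modelled as an added example (my own code, not anything from Android or Rovio): parse the permissions each version declares in its manifest, compute what the update newly requests, and refuse to auto-update when that set is non-empty. The two manifests are constructed samples with a made-up package name.

```python
"""Model of the Android update gate: an update that requests any permission
the installed version did not have cannot auto-update and must be approved
by the user. The manifests below are constructed samples, not real files."""
import xml.etree.ElementTree as ET

# The android: attribute namespace used in every AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the installed version only asks for network access.
OLD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.birds">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: the update adds the ability to read and send SMS.
NEW_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.birds">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def permission_escalation(old_xml: str, new_xml: str) -> set[str]:
    """Permissions the new version requests that the installed one did not."""
    return declared_permissions(new_xml) - declared_permissions(old_xml)


def can_auto_update(old_xml: str, new_xml: str) -> bool:
    """Silent update is allowed only when nothing new is requested.
    Permissions that are dropped never block the update."""
    return not permission_escalation(old_xml, new_xml)


if __name__ == "__main__":
    added = permission_escalation(OLD_MANIFEST, NEW_MANIFEST)
    print("newly requested:", sorted(added))
    print("auto-update allowed:", can_auto_update(OLD_MANIFEST, NEW_MANIFEST))
```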
How The Permission Model Can Be Improved
Aside from the third-party curation of the market that I described previously, whereby a third party could validate appropriate permission sets relative to the functionality of the application, one huge improvement would be the addition of optional permissions.
In the case of Barcode Scanner, it has access to a large surface area despite the fact that I have no intention of ever using that functionality of the application. Ideally I should have been able to deselect contact access, for instance, and the application would simply detect, through discovery, that the permission is missing and disable that aspect of its functionality.
Optional permissions would stop the “kitchen sink” element of permissions that is increasingly common.