Mobile apps are harvesting entire address books and uploading them to ad servers, tracking users’ movements via GPS, and doing other nasty things. But Android’s permission system doesn’t do enough to help users fight this.
Android’s permission system offers an all-or-nothing choice that most users will ignore. The hidden App Ops interface looked like an in-development solution to this huge problem, but Google has now removed it entirely.
Why Android’s App Permissions Are Broken
When installing an app, you have a single choice to make. You can choose to grant it every permission it asks for or just not install the app. In a perfect world where apps asked for only permissions they need, this would be fine. In the real world, this doesn’t work well at all.
Apps ask for many more permissions than they require. A typical ad-supported app will ask for everything from access to your contacts to tracking your location via GPS. That means it could harvest your entire address book and record your exact movements, and nothing in the platform stops that data from being sold on to other advertisers.
Android users are trained to ignore permission requests because the lists can be so long and every app, even a reputable one, asks for so many permissions. The lists are difficult to manage and understand, so most people stop reading them.
For example, the official Facebook app for Android currently demands nineteen separate permissions. When installing this app, you give it access to your precise GPS location, contacts, microphone, camera, accounts, phone calls, and more.
Even typical free games often require long lists of permissions for contacts, GPS locations, and other data you may want to keep private.
How Google Just Made it Worse
Android 4.3 brought a hidden feature named App Ops. It wasn’t directly exposed in Android’s interface, but it provided a built-in way to manage app permissions per app and per operation without rooting your device. For example, you could install a free game, then visit App Ops to stop that game from accessing your contacts or GPS location. App Ops didn’t revoke the permission itself; it sat behind the permission check and made the restricted operation return empty data (an empty contact list, no location fix), so the app generally kept running instead of crashing.
App Ops put Android users back in control of their own personal data. It seemed as if Google realized they needed to do something about the permission situation. In the past, new features have been hidden before being integrated into the main Android system. For example, Android user accounts appeared hidden in Android 4.1 before being polished and exposed in Android 4.2.
Privacy advocates like the EFF and Android geeks were hoping to see App Ops integrated in a future version of Android.
App Ops was still around in Android 4.4. In a recent minor update, Android 4.4.2, Google removed the Settings screen that exposed it. The underlying App Ops service is still in the system, but without that screen Android users can no longer manage app permissions from the device itself without rooting it or installing a custom ROM.
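The permission lists in the “Why Android’s App Permissions Are Broken” section and the App Ops removal above come down to the same two practitioner questions: what does an installed app actually request, and can those requests still be restricted? The following script is an added example, not code from the article or from Google. It reads the output of `adb shell dumpsys package <pkg>`, lists the permissions the app requested, and emits App Ops commands for the sensitive ones. It assumes the `appops` shell tool and the op and mode names shown below (present in AOSP builds of the KitKat era and later, reachable from adb without root, but verify on the target build with `adb shell appops`); the package name and the dumpsys excerpt are constructed.

```shell
#!/bin/sh
# Added example, not from the article: audit the permissions an installed app
# requested and emit App Ops restrictions for the sensitive ones.
# Input: the text of `adb shell dumpsys package <pkg>` on stdin. On a device
# that is the real command; below a constructed excerpt stands in for it.
# Assumption: the `appops` tool and the op/mode names used here exist on the
# target build. Check with `adb shell appops` before relying on them.

# Map sensitive Android permissions to App Ops op names (assumed names).
appop_for_permission() {
    case "$1" in
        android.permission.READ_CONTACTS)          echo READ_CONTACTS ;;
        android.permission.ACCESS_FINE_LOCATION)   echo FINE_LOCATION ;;
        android.permission.ACCESS_COARSE_LOCATION) echo COARSE_LOCATION ;;
        android.permission.RECORD_AUDIO)           echo RECORD_AUDIO ;;
        android.permission.CAMERA)                 echo CAMERA ;;
        android.permission.READ_CALL_LOG)          echo READ_CALL_LOG ;;
        *) return 1 ;;
    esac
}

# Print the permissions listed under "requested permissions:" in dumpsys
# output, one per line, stripped of indentation.
requested_permissions() {
    awk '
        /^[[:space:]]*requested permissions:/ { in_block = 1; next }
        in_block && /^[[:space:]]*android\.permission\./ { sub(/^[[:space:]]+/, ""); print; next }
        in_block { in_block = 0 }
    '
}

# Emit one `appops set <pkg> <OP> ignore` line per sensitive permission.
# "ignore" is the mode the hidden App Ops screen used: the app receives empty
# data instead of a SecurityException, so it keeps running (assumed mode name).
appops_restrictions() {
    pkg="$1"
    requested_permissions | while read -r perm; do
        op=$(appop_for_permission "$perm") || continue
        echo "appops set $pkg $op ignore"
    done
}

# Constructed dumpsys excerpt for a hypothetical ad-supported flashlight app.
SAMPLE_DUMPSYS='Package [com.example.flashlight]:
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_CONTACTS
    android.permission.ACCESS_FINE_LOCATION
    android.permission.FLASHLIGHT
  install permissions:
    android.permission.INTERNET: granted=true'

# Usage on a connected device (review the emitted lines before piping them in):
#   adb shell dumpsys package com.example.flashlight \
#     | appops_restrictions com.example.flashlight | adb shell
printf '%s\n' "$SAMPLE_DUMPSYS" | appops_restrictions com.example.flashlight
```

The script only prints the restriction commands; piping them into `adb shell` applies them, and `adb shell appops get <pkg>` shows what is currently in effect. Permissions that have no App Ops counterpart in the map (INTERNET, FLASHLIGHT) are skipped, which is the honest answer for a practitioner: App Ops never covered everything an app could ask for.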
Google says this was not supposed to be a user-facing feature, but was always supposed to be an internal feature for Google’s Android developers to use. Other people have also spoken up, saying that we haven’t really lost anything because App Ops was never an actual user feature.
But we have lost something. It seemed like Google was moving towards giving Android users more control over their own private data, but we’re now moving in reverse and taking away control even from Android geeks.
We Can’t Just Say Users Are Responsible
Some people think this entire problem boils down to user responsibility. Users have a choice when installing an app whether they want to install it or not. If they choose to install it, they shouldn’t be surprised if their entire contact list is uploaded to a server somewhere, if their movements are tracked by advertisers, if the app uses their microphone to eavesdrop on them, or if the app runs in the background and sends premium-rate SMS messages (thankfully, Android 4.2 and later warn the user before an app sends a premium-rate message, so that last one is no longer silent).
This isn’t acceptable. Android isn’t just used by geeks, it’s used by many “normal” people around the world. In fact, it’s the most popular smartphone operating system worldwide. Google has an obligation to design Android in a way that puts smartphone users in control of their devices. The devices belong to smartphone owners, not app developers.
We should design technology to be usable by everyone, not just geeks. Android doesn’t make it possible for users to make real decisions about permissions. If so many people’s data is being harvested against their wishes, that’s a problem Google’s Android developers need to fix. It’s not the user’s fault.
This isn’t all theoretical. An Android flashlight app was recently the subject of a US regulator’s action for deceiving users about how it collected and shared their GPS location data, while a variety of apps have been found uploading entire address books in the background. Users need control; the situation is getting out of hand.
The Real Solution
So what would an actual solution to this problem look like? Well, just look at Apple’s iOS. There was a time when the iPhone and iPad relied entirely on Apple’s app reviewers to make decisions, and every app had the maximum access it could have on your device. In that world, Android’s app permission model was far superior to Apple’s. At least you could see what an app would be able to access and make an informed decision about whether to install it!
But Apple hasn’t stood still. In response to criticism, Apple’s iOS now has an app permission system. If an app wants to access something private like your contacts, GPS location, microphone, or other data, the app has to prompt you before accessing it for the first time. This decision makes sense in context, when using the application. A user can choose whether to allow the permission or deny it. You might install an app on your device and refuse to allow it access to anything, but continue using the app. You might install an app and give it access to your GPS location but not your contacts. This is all up to you — you, not the app developer, are in control of your own device and data.
Android has stood still, and still offers no decision beyond whether to install the app or not. Apple’s iOS now beats Android when it comes to app permissions in the real world, offering control that normal users can actually exercise.
Android should allow normal users to make real decisions like iOS does. It shouldn’t present you with a list of 19 permissions when installing an app and then give the app free run of your entire device.
The vast majority of apps seemed to work fine when restricted by App Ops. If there are some minor teething pains for app developers, so be it. Windows app developers had to struggle when Microsoft introduced UAC years ago, but it ultimately made Windows more secure.
Does Google Even Care?
It’s one thing to suggest that App Ops is overkill for typical users, as it probably is. If Google had said they were planning on introducing a simpler interface that would allow typical users to control access to things they care about — contacts, location, microphone, and whatever else — we (and privacy advocates like the EFF) wouldn’t be so critical.
But Google is saying the feature was only intended for developers and is removing it entirely. Yet, Google leaves an entire Developer Options menu with developer-only features accessible to everyone in Android. Why the contradiction?
Google seems to think that giving app developers access to everything they ask for is more important than giving users control. As an advertising-supported company, perhaps Google is just siding with advertisers against users. Perhaps Google honestly believes that your contacts, GPS location information, and other data isn’t necessarily private, but should be available to all advertisers who want it.
After all, if they believed this data belonged to users, they’d give users more control.
Google should restore access to App Ops and make it usable for average users. It’s the right thing to do. The EFF agrees.
Image Credit: Robert Nelson on Flickr