Permission Requests are the main reason why I cancel app installations on Android
I like Android apps a lot, and I enjoy the discovery as much as I enjoy discovering new desktop software.
I do skip the installation of Android apps that I discover fairly often though, probably 50% or even more than that.
The sole reason why I'm canceling the installation dialog after hitting the install button on Google Play is if an application requests permissions that I think it does not require for functionality.
For instance, I stumbled upon Music Radio recently which plays songs that you enter using Internet Radio. I like the concept but when I noticed that it requires SMS permissions, I canceled the installation process immediately.
I cannot come up with a single reason why an Internet Radio application would require access to the SMS system on the device.
There may be an explanation for that but it is not listed on the Google Play page of the app, and since I cannot think of a reason, I canceled the installation.
Obviously, if I would install a messaging applications that supports SMS, that permission would make sense and I would not have issues installing it based on that.
If you look at Android's permission groups, you may find permissions listed there that you consider critical while you may not have issues with others. I do think that most permissions can be critical in one way or the other though, especially if they are requested by an app or game that should not need those for its functionality
Whenever I click the install button on Google Play, I go through all permissions that an app requests to determine whether it makes sense that it requests those.
Here are some examples of apps and games that I did not install because of the permissions they requested:
- Flow Home, an Android launcher: Requested Identity, Contacts and Location.
- Iconic Quiz, a quiz game: Requested device & app history, identity and device ID & call information.
- Lumi, a news app: Requested Device & app history, identity, contacts, and Device ID & call information.
- Retrica, an Instagram like app: Requested Device & Call informatino
- Solid Explorer File Manager: Requested Identity and Device ID & call information.
There may be explanations for some or even all of the requested permissions but since they were not listed on the apps' page on Google Play, I could not verify those.
I have my reasons for doing so. The first is that I want to avoid privacy-invading applications. I don't want my contacts lists, call history or messages to leak to some obscure database on the Internet.
While leaking is bad enough, there is also the chance that applications abuse the permissions for malicious activities.
I'm not saying that this is the case for the applications and games listed above but I prefer to play it safe.
What about you? Do you check permissions before you install apps?
The infamous permissions on Android are the reason why in 2013 I chose to sell Note 2 and stay on iPhone, which enables you to grant or deny single permissions to apps (as opposed to “take it or leave it” on default Androids). And the situation is even worse with Windows Phone (I hear Windows 10 will finally remedy this to enable granular permissions).
I’m not particularly fond of anyone of these three (I still think Nokia N900 was *the* best smartphone ever), but for now I’m still sticking with iPhone, although this might change in the future. Android gets better after rooting, when you can enable more permission control with AppOps (not all versions) or XPrivacy or similar.
I dislike Android’s permission system, and even more so after Google introduced permission groups.
Oh dear …. if you are concerned with privacy, staying with the iphone is no better than android!
On IOS, you have to manage permissions on an app level in three places: the app itself, the privacy permissions category, the notifications category, and background app refresh category.
And like Android, turning certain permissions ‘off’ can cause an app to stop functioning, even when as Martin has noted, the permission is not logically required for the app in question.
Frankly, both IOS and Android are terrible in assisting users with protecting their privacy. I have one rule I use: whatever information is on my smart phone is open for others to see and use, with or without my knowledge.
Rick, it makes sense to assume that everything is accessible, but how do you handle private phone numbers and emails then for instance?
Emails … easy … I don’t have my regular email accounts on the phone. If a client sends an email to one of my ‘fun’ accounts by accident, it won’t come through as I have a redirect at the server level so the phone never gets it.
I have written a small Android app to notify me if an email is received in one of my business email accounts, and then use a laptop/pc to access. A bit of an annoyance to be sure, but one that I’ll live with right now rather than having the content of my email sent to lord knows who (or keywords indexed etc). By writing my own app, I know exactly what is sent out from my phone, and all content is encrypted from cradle to grave, so even if an app were to intercept the login info, it would be useless to them.
Phone numbers … handled by two phone numbers. Everyone can call one number and I have call forwarding enabled to direct the call to either my smart phone or my ‘dumb’ phone, depending on who is calling. So basically, I have circumvented the smart phone calling features for sake of privacy/confidentiality when needed.
Utterly impractical solution for the “average” user.
Rick, to your utter dismay one day you will find out that after all that no one was following you and no one was interested in your data. What a disappointment it will be.
Cheers
Mark
solution:
UU AppPurifier Free
Without ROOT, make your Android phone as smooth, safe and battery-saving as iPhone!
Get UU AppPurifier for FREE http://www.uusafe.com/
UU AppPurifier makes your phone accelerated and privacy-protected. Thanks to it, your device will run as smoothly and lastingly as it did first day, no matter how many apps installed.
You can turn off autorun and background services to boost your phone; allow or deny the permission to access your sensitive data to protect your privacy. All these can be done by “Purifyâ€, making your device faster, smoother, and much more productive!
Highlights:
★ NO ROOT needed
★ Boost your phone and save battery
★ Protect your privacy
★ No ads and all FREE
★ Available from Android 4.0 to 5.1
Absolutely no info on privacy policy and not available on Google Play? Hmmm….like diving from a 10m platform without knowing how deep the water is :)
Pass.
I smell spam.
Should be called http://www.unsafe.com/ lol ;)
@mau: your information page is far too sketchy and devoid of information to take seriously for even a moment. You need to flesh it out considerably.
Riiight…nice plug
XPrivacy.
Problem solved.
XPrivacy does seem to be the best tool, currently.
(but it doesn’t support Android Lollipop?)
If anyone knows of a better solution, I’d sure like to learn about it.
code (also screenshots and FAQ):
https://github.com/M66B/XPrivacy
support discussion thread:
http://forum.xda-developers.com/xposed/modules/xprivacy-ultimate-android-privacy-app-t2320783
bugs / issues:
https://github.com/M66B/XPrivacy/issues
“XPrivacy can prevent applications from leaking privacy sensitive data. XPrivacy can restrict the categories of data an application can access. This is done by feeding an application with no or fake data. There are several data categories which can be restricted, for example contacts or location. For example, if you restrict access to contacts for an application, this will result in sending an empty contact list to the application. Similarly, restricting an application’s access to your location will result in a fake location being sent to the application. ———— XPrivacy doesn’t revoke or block permissions from an application, so most applications will continue to work as before and won’t force close (crash).”
5,000+ user reviews (4.3 average rating):
https://play.google.com/store/apps/details?id=biz.bokhorst.xprivacy.installer
pro version $5.85
https://play.google.com/store/apps/details?id=biz.bokhorst.xprivacy.license
(only 147 user reviews for pro version; rating ave. 4.7)
“pro license is required to access the crowd sourced restrictions: https://crowd.xprivacy.eu/ “
They say it is easy to use. I’ll bet that after I spend the day figuring out how it works and what it does I’ll agree. :-)
I am going to spend the time, though. I’ve wanted a comprehensive solution to this problem for a long time. I particularly like the fact that they have a repository of crowd contributed permission configurations for about every app (if I can figure out how to use it.)
Android’s ‘all or nothing’ permission system is beyond ridiculous, especially considering the insane levels of permissions some apps require, that have no business asking for them.
As namesib says, XPrivacy, it’s a module for the XPosed Framework (only in Alpha for Android 5 though, which is why I’m still sticking with 4.4 for the moment). It allows you to block or spoof any permissions and the data they request. Slightly tedious the first time you run an app, as it pops up to ask on each permssion, but after that it runs silently in the background.
Also, and slightly simpler, if you’re rooted, AppOps launcher enables the permissions page that was briefly in a previous version of Android. Again, might not work on Lollipop though.
And finally, a firewall, but that only works if the app requires no internet access, other than for ads and tracking.
Unfortunately we are at a place when it’s too late.
My point is when you are ‘participating in the game’ then your expectations should be lowered. I try to choose apps based on reputation or may be my absolute needs. Then not worry too much after they are installed.
Try mobiwol no root firewall.
Set app permissions as
wi-fi and/or data, turn off background. Been using it for about 2 yeas now.
you can get it on google play and here is its website
http://www.mobiwol.com/
Whoever develops a site that filters Google Play by permissions would make money through advertising to all the traffic. Just got to patent it first or Google will copy and kill it.
I’m a late visitor to Android. Managed for years with a Windows desktop, got a Windows/Ubuntu laptop when space became a problem. Finally got a cheap tablet (Hudl2) when mobility and typing became a serious problem. I love the touch tablet concept – but I hate Android. To the point where I almost regret every bad thing I said about Windows (and that was a lot.)
As far as I’m concerned, Android is designed with user priorities right at the bottom of a very long and very commercial list. Quite apart from the massive unremovable crapware that seems to be on every machine, I think it’s just plain dangerous. I know other tablet OS’s are available, but not for those on moderate incomes. Why the hell can’t we buy cheap Linux tablets?
And this is exactly why I do not use Android devices.
So Vrai, which devices do you use than? Apple? I agree it’s much better. They just send all your traffic through Apple servers first.
There are no devices that don’t do some kind of privacy or tracking, just as there’s no software that doesn’t either – such a device would prove to be useless in the long run. I hate to say it, but… “the price you pay” to participate in today’s highly connected world is some person, or a company, or some of both know about you and what you’re doing whether you like it or not.
Thinking you can still be safe and have total privacy to near-complete percentages is simply deslusional.
I do the same. I do check the permission when I install apps on my android smartphone.
And google recently did a very bad thing with the play store. Now internet access by an app is ‘common’ thing. When you install an app you will never know which permission it wants. You need to scroll down the app info page, and tap on ‘Permission details’ to know about all the permission it wants. Here look at the screenshots:
When you ‘normally’ install an app you will see this : http://postimg.org/image/6ukiurcsf/
You will think the app just needs camera access. But when you scroll down and tap on ‘permission details’ you will find some disturbing permission : http://postimg.org/image/la08a4fqh/
And check the reviews of the app. Its the highest rated app peoples say “Its the best flashlight app, and it only needs camera access.” They don’t know that it has access to more things like internet access. Don’t know why people are so dump.
Google made it hard to know the permission (in play store) unless you scroll down to end. Not suprising since they are advertising company and all the contacts, sms, call data in their cloud.
And my rant ends here and my bad english too. But I hope you will understand it and will be cautious before installing an app.
“Permission Requests are the main reason why I cancel app installations on Android”
Ditto.
But here’s the rub: Firefox asked for every permission under the sun and I allowed that. Ok Firefox might not *use* many of those permissions directly, but rather map them to HTML5 functionality it opens up to website authors, but therein lies the real problem: the web has a far inferior (some might say absent) permission request model.
I’m a webdev. I only use ‘smart’ phones reluctantly. They’re very inferior to any other form of computing. I hate that apps have heralded the return of closed source code. Combined with ‘social’ media, ‘smart’ phone apps are perhaps the biggest threat to the open web since IE’s proprietary APIs. However here’s the web, theoretically providing any radom website author with a gateway, or ‘vector’ for anything from mildly nefarious to immensely destructive malware sites on our phones. Sure there’s a level of user choice. We might occasionally be prompted with a “do you want to share your location” prompt. However there’s actually nothing in place (that I’m aware of) that displays all the possible functionality a website has access to, hidden away in the JavaScript (JS) that most people automatically load, and requests permission to *potentially* do so.
I’d suggest the security models for both the web and phone platforms are flawed.
On the web you can disable *all* JS functionality on a per-site basis but this leaves the user clueless as to which features of the app are dependant on JS and which, if the developer’s even bothered to provide fallbacks, isn’t. Similarly tools are available to block cookies, trackers, plugins and a variety of other functionality. But always on a basis that is generally too excessive or not comprehensive enough. Furthermore, when those tools are used, it’s usually up to the user to clumsily wade through the mess left behind to try and get some sort of effective experience from the website.
On phones, apps ask for all their permissions up front. However again, it’s not clear which functionality will actually use those permissions, when and how. There’s also no option for the user to try and run the app in a limited permission manner in order to see if perhaps that one piece of functionality they might actually want, is usable without any of the invasive permissions the developer requested. Beyond that, there’s no certainty updates to apps won’t change the way they use the permissions granted in an initial install.
The answer is very simple: a stricter permission model for the web must be developed and the upfront, per-app, phone’s lifetime permission request screen for phones should be stopped. Apps should also be prevented from running user-compromising functionality during install or onload so that like browsers, there will be at least some UI in place from which user’s can get some context for the permission request they will get.
From here, any time a website or app wants to do something that might compromise the user, permission must be asked though a richer confirm() style prompt. This need not prevent sites from loading JS automatically because the permission requests will be bound to events that request functionality. Developers will simply have to stop doing as much, if any, potentially user-compromising functions onload.They’ll have to prompt users for permission the first time functionality is requested, once per session, and once per domain for websites. To reduce the number of requests, the confirm() style prompt can be slightly richer in that it can offer an option to “trust this site/app to do anything (this time)” and perhaps “Trust this site/app to do anything forever”.
Quite simple really. JS developers are already familiar with only using functionality on an event-driven basis. Sure there’s some events that do not necessarily ever trigger user interaction, like onload. This is why browser devs need to built the prompts into the browser’s internal JS enging itself and thus it’s not left to developers to respect the need to offer their users permission requests.
Hello Martin & Everybody…
This was/is my solution: Privacy Guard, part of the system CyanogenMod already…
Totally full control of any apps, even the built-in system ones.
Hope it helps. ;-)
App Ops helps to some extent. https://play.google.com/store/apps/details?id=com.findsdk.apppermission
And strangely enough, it seems to work on LG G2 with Lollipop.
Not everyone can install cynogen…. it just supports high end flaghip phone.. ;(
You may realize that the permission itself isn’t that what you always look at, for example an app can use every permission that is available but not use any code to call xyz feature. So permission or not it’s still possible to execute most malware stuff since most of the apps need internet for sync, ads, banners, stats,… So the most problematically is only internet and SMS and nothing else, good luck blocking them,…. You simply can’t without any external firewall or you must use another free addon without internet permissions.