[Discuss] Android privacy

[tmetro+blu at gmail.com (Tom Metro)]

Shankar Viswanathan wrote:
> Edward Ned Harvey wrote:
>> The problem there is...  Everyone's going to remove internet access
>> from all the apps that use ads.  Developers don't get paid...
> 
> That's absolutely true, and that's probably the exact reason why
> Google has not implemented a finer grained permissions policy for
> Android apps.

There is some recent news on this front.

http://arstechnica.com/gadgets/2013/06/how-cyanogenmods-founder-is-giving-android-users-their-privacy-back/

  How CyanogenMod's founder is giving Android users their privacy back

  New "Incognito Mode" enables more granular privacy settings than in
  stock Android.

  Every time you install a new application on Android, the operating
  system asks you to review the permissions the app requests before it
  can install. This approach to user data is certainly precarious
  because users can't deny individual permissions to pick and choose
  what an application has access to, even if they still want to use that
  app. Incognito Mode could potentially fix this conundrum, enabling
  users to restrict their data to certain applications.

  Kondik, a lead developer with the CyanogenMod team, published a post
  on his Google Plus profile last week about Incognito Mode.

    I've added a per-application flag which is exposed via a simple API.
    This flag can be used by content providers to decide if they should
    return a full or limited dataset. In the implementation I'm working
    on, I am using the flag to provide these privacy features in the
    base system:

    -Return empty lists for contacts, calendar, browser history, and
    messages.
    -GPS will appear to always be disabled to the running application.
    -No fine-grained permissions controls as you saw in CM7. It's a
    single option available under application details.

  Incognito Mode isn't an entirely new concept. An older version of
  CyanogenMod, CM7, originally had a similar feature that allowed users
  to revoke permissions from any application. It was popular among
  users, but its initial implementation was plagued by a few issues. "If
  you just revoke a permission from an app, the Android system will just
  crash it when it tries to use a feature that requires that
  permission," Kondik wrote. "The solution to this was to create fake
  implementations of the features which are to be revoked. So if an app
  tried to query your contacts, it would get... something else."

  There is some hope that Google might look to CyanogenMod as a model
  for future versions of its Android operating system. "When it's
  complete, I do plan to upload it to the Android Open Source Project to
  see if it gets any traction," wrote Kondik


It sounds like an approach similar to what Whisper Systems was working
on. It avoids the situation Ed cited by not having an option to limit
net access. Only options to limit access to your private data stored on
the phone.

And just yesterday this news broke:

http://www.engadget.com/2013/07/26/hidden-permissions-manager-android-4-3/

  Hidden permissions manager found in Android 4.3,
  lets you set the rules

  ...what if you could grant applications access to some parts of your
  smartphone and not others? That's something Android Police have
  discovered is already baked into Android 4.3, and it's called "Apps
  Ops." The feature is hidden by default, but can easily be enabled via
  a third-party app in the Play Store, which brings it to life and
  allows you to fine tune other apps' permissions to read your contacts,
  access your location via GPS, or even read your call log.

And:
http://www.androidauthority.com/android-4-3-permission-manager-how-to-249538/

  Android 4.3 permission manager; what it is and how it works [HOWTO]

  For instance, Facebook wants to read your call logs. We have no idea
  why Facebook would want to read your call log, but it does. The idea
  behind this Permission Manager hidden in Android 4.3 is to give you
  control over what permissions apps are allowed to have. So if you
  don't want Facebook to see your call logs, you can tell it to stop.

  As Android Police reports, this hidden feature is actually accessible
  to anyone who is running Android 4.3. So if you have that lovely
  update, this is available to you right now. ... Keep in mind that the
  app will still work, it just won't be able to do those things. So if
  you, for instance, check into places over Facebook, turning off the
  location permissions will likely make that feature much more difficult
  to use.


Awesome.

  ...some permissions don't even show up until you use them in the app.
  In his example, the "Camera" and "read call log" permissions didn't
  even show up until he imported his contacts into Facebook and then
  posted something with his camera. So keep in mind if you try it out,
  you may have to fiddle with the app a little bit to get all the
  permissions to show up.


Hmmm...that sounds buggy. Though oddly no mention of apps crashing.

My Nexus 7 hasn't updated to 4.3 yet, so I haven't tried this.

I haven't read any explicit mention that network permissions are
included in the ones you can control, but the last article says you'll
"be presented by every permission that app uses with a handy on-off
switch." Implying that network connectivity should be included.

The first article notes when talking about an earlier, more granular
implementation in CM (that sounds a lot like the implementation in 4.3):

  The feature also required users to manually micromanage the
  permissions that were granted to an app. "I'm of the opinion that
  anything that requires excessive configuration is almost always a bad
  user experience and is only going to be useful to the most technical
  of users."

A good point, and it is highly likely that the Android 4.3 permission
manager will never officially be exposed by Google. It's there for
developers to test their apps to make sure they don't crash in the
absence of resources, and possibly for advanced users to tinker with.

Most likely Google will implement a far less granular "incognito mode"
as was done in the latest CM, or as mentioned here:
http://www.engadget.com/2013/05/30/google-svp-were-working-on-enhanced-privacy-features-android/


I don't get why this is enabled by a third party app (made by
Appaholics). How did they know about it? Are they part of a select group
of developers seeing pre-release versions under NDA? Did Google contract
them to build this, or did they do it on their own? Why didn't Google
create the app?


Shankar Viswanathan wrote:
> Consider
> a two-tiered permission system consisting of: 1. Required
> permissions: these are permissions that the app absolutely requires.
> This list of permissions would be very similar to the current
> permissions list: accept all or don't install the app. Connection to
> an ad server could be listed here. 2. Optional permissions: a list of
> permissions that may enhance the app functionality in certain ways,
> but is not essential. There would be a checkbox against each
> permission in this list and the user can choose to grant/deny each
> particular permission as he/she feels fit.
...
> the default for the optional permissions could
> be made "opt-out" and the majority users would blindly click "Accept"
> (no different than today) and the more discerning users could choose
> to deny certain permissions. The choice could be saved at install
> time and possibly have a method to change the choices later.

It's sounding like that's pretty close to what we will end up with,
except the checkboxes won't be readily exposed to all from the Play app
dialogs.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/