Friday, July 26, 2013

Android 4.3 refined app permissions

The key points in discussions of app security on iOS vs. Android (e.g. on Tech News Today, All About Android, and others) have always been these:
  • on iOS, you as a user don't know anything (because you don't have to... Apple cares, so you don't have to)
  • on Android, you know the permissions of the app and accept them (during installation), but still can't do anything about them (except for not installing, or rooting in some cases)
I always wondered why the app manager or security manager did not let you change those permissions after installation as well.

It works like this: in order to do something privileged like placing a call, reading contacts, accessing the internet, ... anything outside the "sandbox" of the app, the app has to declare this in the manifest that comes with the app. If it is not declared, it is not granted, and the activity (e.g. reading contacts) will fail.

Now, with Android 4.3, it seems there is a tool to change those permissions during the life cycle of the app - see screenshot.
See also here on Android Police or here on TechCrunch.

This is really great: you can now, e.g., enable location access / GPS for the one or two times you really want an app to have it, but revoke it afterwards...

One caveat, though: I'm afraid that most app developers are lazy and rely on the old model. They assume that the app will have the permission(s) simply because it asked for them during installation, so they will not catch the fact/error that the permission has been revoked, and the app will simply crash.
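
The caveat above in code, as an added example that is not from the original post or from any real app: a hypothetical `SafeContacts` helper that reads contacts without relying on the install-time grant still being in effect. It assumes a revoked permission shows up as a `SecurityException`, a null cursor, or an empty result; the post does not say which of these a given Android build produces.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.provider.ContactsContract;
import android.util.Log;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added example: hypothetical helper, not taken from any real app. */
public final class SafeContacts {
    private static final String TAG = "SafeContacts";

    private SafeContacts() {}

    /**
     * Returns contact display names, or an empty list when access is denied.
     * READ_CONTACTS must still be declared in the app's manifest.
     */
    public static List<String> readDisplayNames(Context context) {
        ContentResolver resolver = context.getContentResolver();
        String[] projection = { ContactsContract.Contacts.DISPLAY_NAME };
        Cursor cursor = null;
        try {
            cursor = resolver.query(ContactsContract.Contacts.CONTENT_URI,
                    projection, null, null, null);
            if (cursor == null) {
                // No cursor at all: treat it like a denial instead of dereferencing null.
                return Collections.emptyList();
            }
            List<String> names = new ArrayList<String>();
            int col = cursor.getColumnIndexOrThrow(ContactsContract.Contacts.DISPLAY_NAME);
            while (cursor.moveToNext()) {
                String name = cursor.getString(col);
                if (name != null) names.add(name);
            }
            return names; // may be empty: callers must not assume at least one contact
        } catch (SecurityException e) {
            // Permission missing or withdrawn: degrade the feature instead of crashing.
            Log.w(TAG, "Contacts access denied", e);
            return Collections.emptyList();
        } finally {
            if (cursor != null) cursor.close();
        }
    }
}
```

Callers should treat an empty list as "feature unavailable" and tell the user why, rather than indexing into the result.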

Expect one or two iterations of some apps to fix this....

Still a huge improvement.
