We have half of the solution required for this - there exists a per-feature based permission model that the applications are already using.
The second half is simple but requires a change on the device side - if an application needs feature X, Y and Z, then the choices shouldn't be limited to grant access or not install the application, but there should be a third choice per each feature called "fake that access being granted".
If an app claims to need access to my SMS messages, then there are two reasonable options:
1. I want the app to read my SMS, as it does something that I want with them; so I enable that feature.
2. I don't want the app to read my SMS for whatever arbitrary reason that doesn't matter and doesn't need to be justified to anyone. If the app cooperates with the refusal, then it stops at that, but if the app wants to read my SMS against my will (and, say, tests this ability to enable some unrelated feature) then that's hostile behavior and all of my hardware and software should assist me in thwarting that hostile behavior - e.g. by simulating fake data to the app, by falsely claiming to have sent SMS / made a call, etc.
The other options (including the current scenario where my device cooperates with the app developer against me) aren't reasonable and should be eliminated.
One of the reasons behind this is location, where there are a class of apps which could conceivably rely on you not being able to lie about it. (The existing mock location facilities explicitly notify apps they are mock for this reason).
However, the use of this feature for it in practice is . . . non-existent.
Google also famously went crazy when Motorola almost used Skyhook as network location provider for the Droid, on the basis that such information feeding back into their systems might be inaccurate and thus pollute their data collection activities. (They use Android devices as modern proxies for the WiFi slurping the streetmap cars used to do). As such Google have absolutely no incentive to resolve this problem as they are reliant on you not lying to them about where you are.
What's fun is J2ME got this right. Apps couldn't just assume they had permission for certain tasks, and users would be asked when the app wanted to do something. If the user refused you'd get an exception, but you were expected to handle it gracefully. It really wasn't that big of a problem, except for the user experience of the prompts some manufacturers chose to implement being fairly horrible.
Android could shift to revocable "a la carte" permissions just easily, and could ease the transition by granting sets of permissions for old apps, but substituting, for example, an empty Contacts database for the real one if the user opts out of that permission.
Google couldn't even argue that getting fake data is harmful, as long as the data is forthrightly null or unavailable. Location apps have to deal with the lack of location data. Apps that access SMS have to deal with devices that don't get SMS messages.
I hope alternative Android distributions mature to the point that some OEMs will choose to provide more-private "remixes" of Android based on these distributions and on ecosystem partners like DDG.
>where there are a class of apps which could conceivably rely on you not being able to lie about it.
I don't think having 'mock' data is the right approach, but as you mentioned below, it's enough that the relevant API simply throw a security exception and let the app handle it gracefully.
>If the user refused you'd get an exception, but you were expected to handle it gracefully.
And that's absolutely the right approach.
>It really wasn't that big of a problem, except for the user experience of the prompts some manufacturers chose to implement being fairly horrible.
That should be handled by the OS, which would completely negate this issue.
Exceptions are not a solution - instead of the OS request "grant permission X to install the app" you get an app request "grant permission X to run the app".
This is the exact scenario that needs to be avoided - if the app developer wants something that I don't want to give, then you can't rely on cooperation from the app.
The whole point is that if a flaslight app wants to read my SMS, then I shouldn't have to choose between using that app and keeping my privacy; the OS is perfectly capable of keeping that app in an ignorant bliss thinking that it read my SMS and can turn on the light.
I got so frustrated with flashlight apps asking for Internet access to show ads and getting stuck when there is no Internet (typically the same time when I need a flashlight) that I wrote one and made it completely permission free:
I'll also note the TeslaLED app as another good one - it requires camera permissions to control the LED, plus screen drawing and sleep control - I suspect around the minimum that would be needed for a flashlight app.
This is what I've always used. LampA doesn't work on my Galaxy Nexus. I was hoping it would start up quicker because my biggest peeve with Tesla is that it takes time not only to open the app but there is a hundreds of ms delay in turning on the LED. I assume the complexities causing this are also what prevent LampA from working.
hey, this looks great, but it's not actually working on either on either of my nexus 5s, is that a known issue? There's no crash or anything, the flashlight just doesn't actually turn on.
because using system flashlight app is too edgy, huh? Why you need extra app for thing you have just build in Android ? Check your widgets for "Assistive light". Problem solved.
I'm in the "let them fake it" camp, but at the same time I think the exception throwing version could work, with a single tweak borrowed from iOS: Let the app ask for the permission once, and only once. That way repeatedly bugging the user for the permission won't work as a strategy.
The original article gives flashlight apps as an example - all of the top 10 flashlight apps had such features; so "downrating the app and moving on" wouldn't be productive at least the first 10 times.
A feature that could disable certain permissions for a single app was briefly introduced in an earlier version of 4.3.x, but was removed again shortly thereafter. Apparantly, most apps were written to expect permissions to be granted and crashed pretty hard if they didn't get their way.
It is available for rooted phones running Stock Android through the Xposed framework. There it is called "AppOpsXposed".
I can understand that disabling permissions the app expects will fail, but faking the service the app expects permission for sounds like something that should work, and would be very valuable.
Yes, definitely. XPrivacy can fake data, so that works even better than AppOps, but is harder to set up.
I also miss the possibility to give slightly fuzzed/offset values for certain things, like GPS granularity (Do you need to know my exact location, or just my country?) There's however an eternal struggle between the API devs wanting to make the permission system simpler, and the APP devs wanting it smarter and more refined.
> "as CM and google got more in bed that feature vanished for a while."
Is there any evidence for that? My impression (from following blogs, G+, Gerrit, etc) was that CM simply couldn't keep up with adapting their features to new Android versions for a while, and the only reason the CM11 branch is reasonably stable is because KitKat has been out a full year.
If the app is not willing to function when being denied SMS access it should simply not be allowed on the app store. I have yet to meet an app on my iPhone that shuts down unrelated function because I denied it access to my calendar, SMS or phonebook.
I think "fake it" is a fabulous option, but I'd like a "tell the app it's denied" option as well. The latter would let honest developers provide a better experience. Also maybe an "ask me each time" option.
The problem with faking the data is that users are likely to pick that option, forget that they did and then when the app fails in some way they will give it a 1* review.
I would rather have fields where the app developer can justify why they need each permission.
The current problem cases are those where either the app developer can't justify it (flashlight app example in the original article) or is ready to write up actively misleading justifications (purpose-created apps with malware).
Your proposal would help only in combination where after seeing the justification, users can still choose to fake the data anyway. And if the justification isn't obviously acceptable, then a 1* review is a feature, not a problem.
Wouldn't the justification in the case of the flashlight be that they need to mine the data to keep the app free, which would at least be honest. Though gutting misleading apps from the store would be difficult.
I'm concerned more with the problems an app with a legitimate use for the data might have when the user tries a certain feature and it doesn't work properly or worse causes a problem by doing some important operation with the junk data.
If the app doesn't have my consent to have the data, then any attempted use of this data is illegitimate. If I don't want a flashlight app to view my private data, then they don't have my consent no matter what bits the phone and OS sends the app.
That's the key point of system ownership - if the developer of the program wants it to do A, but the owner of the system wants their phone to do B, then doing A is a bug that needs to be worked around. Even if it was explicitly designed and implemented that way, from the viewpoint of the user this is an anti-feature; and the current system architecture that favors the will of the app developer over the will of the user is certainly feasible, but it explicitly means giving up control over the system. And that, IMHO, needs to be fixed.
It's similar to opt-out permissions for email marketing - if some company managed to get "permission" without meaningful consent, it doesn't give any permission and their actions are still immoral and, in some places, illegal. Or click-wrap agreements "signing away" basic consumer rights that (in some places) can't be signed away - again, formal "permission" doesn't imply real permission.
The issue is that an unsophisticated user is unlikely to understand the relationship between permissions required and functionality that can be provided, let alone recalling which permissions they gave to which applications months later. Leading to confusion about why an app doesn't work. The worst part is that junk data will cause the app to fail silently and misbehave in unexpected ways.
The business model now is that despite buying a device outright, you never really "own", it, it is always controlled by the vendor. It started with DVD players that you might have physically owned, but would refuse to e.g. skip over the ads on a DVD. This is just the next level. Your hardware and your OS are NOT on your side, haven't been for years.
The second half is simple but requires a change on the device side - if an application needs feature X, Y and Z, then the choices shouldn't be limited to grant access or not install the application, but there should be a third choice per each feature called "fake that access being granted".
If an app claims to need access to my SMS messages, then there are two reasonable options:
1. I want the app to read my SMS, as it does something that I want with them; so I enable that feature.
2. I don't want the app to read my SMS for whatever arbitrary reason that doesn't matter and doesn't need to be justified to anyone. If the app cooperates with the refusal, then it stops at that, but if the app wants to read my SMS against my will (and, say, tests this ability to enable some unrelated feature) then that's hostile behavior and all of my hardware and software should assist me in thwarting that hostile behavior - e.g. by simulating fake data to the app, by falsely claiming to have sent SMS / made a call, etc.
The other options (including the current scenario where my device cooperates with the app developer against me) aren't reasonable and should be eliminated.