This is part two in a two-part series about how permissions work. You can read the first, here.
So what do we can expect when we look at the permissions tab before downloading an app?
Every ad-supported app needs to know at least if you have access to the Internet and be able to reach there to fetch the ads. They usually ask also for your location, so announcers (Google’s AdMob is the most familiar) can enclose you in an area and therefore, offer you relevant ads. The more the ad fits you, the more chances are that you tap on it.
In fact, nearly all permissions are a logical need. Imagine an app that is an alarm clock. It’s reasonable that it needs to disable your keyguard. Otherwise, you’d have to unlock your phone before stopping the alarm. It’d also need to overwrite your settings to set the alarm and trigger the vibration, because that’s what alarms do. However, if that same app asked for your contact data, shouldn’t we ask why it demands that? A quick comparison with any other similar app will reveal that, unless otherwise specified, there’s no need for an alarm clock to know who your contacts are.
What about games? A game usually ask for your phone state so when a call is incoming, it can pause itself and let you attend the call. It would also need to know your network state, your phone data and have access to the Internet because this kind of stuff is what ad-companies ask for. It could also want to know where you are in order to improve the ad quality. Unless you wanted to lose your progress, game data has to be saved somewhere, usually in your SDcard. In addition, games usually ask for ‘wake lock’ permission to not turning your screen off in the middle of a game.
These were easy examples. Now imagine a standard ad-supported app to create ringtones. First, it’ll ask for the advertising triad of permissions. Moreover, that app will ask your permission for reading and writing your contact data so you can assign the new ringtone to whoever you choose; write over your settings to make those changes permanent and be able to overwrite your SD card to save your new ringtone anywhere. In addition, an app trending towards crashing will also ask to read the device log so it can send crash reports. Altogether, you can count eight permissions for a simple ringtone editor and, if you haven’t noticed, the right to copy all your contacts, send them God knows where before delete them all, along with all your SDcard content.
What ought we to do then? Should we disown Android and return to our dumbphones just because any apparently harmless app can hide a potential serial data killer? No, we shouldn’t. That was the worst-case scenario. Beyond the trusted big companies that develop wonderful apps that no one would ever question, a vast majority of Android developers are loyal and faithful to their users, and Google has always paid attention to malware and looks after its child and takes care of it, but we also have to do our part: be aware and don’t take unnecessary risks.
In a nutshell, the Androidverse is, in all honesty, fantastic in all respects. If we had to plead for something, it would be transparency. Google has to safeguard a balance between open-source and security, being the key to encouraging developers to explain what are they asking for and why. As far as we are concerned, we’ve translated the permissions tab for each app so they are understandable to everyone (an example, here)
Have a nice weekend and happy AndroidZoom safe discovery!