Cyanogenmod Puts Users in Control of Permissions

An anonymous reader writes "Cyanogenmod is soon to have a better permissions systems, allowing its users to deny certain permissions to the applications they install. Users are warned that enabling this feature on the nightly build may cause applications to crash or 'force close', but a new dialog allows them to easily return the permissions to stock if they wish. Hopefully Google implements a system similar to this very soon." This is the biggest feature I've missed from Symbian — it never made sense to me why the permissions system didn't put the user in control from the first release.

Not gonna happen in stock Android

[Anonymous Coward]

This feature will never come to stock Android. Google makes their money from Android by delivering ads, which is what pays for all those free apps. If I could download a free app and block it's ability to connect to the internet, I instantly block the ads. You can like it or hate it, but the fact is this ability would cripple the entire current Android ecosystem.

Re:

[SharpFang]

There is still option of Google separating "obtain targetted display ads" permission from "Full network control"+"Phone location". Making the "ads" permission unblockable.

I really am not happy that an app which does require access to my local filesystem can simultaneously send its entire content to a remote server and let the author track my location - when all I consent for is to display ads relevant to my city.

Re:

[mounthood]

There is still option of Google separating "obtain targetted display ads" permission from "Full network control"+"Phone location". Making the "ads" permission unblockable.

Or let people block the "Ads" permission, and the apps can react however's appropriate.

Re:Not gonna happen in stock Android

[PReDiToR]

You mean like installing Droidwall [appbrain.com] does?

It's in the market and on XDA-Devs.

If you root you can use AdFree [appbrain.com] too.

Oops

[PReDiToR]

Yeah, my bad.

Droidwall requires root too.

In case people are filtering ACs.

Re:

[c.r.o.c.o]

Ad free is stealing from developers... If I met the people who wrote ad free, I'd probably beat them down with baseball bats.

Adfree actually does not work on my HTC Desire because it's not S-OFF. But I found a very nice workaround. I created a signed package with a custom hosts file (taken from Adfree sources) that I flash after every Cyanogen update.

It creates an extra step when flashing, but the bonus is that it works every single time, and there's NOTHING any application can do to circumvent it because

Re:

[poetmatt]

That's not crippling the android ecosystem, that's a benefit and adds value to the system as a whole. All these developers who act like they magically never existed before they made ad-supported apps can shove it and go back to the reality of : ads were never welcome, and developers can live without ad revenue.

Re:

[s73v3r]

That will only happen if you accept that most of the currently free apps will then go to being paid apps. Ads were seen as a compromise between helping the developer generate revenue so they could eat, and having to pay for apps. Removing that ability means that we're gonna go back to horribly crippled free versions, and expensive paid for versions.

Re:

[poetmatt]

we still have horribly crippled free versions. have you looked at what apps are today? It's not just "we made the free version the same as the paid cept you have ads".

When did you think that wouldn't happen? Do you think developers are actually altruistic or something?

Re:

[Eil]

This feature will never come to stock Android. Google makes their money from Android by delivering ads, which is what pays for all those free apps. If I could download a free app and block it's ability to connect to the internet, I instantly block the ads. You can like it or hate it, but the fact is this ability would cripple the entire current Android ecosystem.

I would almost believe your story, if it weren't for the fact that over the last 10 years or so I've been running a full-fledged desktop PC with th

Re:

[drb226]

But if the app depends on the 'net for it's functionality then the user won't block its internet access. Yay, DLC?

Re:

[mrchaotica]

I'm an ecologist, you insensitive clod!

Context: Android

[Chris Pimlott]

I had no idea what this was about until I read the tags. Context please, editors! Thanks, taggers.

Re:

[Azmodan]

There is also a "little green robot" next to the news to indicate that this is an Android related story. Hovering it says "Android".

Re:

[mdm-adph]

Yes, but there was no icon to indicate that this was a "story." Without the tags, most users would probably have been cast adrift.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Facebook Apps

[wisnoskij]

They need this feature for Facebook Apps.

Re:

[drb226]

No one tech-savvy enough to use such a feature even uses Facebook Apps anymore.

Awesome!

[Daetrin]

That would seriously tempt me to try out Cyanogen if Google doesn't implement something like it in the near future, even though i've already got an unlocked Nexus. There are a number of otherwise great apps that i haven't updated in months because they decided to add Facebook integration, so "of course" they need access to my account details now. Sorry, not gonna happen.

Re:

[jittles]

I switched to Cyanogenmod for Gingerbread and I haven't looked back since. I love it. I am thrilled about this feature and am now downloading the nightly as we speak! I am very excited.

Re:

[Lunix Nutcase]

And when you block that the app is just going to crash. Have fun when most of those apps no longer work.

Re:

[icebraining]

most

Citation needed.

Sure, some will; for those the user has the option of running them with the default permissions or uninstalling. Whether they're "most" or just a small number remains to be seen.

Re:

[h4rr4r]

Depends on what you block. If you block network, how does the app know that you just don't have a network connection right now?

I use my phone without data when I go to Canada. No way am I paying verizon $30 for 75MB.

Re:

[gtbritishskull]

Blocking an app's ability to use Facebook integration would probably behave in one of two ways. Either it would act as if you are not signed into a Facebook account on your phone, or that you don't have the Facebook app installed. If either of these cause an app that didn't previously have Facebook integration to crash, then you are talking about some pretty shitty coders.

Symbian went too far

[pmontra]

Foreword: I've got an old Nokia N70 so things might have changed a lot in Symbian.

A very annoying feature of its permission management system is that it is too fine grained and it doesn't remember user decisions across different executions of the same app. It asks me allow/deny every time I open a file or folder (imagine traversing a 4 folders hierarchy, the SD card counts as one) and that's bad enough. Forgetting my answers when I close the app is even worse. Sometimes I leave the phone on in airplane mode at night not to have to go through all those dialogs.

Android seems to have taken the opposite road. Maybe this mod implements a better middle ground.

Re:

[CharlyFoxtrot]

Sometimes I leave the phone on in airplane mode at night not to have to go through all those dialogs.

You are coming to a sad realization. [C]ancel or [A]llow [youtube.com] ?

Re:

[icebraining]

The same happens with my oldish E65. Having to allow Opera Mini to access the 'net every time I run it is definitively annoying.

Dancing Bunny / Dancing Pigs Problem

[tlhIngan]

Sure this is a great addition... for power users who are infallible.

But for Joe Average and power users who fall prey to it (who doesn't?), it doesn't address the primary issue - called the Dancing Bunnies [codinghorror.com] or Dancing Pigs [wikipedia.org] problem. And it's a problem with every OS today - Linux, Windows MacOS X, Android, iOS, and others.

A user will run through many hoops to get what they want. They'll root, jailbreak, install alternative app stores, etc just to save 99 cents for an app. Even if they have to do seemingly complex tasks like install an SSH server, run SSH, type command line commands, etc. It can be amazing how much technical skill the untalented suddenly have.

And the problem is, these are the people that get pwned. Jailbroken iPhones with default SSH passwords. Android phones with botnets installed (courtesy alternate marketplaces), Windows/OS X trojans running botnets, etc. Heck, even Bender skipped his antivirus check for pr0n.

And it's a really difficult problem to solve. Even if these options were global and set reasonably, you can anticipate some app telling you it works better if you do these things to let it get the permissions it wants.

Hell, see the latest Facebook spamming trends [msdn.com], where people are doing things like copying-and-pasting URLs or godawful long javascript blobs. We're at the point where really, the Honor System virus does exist.

Re:

[bemymonkey]

Waaaat?

I think you've misunderstood - this feature does not allow you to enable permissions that were previously unavailable for apps - it only allows you to DISABLE permissions that you feel are unneeded by the app. There is no possibility for the user to self-pwn himself, only to protect himself...

I'm thinking the issue may be what they listed...

[rrossman2]

If google were to implement this, how many apps *would* break because of an error on the permissions?

Maybe I'm off base on this, but if I am please correct me... It's like if Linux didn't have file system permissions the way it does now.. let's say you could write anywhere without any restrictions, and then suddenly there's an update that locked down the file system with permissions the way they are currently. Since the existing applications would try to write to where ever they would normally write, they'd

Re:

[Zebedeu]

I have an app on the market. Usually I have no problems supporting users on custom roms, since my app uses the standard Android libs wherever possible.

However, a few days ago I had a user complain that a new update started crashing on his device. Upon further inspection it turned out that his Android 2.2 custom rom was declaring itself as Android 2.3, and my app was crashing when it tried to call a method which was introduced in 2.3.

This to me is what's scariest about these custom roms. They can turn into s

Re:So That's What Slashdot Is Today

[paziek]

Yea, it shows what is app asking for, but doesn't let you to choose what to actually give. Now its either all or nothing, but Cyanogenmod lets you to fine-tune permissions for app, so for example that notepad app won't be getting access to your contacts or internet anymore.

Re:

[Mushdot]

It would be nice if the control was a lot more fine grained within each access type e.g. Do you want to allow the app internet access to a specific URL (for example for high scores) and block any other internet access.

It unnerves me a little to see most apps requesting access to your contacts, internet etc without a more detailed explanation why.

Re:

[L4t3r4lu5]

I don't install apps which ask for permission to anything I don't see it requiring access to. I only install apps which require Internet Access as they are ad-supported, and that is a condition of using the app for free.

There are many apps which I have "missed out" on using because of this policy, but I'll be honest here; I don't feel like I've missed anything at all.

This fine-grained control is seriously making me consider voiding my warranty, though.

Sounds pretty airtight to me.

[exploder]

Because it would be impossible for a malicious app to access anything else through its own "high-score" URL, right?. Or maybe I'm misunderstanding what you have in mind with this?

Re:

[fuzzyfuzzyfungus]

It would be nice if the control was a lot more fine grained within each access type e.g. Do you want to allow the app internet access to a specific URL (for example for high scores) and block any other internet access.

It unnerves me a little to see most apps requesting access to your contacts, internet etc without a more detailed explanation why.

I'd like to see the possibilities go one better: Lying.

Imagine a sort of "chroot" for application data: a contained environment, controlled by the actual root environment, in which exists a set of files sufficiently complete to allow the enclosed process(es) to do their thing as though they were the rulers of all they survey; but without actually giving them that power. When creating a chroot, you can either populate it with a relatively complete clone of the real root, or a specially crafted one for a s

Re:

[c.r.o.c.o]

How could an app developer program around this fine-grained control? Even if he could make sure tha the program failed gracefully when certain permissions were changed, key functions in his app could no longer work. How could that not result in an awful user experience? His app would get awful reviews ("sh!t doesn't work!") and he would lose sales.

First, I run Cyanogen, but not one of the latest nightly builds. I may give it a try later today and report how well it works.

Sometimes there is no way to avoid b

The needle moves from F to E, but what is E?

[tepples]

because they do not know widgets need to be added to the screen, not opened from the app drawer.

There are ways to work around such cases of ID-ten-tango. In this case, create a main screen that shows the widget and a button to show an explanation of how to add it to the home screen. That way, people who want to use it as a full-screen app can, and people who want to use it as a widget can learn how to do so.

And as far as I can tell, it's exclusively to collect as much detailed data about the users so it can be resold to advertisers.

Would you rather all applications be paid and therefore inaccessible to 1. people using devices without Android Market (such as AOSP Android tablets) and 2. people outside those few countries where

Re:

[h4rr4r]

Would you rather all applications be paid and therefore inaccessible to 1. people using devices without Android Market (such as AOSP Android tablets) and 2. people outside those few countries where Android Market offers paid applications?

Holy non-sequitur Batman! Lots of free stuff does not rely on tracking you for adds. Some of it does not even have adds. Busybox does not seem to do that, nor does the linux kernel.

I don't know about Asia, but gasoline gauges are calibrated differently in cars for the Unite

Those aren't Android apps

[tepples]

Holy non-sequitur Batman! Lots of free stuff does not rely on tracking you for adds. Some of it does not even have adds. Busybox does not seem to do that, nor does the linux kernel.

But is either BusyBox or Linux primarily designed to be used as an application within the Android operating environment? There are a lot of applications that are either paid or ad-supported on all platforms where they exist. Many of these include single-player games with original scenarios, a class of application for which I haven't yet seen an effective business model that doesn't involve ads or payment. Angry Birds for Android, for example, has both paid and ad-supported versions on Amazon Appstore.

You can either check language

This w

Re:

[h4rr4r]

I do use busybox on android, is that enough for you?
Angry birds indeed does operate that way. It could also just be like angry birds RIO which the whole game is an add. Lots of options.

Looking at languages on my phone now, English(Canada), English(India), English(New Zealand), English(South Africa), English(United Kingdom), English(United States) all exist. I would assume we can safely say Australia and New Zealand are the same damn thing. Languages spoken in different countries even though they claim to be

Re:

[tepples]

I do use busybox on android, is that enough for you?

That's the kind of app that's already popular on another platform and which has very few user interface controls to rewrite for another platform. So most of the development work is a mere recompile of the application's logic along with spot-checking to make sure all functionality works as the existing manual states. Now try porting BusyBox to Windows Phone 7, which even uses a different programming language (C#) that fits its managed execution model. Or try porting BusyBox to Android without using the NDK.

Angry birds indeed does operate that way.

T

Re:

[h4rr4r]

RIO is ad-free and free. Because it is one big ad, for that movie. That seems a like one way to pay for it. Honestly I just don't care how they pay for it, not my problem. If it reduces my choices, I will just stick to SCUMMVM games.

ScummVM games are paid

[tepples]

I will just stick to SCUMMVM games.

As I understand it, most ScummVM games are paid. Without a copy of Maniac Mansion for MS-DOS or Atari ST, for example, you can't play Maniac Mansion in ScummVM. Most copies of Maniac Mansion that I see on eBay are the censored version for the NES. Maniac Mansion for NES almost works in ScummVM if you skip the cut scenes, but you'll need a front-loading NES console with a soldered-in CopyNES board to copy the cartridge to your PC.

Re:

[h4rr4r]

I have the 2 first monkey islands on floppies, then again in a lucas arts collection with dig and full throttle on CDs. I also have the third one on CD. No need to build any crazy adapters or anything.

Re:

[h4rr4r]

http://www.amazon.com/Maniac-Mansion/dp/B00066X8J8 [amazon.com]
$50 no crazy adapter needed either.

Sources of overhead in phone app development

[tepples]

I can get shitloads of free software (free, not ad-supported) on Windows, Mac or Linux, but these same kinds of applications are begging for money when people write them for phones.

With a PC, all required hardware and software are likely paid for. But with a phone, all these cost extra money:

• Buy a device on which to test. Relying on emulators for performance measurement is poor practice: in many cases, the emulator is fast where the device is slow and vice versa.
• Pay the carrier's early termination fee because you don't want another phone line and no stores in your area carry unlocked phones.
• Buy the tools to port the application to a device: an annual certificate on iOS or Windows Ph

Re:

[base3]

Right -- it's the same reason that programs that were free for DOS/Windows were $25 crippleware for (pre OS X) Macs. The toolchain was expensive and the market much smaller.

Anything cheaper than Nexus S?

[tepples]

Buy a device on which to test

Practically everybody that is going to be writing mobile applications is going to have a cell phone.

My current cell phone is an Audiovox 8610 [about.com] from Virgin Mobile USA, which doesn't run Android, and the phone you recommended (Nexus S) costs $549.99. Can you recommend anything cheaper? Virgin Mobile USA carries the Samsung Intercept and LG Optimus V; are those any good?

Re:

[c.r.o.c.o]

Would you rather all applications be paid and therefore inaccessible to 1. people using devices without Android Market (such as AOSP Android tablets) and 2. people outside those few countries where Android Market offers paid applications?

That's not what I mean and you know it. There are plenty of apps on the Market that are supported by ads alone. So they usually have very simple permission requirements. As a fictitious example, a notepad may need to write on the SD card to save files and a network connecti

Local ads

[tepples]

As a fictitious example, a notepad may need to write on the SD card to save files and a network connection to pull ads. It should NOT need to read my GPS or network location

It would need your coarse location to know which ads to show, so that it doesn't show ads for a barber shop in Fort Worth, Texas, to residents of Fort Wayne, Indiana.

1 volt is the same all over the world

Users expect some sort of translation between voltages and "full" or "empty". Case in point: I have never seen a car whose dashboard displays remaining gasoline in litres or gallons.

Re:

[TheCRAIGGERS]

Please just stop with the gasoline / car analogy. It doesn't work in this case, and you playing devil's advocate is not advancing this conversation.

A battery meter does not need to know your location in order to tell you your phone's battery level, end of story.

If you have an app that reads your car's gas gauge and needs to know what units / whatever to display in, you simply ask the damn user where they are at, or simply ask what units they wish to see the data in. There is no need to overengineer the si

I concede

[tepples]

Please just stop with the gasoline / car analogy.

I concede. However, the question remains about offering haircuts in Portland, Oregon, to users in Portland, Maine.

Re:

[c.r.o.c.o]

Be aware that the latest nightlies for certain brands and models of handsets might be buggy as hell.

For instance I have an HTC Desire BravoC and the latest nightly build of CM7+ I can run without serious problems is number 72 (May 14th), even though they're up to #85 today.

For this particular handset, #72 is truly golden :-D My battery life has easily doubled with this build.

I have the same phone as you, and you're right that the latest builds have been buggy. I just flashed build 88 to test out the new fea

Re:

[tepples]

How could an app developer program around this fine-grained control? Even if he could make sure tha the program failed gracefully when certain permissions were changed, key functions in his app could no longer work.

// This is pseudocode.
try {
doSomethingRequiringPrivileges();
} catch (SecurityException e) {
alert(appName + " cannot retrieve updated listings because the privilege to connect to the Internet was declined at install time.");
}

Re:

[h4rr4r]

So then your app never works when you have no internet access? Because the app is not going to know if it was bocked or there just is no access available. You are not going to get a security exception, just no internet access.

Display cached ads for a week

[tepples]

So then your app never works when you have no internet access?

Do you mean on a device that has never had Internet access even once? You need Internet access to download from Android Market or Amazon Appstore in the first place. Or do you mean on a device that has only intermittent Internet access? Some of these ad-supported programs have as their express purpose to interact with a service on the Internet. How well does, say, the official eBay app or the official Twitter app work without Internet access? Others, such as an e-mail client, can work offline, but the data

Re:

[h4rr4r]

Fine so then you cache adds great, but that is not what most people want to block. What they really want is to give the advertisers a fake phone number, a fake location, a contacts list that only includes Ben Dover and Harry Baals, and a sampling of SMS messages that include nothing but rude phrases about advertisers.

Ads are not the problem, the issue is the amount of information the advertisers want before they serve them.

Local service businesses

[tepples]

a fake phone number

The problem here is that the "phone state and identity" privilege is too broad. I've read [androidforums.com] that an application that plays audio needs to know that a call is coming in in order to know when to pause playback. And for those applications without a name and password, what unique user identifier do you recommend other than the device's serial number, which the same privilege appears to cover?

a contacts list that only includes Ben Dover and Harry Baals

At least Harry Baals would be correct for my region.

Ads are not the problem, the issue is the amount of information the advertisers want before they serve them.

Say a barber operates in Fort Wayne, Indiana. Haircuts can't be given o

Re:

[h4rr4r]

Sure it is pretty broad, so give them only some fake information.

The barber might sadly find himself advertising to people no where near him, that is what you get for trusting user input. If you have Internet access try using that for geolocation.

Re:

[green1]

And for those applications without a name and password, what unique user identifier do you recommend other than the device's serial number

Why on earth would I want advertisers or app makers to have ANY unique identifier on me other than one I make up and give to them for reasons of high scores or online features? Any possible legitimate use of a unique identifier would fail if you used the device serial number because it would prevent you from changing devices. The only remaining reasons for a unique identifier are underhanded tricks used to get far more information about me than I want you to have, or than you have any reason to have.

Say a barber operates in Fort Wayne, Indiana. Haircuts can't be given over mail, phone, or Internet, so the barber only wants to show his message to possible customers in the Fort Wayne area. That's why sponsors want coarse location. And an advertiser wants to know how many unique viewers saw the message and how many impressions per viewer, hence "phone state and identity".

So expl

Re:

[tepples]

Why on earth would I want advertisers or app makers to have ANY unique identifier on me other than one I make up and give to them for reasons of high scores or online features?

Because entering a password every time you want to play is more tedious on a cell phone keyboard than on a laptop keyboard. I don't know; I haven't programmed an Android application yet.

So explain why so many applications ask for fine (GPS) location to display ads?

My Android device is an Archos 43, which doesn't have a cellular radio or a GPS, so I wouldn't know.

Advertisers WANT the world, that doesn't mean we're willing to give it to them.

You can refrain from giving it to them. You can refrain from using ad-supported applications. You can refrain from using applications at all in countries that don't support payment.

I can't think of a single person or organization on the entire planet that I want to give full and free access to that information without my explicit choosing.

You explicitly choose to choose ad-supported

Re:

[green1]

Why on earth would I want advertisers or app makers to have ANY unique identifier on me other than one I make up and give to them for reasons of high scores or online features?

Because entering a password every time you want to play is more tedious on a cell phone keyboard than on a laptop keyboard.

Then remember it the first time I type it.
If you use the device id, then I can't get a new phone and still log in to the account. wrong solution.
There is NO legitimate reason to use the unique device ID. If I want you to identify me, I'll give you a way to do so, if I don't then tough luck.

Advertisers WANT the world, that doesn't mean we're willing to give it to them.

You can refrain from giving it to them. You can refrain from using ad-supported applications. You can refrain from using applications at all in countries that don't support payment.

Or, I can realize that I own the device, and they don't. and I can then go and do whatever I want with the device that I bought and paid for and using the software that I have legally obtained. If that includes something

Re:

[datapharmer]

check for update. If update check returns a value, check internet: if no internet give privileges message. Otherwise sleep.

Re:

[tepples]

App Developers should write their apps to use the smallest possible amount of permissions to provide the user experience needed

However, a user experience that does not include the end user paying real money to the developer often must include display of messages from sponsors. This in turn involves phoning home to see which companies have sponsored use of the application by users in your geographic area. Therefore, coarse location and Internet access are a given in a lot of free applications.

Re:

[datapharmer]

Fine. Tell the user why the permissions are needed. Do a get for the author's website, if it doesn't come back with a 200 ok in x number of days then don't let the app run or restrict it with a timer.

Re:

[GIL_Dude]

Most notepad apps sync to cloud servers. So they would still require "internet" access, which means the ads would not be gone. The biggest problem with being able to remove permissions is that people will use that to try to get rid of in app advertising. That in turn may cripple app functionality. Not a problem for technical users, but for normal users that is not a good experience. For developers, it means less revenue. For these reasons it is doubtful that Google would adopt this model of "you asked for x

Re:

[Riceballsan]

All you need is a simple "warning this app may not function correctly if you deny these rights, if the app does not work you will need to either add these rights or remove the app"

Re:

[CharlyFoxtrot]

Sounds like a good way to break apps. The tacit assumption here is that apps are asking for more permissions than they need. This seems pretty paranoid, why not just use the app as the author intended or else find some other app that conforms more to your expectations ?

Re:

[0racle]

I went looking for a better battery display then I had on my CM7'd nook. Every one I looked at requested at least full network access and many had that and local storage access. There is a difference between paranoid and realizing that to do a job a battery widget does not need to talk to the outside world.

Evidence points to Android developers acting like poor Windows developers, expecting and asking for full permissions always instead of doing the right thing and asking for the absolute least amount of pr

Re:

[oakgrove]

I'm not sure what all your battery display does but a good reason to ask for storage access is so you can persist a log/settings in case the user uninstalls/reinstalls the application. Without sdcard write access, all of your files have to be written to the /data/data/youapphere directory and if the user uninstalls your app, those files are gone. If they are on the sdcard and the user decides later to reinstall your program, it can just pick right up where it left off. The same thing happens on Linux OSX

Re:

[npsimons]

On my N900, BatteryGraph [jeroenwitteman.com] keeps an SQLite database for charting past performance.

Re:

[tepples]

why not just use the app as the author intended or else find some other app that conforms more to your expectations ?

In a lot of cases, the developer of the application has a monopoly on a particular interaction, through either an existing business relationship, a copyright, a patent, or a trademark. For example, are users expected to change banks if a given bank's online banking application for Android has such problems? Are users expected to become fans of a different sport if a given sport league's application for Android has problems?

Re:

[CharlyFoxtrot]

You could argue that if there's a problem of trust between you and an organization you shouldn't be running any code from them at all. And these kind of controls might actually stimulate such an organization to ask for the broadest possible permissions figuring power users will tune them down themselves and they can still profit from the ignorant and the lazy.

Re:

[Sloppy]

why not use the app as the author intended or else find some other app that conforms more to your expectations ?

Those are two options, and sometimes, selecting one of them is the best thing to do. And other times, a third option (using the app as the author didn't intend) is the best thing to do.

A good computer will recognize that sometimes the owner's interests conflict with

1. other parties' interests
2. random fate

and will always take the owner's side in this conflict.

Re:

[Dr_Barnowl]

The reason it's this way around is because you can automatically audit which parts of the API the application calls, and thus which permissions it requires to perform all it's functions.

What you can't audit is how the application will respond to having permissions denied - the application may well crash, because it will be receiving "permission denied" exceptions that it was not previously expecting to receive. Since the only way to check this is to have someone look through the code, it's not suitable for

Re:Seriously, that was the stupidest thing Google

[CharlyFoxtrot]

Sounds like a headache for developers: "these are the permissions you can ask for, but it's not sure they'll actually be granted." Then you'd have to build in checks absolutely everywhere because you can't rely on anything. Sounds more like a compromise position than anything malicious to me.

Re:

[maxume]

Or just check at startup and refuse to work at all if the permissions that the developer deems necessary are not available. I imagine that would be a common method of dealing with it, with things eventually reaching the point where developers bothered to ask for minimal permissions and requested that Google create new permissions where users were reluctant to grant broad rights to an app (the latter would happen less, most users aren't going to bother fiddling so much).

Google could avoid a lot of headaches

Re:

[Dr. Manhattan]

Set up an API that lets apps query what permissions they actually have. They can set up fallbacks (including "screw you, I'm taking my marbles and going home!") if they choose, right as they're initializing.

Re:

[Dr. Manhattan]

GP was stating that programmers would never handle all the possible permutations of missing permissions, and he's right IMO. Look no further than Windows where 99.9% of applications completely ignore all error codes for WinAPI calls.

So... developers are bad coders, and therefore we should give them free reign over our privacy?

Re:

[KlaymenDK]

There are so many types of Android devices out there, developers have to factor in hardware variance anyway -- and the OS helps with that. There's no reason the same could not be done for permissions. In most cases, it wouldn't be anything a try/catch couldn't handle.

Of course, this would not mean that end users would have a new Big Stick to wave around, developers could easily pick up one of their own -- developers are free to respond to a denied permission by saying "sorry, no ads for me, no game for you"

Re:

[h4rr4r]

You should be checking basically everything, ever hear of try and catch?

What would you do if the device just did not have a network connection? Or if it was a new phone and had an empty address book, or no emails yet?

Re:

[Timmmm]

A much better approach is MockDroid, which just fakes the results of operations for which you have been denied permission.

It works with existing apps and doesn't crash them.

Re:Seriously, that was the stupidest thing Google

[h4rr4r]

That is what this does. You ask for contacts, you get an empty contacts. You try to use network and sadly there is just is no network connection at all now.

Re:

[npsimons]

Sounds like a headache for developers: "these are the permissions you can ask for, but it's not sure they'll actually be granted." Then you'd have to build in checks absolutely everywhere because you can't rely on anything.

If a developers aren't checking to make sure argc is greater than zero and argv[0] isn't NULL, they shouldn't be shipping production code. "Checking absolutely everywhere" should be standard programming practice, because the one time something isn't checked is the one time it will fail.

Re:

[CharlyFoxtrot]

This is completely different. It'd be more like having to check libc is installed every time a program is executed.

Re:

[Xugumad]

There's a point where it becomes absurd. I don't riddle my code with:

assert 2 + 2 = 4;

because it would be silly to check that the processor is still adding correctly, it's a fundamental assumption. In the same way, I don't think it's unfair to expect that if my app indicates it needs location access, that it can get it. I'm happy that I _need_ to check if location is enabled currently, and handle that the location service may be Wifi or GPS or something else based, but checking things the API told me were t

Re:

[koolfy]

2+2 = 4 is an "internal" operation. It should obviously not fail.

"I need the GPS to give me a location" is a call to an external component (much like accessing internet, opening a file, user input), and failing in this external component, or lack of response should be handled.

Never trust external input.

Re:

[Xugumad]

Ah... I should explain a little further. When my app asks for location data, it hands over a listener for that data. If the GPS is unavailable, that listener is never called.

If my app asks for location data and does not have permission, then an exception is thrown as if my application is requesting access to something its manifest does not describe it as needing. That's a fairly major difference...

Re:

[h4rr4r]

In this case that is not what happens. It instead gives you a fake GPS location. At least that is the end goal. Your app can't tell if this location is real or not.

Re:

[Xugumad]

I once accidentally mangled the GPS location in my app and relocated to a couple of kilometers off the cost of Somalia...

Re:

[ChrisMP1]

Would you mind drawing the line between "internal" and "external"?

Sure. Does it result in a system call?

Re:

[h4rr4r]

So what does your app do when the phone is indoors and does not have wifi access?

At work, unless I turn the wifi on I have no valid location data. I still expect mapping software to let me move the map around myself.

Re:

[Xugumad]

We're using it to determine distance to a range of locations, so nearest can be presented to the user. The options are presented without distance information, and if no distance is available that simply doesn't change.

Re:

[Captain Spam]

So what does your app do when the phone is indoors and does not have wifi access?

At work, unless I turn the wifi on I have no valid location data. I still expect mapping software to let me move the map around myself.

If your app is indoors and has no wifi access, LocationManager won't give you any updates. Plain and simple. But LocationManager is still accessible, you can still make calls to it, you can still get the previous known location (for whatever good it is), and you can still register for updates for when you DO get a signal back. It may be never, but LocationManager is still accessible.

If the permission hasn't even been granted, you get fatal exceptions thrown back at you because, as it says in the Android

Re:

[h4rr4r]

In this case you get the appearance of the former case not the latter. It may well just give you a predefined fake location. Removing permissions surely would cause that issue, but the article indicates it fakes at least some of this data.

Re:

[Dr. Manhattan]

If the permission hasn't even been granted, you get fatal exceptions thrown back at you because, as it says in the Android API, it's expected that A) the developer request permissions in the manifest (which are presented to the user at install time) before using calls that demand them, B) the user accepted these permissions when installing the app, and C) the system won't arbitrarily pull permissions out from under the developer at runtime.

Of course... what I was explicitly suggesting was not making promis

Re:

[icebraining]

This is a feature to give apps less permissions. By default they have all they ask for. How does that make the system less secure for novice users?

Re:

[nitehawk214]

Enough stories about CM lately? I think we need more.

Only if we can support CM with Bitcoins.