I agree that this "report" is mostly scaremongering, but I do think there are some valid issues here. Asking users to approve permissions isn't really a very good solution. Nearly every program asks for at least a few permissions, so users quickly get trained to just click "Install" without really understanding what they're agreeing to. And if a program wants to do something malicious, like sending thousands of SMS messages, it will just pretend to be something that has a plausible reason for needing that permission.
I'd like to see more permissions handled implicitly through user actions at runtime. Java Web Start uses this technique a lot. For example, it's fine for a program to send an SMS message as long as it's done through a standard UI that displays the message and requires the user to click the "Send" button. That shouldn't require any special permissions, and it also should be enough to meet the needs of most programs. Permission would only be required to send SMS without using the standard UI, and that would be an uncommon thing to ask for. That way, it would actually get people's attention if a program asked for that permission. No security model can stop all malware, and I think Android does a lot better than most OS's, but there's room for improvement. Having a program ask you for special permissions should be the exception, not the rule. And when it does ask for a special permission, your first instinct should be to say no. Otherwise, asking users to approve permissions is just a hassle that adds little benefit. Peter -- You received this message because you are subscribed to the Google Groups "Android Discuss" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-discuss?hl=en.
