Thanks Dianne for your response. That's great to hear that there is ongoing work to allow energy resource management! That will be a big improvement.
You're right that adding functionality to enable/disable GPS for specific apps isn't necessarily a security discussion (and I should probably post those suggestions on Android-discuss, along with similar ideas related to enhanced user control over system resources / permissions). However, how the Android platform manages application access to the location API is definitely a security issue. The existing solution, pretty much a blanket waiver notifying the user of specific permissions on app install, while a nice foundation for a secure application framework, is not enough! The all-or-nothing / now-or-never approach is completely insufficient. Imagine if Mozilla's security policy was: "users should rely on website reputation to ensure safety against XSS attacks. If they are unsure about the site's credentials then they should disable javascript before continuing." Wouldn't that be ridiculous?

Jonathan wrote:
> There aren't enough security updates in the world to replace user
> responsibility and competence...but I see your point.

That's true, you can't replace user responsibility and competence, but you can't rely on it either! Moreover, the platform should at least _allow_ a user to be competent and responsible, for example by giving them enough control to monitor and control access. The Android platform should actively strive to protect user privacy and assure users that it isn't doing anything unexpected with the GPS capabilities. It should be clear when / which apps are polling GPS. I'm really quite surprised that there isn't more discussion around this topic of managing locational privacy. Frankly, it really ticks me off when people suggest just turning off GPS to temporarily disable location services. Not only is it pathetic that that is the only current solution, but I'm not looking for a workaround. I am interested in discussion working toward a practical solution to this shortcoming.
If we want more people to adopt Android and all the awesome future LBS apps then we should make sure to provide a system that mitigates these concerns. I honestly wish that I had the time and familiarity with the source to be able to contribute a patch, but, well, I'm not. I'd rather spend my time contributing patches where I do have experience. However, I realize that contributing code is not the only way to contribute to an open source project, and so I am trying to do the next best thing by offering my feedback and discussing concerns.

I am aware that Locale is working on a developer platform that allows Android applications to subscribe to its location services so that only one app, Locale, needs to poll the GPS. I think this is a brilliant idea. It could provide the necessary layer of security that would enable managing which apps can see the location, with what frequency, and even with what precision. But in my opinion Android users should not be expected to install a 3rd party app to achieve this functionality, nor should the apps be required to subscribe to a 3rd party service. Something like this should be integrated into the Android platform itself.

Anyway, I look forward to hearing what y'all think.

Sam

On Dec 3, 3:34 pm, "Dianne Hackborn" <[EMAIL PROTECTED]> wrote:
> Sure, it would be nice to be able to enable/disable GPS for specific apps
> and see which ones are draining your battery, though I don't think this is
> really a security discussion. We have some ongoing work to address knowing
> who is using battery, but nothing planned at this point for per-app GPS
> control. Patches are, of course, welcome. :)
>
> On Wed, Dec 3, 2008 at 11:19 AM, Sam Hiatt <[EMAIL PROTECTED]> wrote:
>
> > Thanks all for your feedback.
> >
> > Just to clarify, yes, I know that the user has to grant specific
> > permissions on application install, but that's not good enough at
> > all! Just saying that at some point the app might need to turn on GPS
> > and/or access the network is a good initial precaution, but my point
> > is that you can't stop there.
> >
> > Currently if a user wants to ensure that app X isn't the one
> > incessantly polling GPS (and draining out the battery) then his only
> > choice is to either turn off location services completely, for all
> > apps, or uninstall app X? Really, that's just pathetic.
> >
> > I think it is a severe shortcoming that Android won't let me
> > temporarily deny GPS permissions to one app, leaving all other apps
> > unaffected. The user should be able to see all apps that have
> > location privileges and "uncheck" the ones that he's not currently
> > using.
> >
> > Additionally, at any point in time the user should be able to look and
> > see which apps are actively using location services. This could be as
> > simple as making the GPS icon in the notification bar "clickable", so
> > that when the user notices it is on he/she can pull down the
> > notification bar, tap the GPS icon and see which app is using it. This
> > would also be an excellent place to notify the user with a simple icon
> > that the specific app also has network permissions, especially if it is
> > actively uploading information.
> >
> > Does that make sense? Do you all agree?
> >
> > Sam
>
> --
> Dianne Hackborn
> Android framework engineer
> [EMAIL PROTECTED]
>
> Note: please don't send private questions to me, as I don't have time to
> provide private support. All such questions should be posted on public
> forums, where I and others can see and answer them.
