Related to Chris's sentiments regarding user and developer awareness of requested permissions, I've noticed (from a user's perspective) that turning on auto-updates for applications is very useful to detect when an application changes it's uses-permissions.
Normally, I just get an "update successful" message in the notification bar, but when the permissions change, I'm informed "there's an update", and when I go to the Market app, it says "manual update". Hrm ... As someone who researches Android security, I know that the manual update is a result of a permission change, so I take note of the permissions, and then I go back to Android's application manager to see what the old permissions were. For example, Shazam recently added location permissions. However, that's a lot of work a lay-user. I'm not an HCI expert, but it would be useful (at least for me) for the Market app to inform the user of *why* the manual update was required, e.g., display the list of added and deleted uses-permissions. This may (or may not) raise end-user awareness and cause them to put more pressure on application developers. Just a thought. Thanks, -Will On Jul 27, 2010, at 5:38 PM, Chris Palmer wrote: > On Tue, Jul 27, 2010 at 2:25 PM, sharedwd <[email protected]> wrote: > >> Well, then I guess the Market is pretty much useless if users want any >> kind of privacy. Every app out there wants every permission available >> it seems. If I didn't install an app I wanted because it requires >> permissions to private info, that pretty much means don't install ANY >> apps from the Market. And that includes Google Maps, Twitter, and >> everything else. > > Keep it in perspective: All Mac OS X/Linux/Windows apps can access all > your information all the time. Therefore, although Android offers > "only" coarse-grained control over what an app can access, that is > still a vast improvement over the status quo. > > Second of all, Android can only provide the mechanism for privilege > limitation and data sharing; it is up to developers to use those > mechanisms well. As you report, many developers are not currently > using them well. As users, we can pressure developers to justify > and/or reduce the privilege their apps use. > > Just recently, I found three roughly-equivalent apps to perform a > function I wanted. They each required different permissions; I > installed the one that requires least privilege and emailed the > developer of the other two about why I made my choice. The developer > provided a semi-decent explanation for their use of many privileges, > but he understood my point of view also. > > Anyway, Android-the-platform provides very good privilege-limitation > mechanisms. Raising developer awareness is a separate (important) > task. > -- William Enck PhD Candidate Department of Computer Science and Engineering The Pennsylvania State University [email protected]
