I would say it makes progress in two ways - it allows me to say "I don't
want to permit this" and make it stick, and it allows the developer to
codify that negotiation/trust level by saying "I am an ad-supported app and
you must allow this to work" verses "This is an optional feature and not
enabling it is fine."
It also solves policy issues like "An app cannot have both my personally
valuable info and internet access" (whatever that info is to me as an
end-user, whether it is phone number or location or sd card access..)
Look at locale (and derivatives) and imagine what they could do if they
could say "When {foo} is true, forbid permission {bar}" (eg "when I am at
200 sq mile government work compound, forbid gps from all apps except Maps
so that I can find my assigned trailer"..)
On Wed, Jan 26, 2011 at 2:26 PM, Yuliy Pisetsky <[email protected]>wrote:
> On Wed, Jan 26, 2011 at 12:28 PM, Chris Stratton <[email protected]>
> wrote:
> > On Jan 26, 12:30 pm, Jean-Baptiste Queru <[email protected]> wrote:
> >> Any such mechanism must include the ability for a developer to say
> >> that a permission their app is requesting is mandatory and can't be
> >> disabled.
> >
> > No. The device belongs to the user, not to the developer.
> >
> > Denial of internet access need not necessarily be presented to the
> > application any differently than unavailability of internet access or
> > connectivity to the desired host.
> >
>
> Making all permissions optional (for the user) doesn't solve the
> problem, it just moves the arms race one step further. The app will
> attempt to acquire GPS coordinates, connect to the internet, etc. to
> test out its permissions and then say "Sorry, grant me my privileges
> if you want to use me," which doesn't get us anywhere. _Allowing_ for
> optional permissions does make sense. For instance Ringdroid (when I
> last checked) asked for internet privileges to allow an optional data
> collection feature to work. Unfortunately, the Ringdroid developers
> had no way of stating "this is an optional permission if the user
> wants to grant it"
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected]<android-security-discuss%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
>
>
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/android-security-discuss?hl=en.
