Today’s Android permissions system has many shortcomings. While perhaps a decent starting place for the development of a more robust solution, the existing implementation is minimally effective at fostering good security practices.
Consider the last time you installed an app — did you look closely at the permissions? I sometimes look out of curiosity, or to make sure they are not blatantly egregious. But even then, I often assume someone else has scrutinized the application for me.
A revised system might foster a “Permission on Demand” model, as implemented in most modern web browsers. As non-core features are needed, the user is able to allow or disallow the permission — optionally, to always or never allow. Some more elevated permissions — those sensitive to the user’s data and identity — might always require explicit consent.
The new permissions system would extend the existing infrastructure beyond the all-declarative uses-permission element, to include a new requests-permission element. Required permissions would then only be those necessary for basic operation of the application. All other permissions would be declared with requests-permission. At install, these could be set to “Never,” “Always,” or “Ask me.” The default would be “Ask me.”
Much later, when the user has forgotten the particulars of this interaction, the application might try to request an optional permission. At this time, the user would make a decision appropriate to the context: “Not now,” “Never,” “Yes,” or “Yes, always.” In the event that the user decided to deny the permission, the application would display an error message stating that the functionality was not available — or degrade gracefully. Up until then, however, the application would have been entirely functional as expected, operating perfectly happily without the permission.
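As an added illustration of the semantics proposed above (not code from this post or from Android itself), here is a small Python model of the two-element manifest and the on-demand decision flow. The manifest snippet, the use of a name attribute on each element, and the prompt callback are assumptions made for the model.

```python
import xml.etree.ElementTree as ET
from enum import Enum

# Constructed sample manifest in the shape the post proposes (not a real Android manifest).
MANIFEST = """<manifest>
  <uses-permission name="INTERNET"/>
  <requests-permission name="CAMERA"/>
  <requests-permission name="READ_CONTACTS"/>
</manifest>"""

class Install(Enum):          # choices offered at install time for optional permissions
    NEVER = "Never"
    ALWAYS = "Always"
    ASK = "Ask me"

class Prompt(Enum):           # choices offered when the app asks on demand
    NOT_NOW = "Not now"
    NEVER = "Never"
    YES = "Yes"
    YES_ALWAYS = "Yes, always"

def parse_manifest(xml):
    """Split declared permissions into required (uses-permission) and optional (requests-permission)."""
    root = ET.fromstring(xml)
    required = {e.get("name") for e in root.iter("uses-permission")}
    optional = {e.get("name") for e in root.iter("requests-permission")}
    return required, optional

class PermissionState:
    def __init__(self, manifest_xml):
        self.required, self.optional = parse_manifest(manifest_xml)
        # The post's default for every optional permission is "Ask me".
        self.setting = {p: Install.ASK for p in self.optional}

    def check(self, perm, ask):
        """Return True if `perm` may be used right now. `ask` (hypothetical prompt
        callback) is called only when a prompt is needed and returns a Prompt value."""
        if perm in self.required:
            return True                        # granted at install, as today
        if perm not in self.optional:
            return False                       # never declared: deny (least privilege)
        if self.setting[perm] is not Install.ASK:
            return self.setting[perm] is Install.ALWAYS   # remembered decision, no prompt
        answer = ask(perm)
        if answer is Prompt.NEVER:             # a remembered denial stops future prompts
            self.setting[perm] = Install.NEVER
        elif answer is Prompt.YES_ALWAYS:      # a remembered grant does too
            self.setting[perm] = Install.ALWAYS
        return answer in (Prompt.YES, Prompt.YES_ALWAYS)   # "Not now" denies once, asks again later
```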
Now this all sounds like the Web. In many ways, as horrifying as Web programming and security have been throughout their lifetime, the infrastructure seems to have gained a certain degree of maturity. Here, for example, we either evangelize a mass movement to HTML5, or make a request to “forward-port” a better permissions model to Android.
So who’d like to code this up?
© 2019 nosemaj.org