The excessive permissions “requested” by Android apps as part of the download process annoys and concerns many users who fear these apps will collect personal information or expose their devices to vulnerabilities. I’ve written about this topic a couple of times (here and here) since last December.
Now the situation may be worse than ever, thanks to a new policy intended to make the apps permission process simpler in Google Play.
The redditor guy found out how the policy works first-hand by creating and publishing and updating an app in the Play Store. Specifically, the new policy organizes apps permissions into related groups. Fine. But according to the redditor, “if you approve one, you have approved them all.”
Google says as much itself in its policy update: “Once you’ve allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted.”
What Google seemingly means is “you won’t be able to manually approve individual permissions updates.”
Well, some users would like to make that choice.
They also probably would like to know if other permissions are granted to apps that automatically update. But they won’t even know about the updates or extra permissions, as Hoffman explains.
Getting back to the choice question, Google offers this for reluctant Android owners:
“Users who wish to have full control over new individual permissions being added to an app can review individual permissions for an app at any time, or may consider turning off auto-updates for one or more apps. Any permissions that are not part of a permissions group, including those that are not shown in the main permissions screen, will be shown in the ‘Other’ group.”
Gee, that sounds convenient.
Google has created a dozen specific permissions groups, along with a catch-all “other,” including “in-app purchases,” “device & app history,” “cellular data settings,” and “identity.”
Let’s take “identity” as an example. As the Google policy seems to read, if you approve an app that requests permission to “find accounts on the device” -- which is the first function listed under “identity” -- you also are permitting the other “identity” functions: “read your own contact card,” “modify your own contact card,” and “add or remove accounts.”
Under “contacts/calendar,” a user who approves “read your contacts” also unknowingly approves “modify your contacts,” “read calendar events plus confidential information,” and “add or modify calendar events and send email to guests" without owners’ knowledge.
I bet it doesn’t even feel like your phone anymore!
A third-party developer named SnoopWall last December released an app that allowed Android users granular control over apps permissions. It’s worked very well for me, but I’m not sure if it will be able to detect and alert users to permissions coming in on apps updates.
It’s hard out there for an Android user.