Conditional app permissions

Warning: This blog post was posted over two years ago. That is a long time in development-world! The story here may not be relevant, complete or secure. Code might be incomplete or obsolete, and even my current vision might have (completely) changed on the subject. So please do read further, but use it with caution.
Posted on 06 Aug 2014
Tagged with: [ Android ] [ permissions ]

I know: free software comes with a price. Most likely this price is your privacy. I'm not talking about 3-letter agencies snooping in on each and every call or email, but the "normal" companies, setting up user profiles based on your address book, phone calls, emails and whatnot. And nobody seems to care: we don't mind selling ourselves if it means we can enjoy the next 5 minutes on Flappy Bird, sending 2-letter messages to others, or sending poor-quality pictures to each other.

But not every developer is in the business of collecting your data. Sometimes a developer honestly doesn't care about who you called or who is in your address book, and doesn't want to read your direct Twitter messages or even write to your Twitter timeline. But developers are often forced into a category that doesn't distinguish between the "good" and the "bad".

Take Twitter for instance: there are three permission levels a developer can choose from when creating an app that uses Twitter:

  • read only access
  • read and write access to tweets
  • read and write access to tweets and to direct messages

So if you write an app to categorize your tweets, including your direct messages, you MUST ask the user for write permission as well, although the app never intends to write anything. Unfortunately, some app developers abuse this power to tweet out that user X is using app Y in order to boost sales, which is why more and more people are hesitant to give such powerful permissions. Sure, an app COULD behave, and maybe most of them will, but the whole OAuth principle is based on granting just enough rights for an app to do its business with your permission, and nothing else.

In this case, Twitter could change its permission system into a more fine-grained setup. It would be easy enough to set up a permission scheme that allows access to direct messages without any write permission. But it doesn't, which forces me (and many others) not to install any apps (or connect to websites) that have read/write access. There is no way for me to verify that the app or site is trustworthy enough not to abuse the power I give it.

It gets even worse with Android applications. On this platform all applications have a range of permissions they can choose from. There are permissions for making phone calls, using the camera, using the network, accessing Bluetooth and whatnot. There is a ridiculous number of permissions to choose from, but this is actually a "good thing"(tm). Because now a developer who wants to use the address book doesn't automatically get permission to view emails. Or somebody who wants to make phone calls doesn't automatically get permission to record them. Separation of power is always a good thing, and the more fine-grained the permissions, the less an app can abuse them.

Unfortunately, it doesn't really work that well in practice. There is a big catch on this platform: either you accept all the permissions an app asks for, or you just can't install the app.

But doesn't that make sense? A developer declares that the app needs your camera AND your address book: two permissions that must be accepted in order to let the application work, right? Unfortunately, this is not how most applications work. Let's consider the permissions of the Android app of my business bank, the ABN Amro banking app:

  • directly call phone numbers
  • modify or delete the contents of your USB storage
  • test access to protected storage
  • take pictures and videos
  • full network access
  • view network connections

Let's check these permissions in detail, and keep in mind we're dealing with a banking app: an app where I can check my bank account and possibly send money to other accounts.

Directly call phone numbers
What it says on the tin. The application is able to call phone numbers. This could be a simple helpdesk number, but it could also be a paid number that costs 25 euro per call. In any case, you just gave it permission to do so.

Modify or delete the contents of your USB storage
What exactly should a banking app be modifying on your USB storage (the place where you most likely store your photos and the like)?

Test access to protected storage
This allows the app to test whether it can access things like your SD card.

Take pictures and videos
If any of the above permissions didn’t creep you out, maybe this will. A professional banking app in the business of taking pictures and videos. Obviously!

Full network access
This one I understand: in order to connect to my bank, the app has to use the internet. A permission that is actually needed.

View network connections
A permission to check whether (and how) you are connected to the network (Wi-Fi, 3G, 4G, etc.). A nice-to-have, but really an optional permission.

So how many of these permissions do we really need in order to do our banking? Only one: full network access. Everything else is optional, but you CANNOT USE THE APP WITHOUT ACCEPTING THESE PERMISSIONS AS WELL.

That is right: in order to do my banking, I must give ABN Amro permission to call every number they please, and let them take pictures or videos.

So what is my bank really doing with these permissions? We don't know for sure. The app isn't open source, so we can only guess. It's likely, but not guaranteed, that these permissions aren't being abused. Although, keep in mind: it's an app from a bank. Inside the application, you can take a photograph of a bill, and the app will automatically fill in all the payment data so it saves you some typing. It's a feature that I don't use (and I don't know anyone who actually uses it), yet we are forced to accept these permissions.

Take a look at this screen:

[Screenshot: Screen Shot 2014-08-06 at 10.18.22]

See the little "scan acceptgiro" label plus button there? This is what the majority of those permissions are for.

Conditional permissions

Suppose a developer uses two lists of permissions: mandatory permissions and optional permissions. One is the list of permissions that are key to the application, in the bank's case: network permissions. All the rest are placed in the optional list. As soon as I want to install the app, the store shows me the list of permissions, but instead of just one accept button, I can choose which optional permissions I want to grant. Don't want my bank app to take pictures? Just disable the permission.

From the app's point of view, it can check whether it has the camera permission or not. If it doesn't, just don't display the "scan" label and button; if it does, show the button. Don't want it to automatically call the helpdesk? Fine, here's a window with the number instead.
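As an added example (not from the original post, and not the bank's code), here is how an Android app would implement that scheme: the camera is an optional permission that is only requested when the user presses "scan", the button disappears if the user declines, and the helpdesk feature never needs CALL_PHONE at all. It uses the runtime-permission API that Android introduced later, in API level 23, which this post predates, plus the AndroidX compat helpers; the package name, layout, view ids, ScanActivity and helpdesk number are hypothetical.

```java
// Added example, not from the original post or from the bank's app.
// Assumes Android runtime permissions (API level 23+) and the AndroidX
// ActivityCompat/ContextCompat helpers. Package name, layout, view ids,
// ScanActivity and the helpdesk number are hypothetical.
//
// AndroidManifest.xml declares only what the features actually need:
//   <uses-permission android:name="android.permission.INTERNET" />   (mandatory)
//   <uses-permission android:name="android.permission.CAMERA" />     (optional)
// and deliberately no CALL_PHONE.
package nl.example.conditionalperms;

import android.Manifest;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class PaymentActivity extends AppCompatActivity {
    private static final int REQ_CAMERA = 42;
    // Hypothetical helpdesk number, not the bank's real one.
    private static final String HELPDESK = "tel:0000000000";

    private Button scanButton;      // "scan acceptgiro": optional feature
    private Button callButton;      // "call helpdesk": optional feature
    private TextView helpdeskLabel;
    private boolean cameraDeclined = false;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_payment);
        scanButton = findViewById(R.id.scan_button);
        callButton = findViewById(R.id.call_button);
        helpdeskLabel = findViewById(R.id.helpdesk_label);

        // Ask for CAMERA in context, when the user wants to scan. The rest of
        // the banking flow (balance, transfers) never depends on this grant.
        scanButton.setOnClickListener(v -> {
            if (hasCamera()) {
                startScan();
            } else {
                ActivityCompat.requestPermissions(this,
                        new String[]{Manifest.permission.CAMERA}, REQ_CAMERA);
            }
        });

        // ACTION_DIAL needs no permission: it opens the dialer with the number
        // prefilled and the user presses call, so the app itself can never
        // dial a premium number. The number is also shown as plain text.
        helpdeskLabel.setText(HELPDESK.substring("tel:".length()));
        callButton.setOnClickListener(v ->
                startActivity(new Intent(Intent.ACTION_DIAL, Uri.parse(HELPDESK))));
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Re-check on every resume: the user can revoke CAMERA in Settings at
        // any time, and the UI must follow the current grant state.
        boolean showScan = hasCamera() || !cameraDeclined;
        scanButton.setVisibility(showScan ? View.VISIBLE : View.GONE);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode,
                                           @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_CAMERA) return;
        if (grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            startScan();
        } else {
            // Declined: hide the optional feature instead of nagging or failing.
            cameraDeclined = true;
            scanButton.setVisibility(View.GONE);
            Toast.makeText(this, "Scanning disabled; enter the payment by hand.",
                    Toast.LENGTH_SHORT).show();
        }
    }

    private boolean hasCamera() {
        return ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED;
    }

    private void startScan() {
        // Hypothetical scanner activity that fills in the payment form.
        startActivity(new Intent(this, ScanActivity.class));
    }
}
```

The point of the manifest comment is that the optional permission still has to be declared, but the grant is decided by the user at the moment the feature is used, and a denied grant degrades one button rather than the whole app. The helpdesk case shows the other half of the idea: a feature redesigned so it needs no dangerous permission at all.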

Obviously, it's still not a solution to everything. Developers could put everything on the mandatory list, but at least they are given a choice, which allows the "good" developers and apps to create decent apps with decent permissions.

Let's hope more mobile applications will follow this app's example: https://twitter.com/JayTaph/status/478843987013271552