26 Mar

One of the ways Android protects application users from unwanted activities is by requiring every app to declare a set of permissions and allowing users to view those permissions during the installation phase. Don't like what an app can do? Just don't install it.

However, this all or nothing approach doesn't allow you to selectively turn off specific permissions, so if you don't like that an application accesses your phone state, you can't just disable that and still have the app installed. This forces you to either potentially compromise your privacy or miss out on what could be a great piece of software. Annoying, isn't it?

A change to this core Android paradigm may be coming soon to CyanogenMod users in the shape of a proposed patch, posted to CM's bug tracker by psychoi3oy (clever name, isn't it?) and developed by Plamen K. Kosseff. The patch would add currently non-existent methods to get and set permissions for specified apps, together with a related Settings area and a new android.permission.REVOKE_PERMISSIONS permission that would guard the new methods.

Adds support for revoking permissions.

- 2 new methods in PackageManager: set and getRevokedPermissions.
- new permission android.permission.REVOKE_PERMISSIONS that guards the new methods.
- new widget that can revoke permissions and is to be used in Settings app.

Change-Id: I19aace30b6e2bd2075231f8a8581c22b428e86e8

Patches get submitted to open-source projects all the time, and having one in no way means it will be accepted by the project admins. However, Steve Kondik, aka Cyanogen himself, left the following comment, which not only didn't dismiss the patch but made its integration with CyanogenMod seem quite a bit more likely:

Steve Kondik Mar 24

Going to save this for 7.1.

If implemented, the new permissions would revolutionize the way applications are handled in CM, but I am foreseeing a lot of problems if apps are suddenly denied access to what they would normally be able to do. Considering that in Android, once a permission is granted, it is guaranteed, I would guess most developers don't ever bother to catch SecurityExceptions. Guess what an unhandled exception results in (hint: it rhymes with "Smores Roses"). That's right - the app will crash, and you will start experiencing conflicting feelings of safety and rage.

As an Android developer myself, I hope the CM team will take these considerations into account and, if the patch is implemented, tweak it so that it denies permissions by faking the requested resources rather than outright refusing them.
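The defensive pattern the crash concern above calls for, as an added example (hypothetical helper class, not code from the patch or from any app mentioned on this page): check the permission up front, and also catch SecurityException at the call site, because a revoke-style patch can deny the call without the up-front check reporting it. It assumes an app whose manifest declares READ_CONTACTS and READ_PHONE_STATE.

```java
import android.Manifest;
import android.content.ContentResolver;
import android.content.Context;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.provider.ContactsContract;
import android.telephony.TelephonyManager;
import android.util.Log;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical helper (example code, not from the patch or any app on this page).
 * Each accessor degrades to "empty" or "unknown" data instead of propagating a
 * SecurityException, so a revoked permission does not force-close the app.
 */
public final class GuardedAccess {
    private static final String TAG = "GuardedAccess";

    private GuardedAccess() {}

    /** True only if the manifest-declared permission is actually held at runtime. */
    static boolean holds(Context ctx, String permission) {
        return ctx.checkCallingOrSelfPermission(permission)
                == PackageManager.PERMISSION_GRANTED;
    }

    /** Contact display names, or an empty list if READ_CONTACTS is missing or revoked. */
    public static List<String> contactNames(Context ctx) {
        if (!holds(ctx, Manifest.permission.READ_CONTACTS)) {
            return Collections.emptyList();
        }
        List<String> names = new ArrayList<String>();
        Cursor c = null;
        try {
            ContentResolver cr = ctx.getContentResolver();
            c = cr.query(ContactsContract.Contacts.CONTENT_URI,
                    new String[] { ContactsContract.Contacts.DISPLAY_NAME },
                    null, null, null);
            if (c != null) {
                int col = c.getColumnIndexOrThrow(ContactsContract.Contacts.DISPLAY_NAME);
                while (c.moveToNext()) {
                    names.add(c.getString(col));
                }
            }
        } catch (SecurityException e) {
            // The up-front check passed but the provider still refused: a permission
            // revoked after install. Behave as if the address book were empty.
            Log.w(TAG, "READ_CONTACTS denied at call time", e);
            names.clear();
        } finally {
            if (c != null) c.close();
        }
        return names;
    }

    /** Device id, or null when READ_PHONE_STATE is missing or revoked. */
    public static String deviceId(Context ctx) {
        if (!holds(ctx, Manifest.permission.READ_PHONE_STATE)) {
            return null;
        }
        try {
            TelephonyManager tm =
                    (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
            return tm == null ? null : tm.getDeviceId();
        } catch (SecurityException e) {
            // Same fallback: treat a revoked permission like an unavailable resource.
            Log.w(TAG, "READ_PHONE_STATE denied at call time", e);
            return null;
        }
    }
}
```

Callers must treat an empty list or null as a normal outcome rather than an error, which is the same handling they already need when the device simply has no contacts or no telephony.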

If you are an application developer, we'd love to hear what you think - share your comments in that sexy rectangular field below.

Source: CM bug tracker, CM Gerrit Code Review

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • http://www.cypher-sec.org thecolor

    I think this will be a great way to determine what apps are phishing rather than just doing what they are supposed to or say they do.

    weeding out honest vs dishonest in a way.

    A user should be able to just re-install the program in the normal fashion if it really fails to function with less access (assuming they want to take the risk).

  • JCopernicus

    First legitimate chance to call out the possibility of fragmentation for android. =(

    Don't do it CM!

  • http://twitter.com/benmarvin Ben Marvin

    I see a useful side to this as well. Testing out a potentially malicious app without allowing it to do any actual harm. Could be useful if used correctly.

    With great power comes great responsibility.

  • http://chrisbramm.co.uk Chris

    I think it is a brilliant idea. Alright I can see it causing problems and the devs who don't pay any attention to CM/Unofficial roms won't pay any attention to it but I can see those devs that do follow the rom community will start to catch security exceptions.

    I really do hope this is implemented and Google picks up on this, after all, look what happened to A2SD.

  • Daniel

    Judging by the fact that they're adding a new permission, I would guess that it would only apply if apps specifically said that they would allow users to revoke certain permissions. Thus, no force closes (hopefully).

    • http://www.AndroidPolice.com Artem Russakovskii

      Afraid you're misunderstanding what the new permission is for - it's for apps that can act as ones that can revoke permissions, such as an application manager app. Basically, it's there to watch the watchmen.

  • Philicibine

    I think, for CM this is a great idea. This again puts CyanogenMod at the forefront of Android development.

    I completely agree about it causing force close nightmares.. but this is the kind of feature that will stick... And if the app developers take the possibility of this into consideration when developing apps.. then we might not have such a nightmare with force closes.

    In my opinion this is the kind of feature that will make it into mainstream / stock devices. Think about it.. it's like an inbuilt firewall. SUPERB!

    Go Cyanogen and teamdouche .. give the networks / manufacturers something to ooogle over!

  • http://www.aaandroid.com/ Avi

    This is a terrible idea. First, apps that use the Internet permission just for ads are screwed. Take away my revenue stream and I don't develop apps, at least not free ones. Second, if this is implemented I hope the CM team is prepared to answer all my support email when some moron removes the vibration permission and my app force closes. I, for one, will not be adding checks to ensure that permissions that are guaranteed to me are there. People need to take off their tin foil hats. Education removes all possibility of an app being dangerous. In nearly 25 years of using a PC I've never had a virus and I don't use virus scanners or protectors. I pay attention to what I'm doing. In my experience, people who install malicious apps could have avoided it by educating themselves. While this sounds like a good idea, in practice, it will break apps and cause people to bitch to developers. If an app requires a permission it's because it needs it, not because the developer felt like requiring random permissions. Personally, I try to ask for as few permissions as I can and only what is absolutely necessary and I suspect that that's what nearly all devs do.

    • http://www.anivision.org Xcom923

      Originally I thought this was a great idea but you bring up a good point. Now I have mixed feelings. As an aspiring developer I frown upon blocking ads; I think that's a terrible way to screw developers out of money and the ads aren't even that bad. I find them even helpful sometimes. But if they could make it so it wouldn't affect the ad system I could totally see Google picking this up just like apps2sd. It is a better way to handle things and I do think that developers should check their permissions anyway (just good practice).

      • http://www.aaandroid.com/ Avi

        Google will never, ever pick this up. And if the Internet permission is blocked, so are ads. And I'm not sure why it's good practice to check for permissions since they will ALWAYS be there unless someone explicitly removes it in which case I want my app to break. If I ask for a permission then I need it for my app to function properly. Users need to either accept that or not use my app. I don't request permissions for fun. I request them because they're necessary for my apps to work.

        • http://www.AndroidPolice.com Artem Russakovskii

          I really hope they don't, and this change doesn't make it into CM. The system was not created to be used like this at all.

      • Brad

        You can already block ads quite easily. Just install adfree a free app available in the google market

    • Doucher

      You're making a lot of assumptions there. How do you know for sure you've never had a virus if you've never scanned? That seems ignorant and arrogant.

      • Ben

        I don't really agree. I mean it's not that hard to tell if your computer is screwing up more or slowing down. Or if you've had your bank details stolen.

        • Andrew

          Or if they're just collecting your email to target ads. Or if they're relaying traffic through your machine for a DDoS. Or if it's set on a time-activation and just casually attaching itself to every file that passes through.

          I'm not an idiot with my PC either, and I haven't had a virus in the last decade, but it seems foolish to ignore that layer of security when there are several free and effective solutions available.

          Then again, I also wear seatbelts, so maybe I'm just paranoid :)

      • http://www.aaandroid.com/ Avi

        It's not an assumption. I've never had one. I've been around too long and know the signs all too well. People get viruses because they are careless and ignorant. Virus scanners are good for those people and the paranoid.

        • Doucher

          Which apps do you develop? The reason I ask is because I want to be sure not to put them on my phone. How does that factor into your vast experience? Especially since you don't believe in virus scanners.

    • Hirudin

      Aren't there already ways to block ads in Android?

      Also, if the majority of apps *need* the information they request and this new patch breaks the apps: you can bet that it won't be implemented. If this patch doesn't break the apps: well, I guess the apps didn't need the permissions so badly after all.

      Sorry, if I see an app needs permission to access my contacts I am very unlikely to install it. That's why I don't use Barcode scanner.

      I gotta go, but my point is: this may increase sales as well.

      • http://www.aaandroid.com/ Avi

        You are paranoid for no reason. Barcode Scanner? Really? It's an open source app. You can see EXACTLY what it's doing.

        • Hirudin

          You're assuming I can read the code... besides, that's only an example. Don't get caught up in the specifics - focus on the sentiment.

          Paranoid or not, my money is just as good as anyone else's. For better or worse my "paranoia" has prevented me from trying some apps.

  • gu1dry

    Um, psychoI3oy didn't submit the patch, he just linked the patch to the GCode issue thread....

    Please double check your info in the future ;)

    • http://www.AndroidPolice.com Artem Russakovskii

      I never said he submitted the patch - I said he posted it to the bug tracker, which is exactly what he did (he's on the CM core team as well). I'll clarify who the actual author is though - thanks.

  • http://dangerismymiddlename.com Paul Danger KILE

    I empathize with the developers that aren't looking forward to this.

    In order for the manager to pull this off it would need to wrap someone else's code (by calling it) correct? But that's code that the manager-writer has never seen. Are all Android programs standard-enough to make that work? If the manager-program shoehorns itself in between the UI, and app, then the manager itself can handle the exception, there is no reason to pass it all the way up... Scratch that: there are very good reasons to not do this. :-)

  • Devmil

    In general such a feature would be a great enhancement for Android (in my opinion). But only if the ad problem is solved. It is possible to block ads today (AdFree / DroidWall) but this would make it even easier. We all don't like ads but this is the motivator for a bunch of developers providing their apps for free.
    Another problem would be the integration of such a feature without apps that can handle the denial of a permission. A "fake data" approach would be the only possibility in my opinion. So let the app use a dummy Phone Id or let the app believe that the data connection is not active.
    I'm an app developer myself and it would really hurt to get extra support requests for users that can flash a custom ROM but can't understand that when they deny the internet permission for a weather app that the app doesn't behave correctly.
    Just my 2 cents.

    • Falken

      The fake data suggestion is brilliant.

      Instead of blocking the request, it should give fake data instead. We could set up a fake location, fake contacts, fake Gmail account, etc. And choose whether apps can access the real or the fake data. If we want to block the Internet then it should also pretend the mobile data option is disabled.

  • Ken

    If instead of raising an exception, the APIs would return blank information, that would work.

    For example, if you revoke the location permission, the app could just be sent the same signal it would if GPS and cell location were off.

    Or for Internet, just a simple connection error. For contact info, just return an empty address book, etc.

    • Deon

      Yes. This is exactly how it should work. Just fake out the program, make it think the GPS is off, the address book is empty, the internet connection is down, etc. App would continue on just fine.

  • http://www.stealthcopter.com/blog Mat

    Ha, I just wrote a blog post complaining about the lack of optional permissions or the ability to explain permissions to the users. Good to know I'm not the only one annoyed by this.

    http://www.stealthcopter.com/blog/2011/03/i-think-android-should-have-optional-permissions-with-explanations/

  • Hirudin

    This would be so awesome!

    I'm donating to the Cyanogen team soon.

  • Falken

    In some companies the management have access to the Android Market crash reports. It's unfair for the developers to be given a hard time about the number of crashes occurring. (Quite often the developers try to limit the required permissions but business managers typically want the app to access your contacts book, etc).

    • Deon

      And why would business managers want the developer to have their app access the contacts? Something shady? I say we feed 'those types of programs' a fake list, program continues on just fine.

  • William

    A better option IMHO is to allow a developer to indicate which permissions are mandatory and which are optional and only allow the OS to switch off the optional ones.

    This lets a developer craft an app that can use the internet to provide some capability, but the user can switch that off.

    The developer knows which permissions might be switched off and can enable/disable capability on that basis.

    Otherwise we are saying that all apps are restricted to what can be done on phone without access to any phone devices (camera, GPS, internet, vibrator) or embedded components (Contacts etc). That's a very shallow gene pool of apps.

    • http://www.aaandroid.com/ Avi

      This is actually a really good suggestion. It can get complicated but a nice compromise. The dev can inform the user that in order to use this feature they would have to enable a particular permission. But, for example, I can require Internet permissions for ads that are not optional. Very nice.

    • http://forum.xda-developers.com/showthread.php?p=12161601#post12161601 Plamen

      If you ask the ad network they need access to ALL just to show you relevant ads.
      Do you know that AdMob code will actually try to read your contacts despite having checked that it has no permission?

      And don't get me wrong I think ads are annoying but necessary. But I don't think they need to know where I am, who I am and which people I have in my contact list.

      • William

        Not true. AdMob requires Internet only.

        If you provide other capability like Coarse Location, "Fine Location" they will use that to show ads more selectively.

    • Deon

      This is ok in a perfect world, but this would require a lot of work from a lot of developers on a lot of apps. Restructuring the entire permissions system. And why would any user intentionally allow the 'optional' services, most security minded users would just uncheck all the 'optional' services. So if a developer writes a fun simple game but with the intent of gaining information from you like your contact list, why would he want to mark that service as optional? It'd be 'mandatory'. There are a lot of shady developers pulling in information that they really shouldn't be and you can't trust all the developers out there to be honest. This proposed patch gives the user more control, by being able to specifically deny, like a firewall, programs from accessing certain data, or better yet, providing fake data to those programs so they're none the wiser. I have no problem feeding in my fake contact list to programs that want it. Only programs that interact directly with my contact list need that specific permission and access to the real list.

      • William

        Lots of work yes. But IMO if the current proposal becomes common it would break the fabric of the Android ecosystem.

        Aside from access to the CPU/screen and permanent memory, EVERY other device/component could be rendered unusable by this proposal.

        Do you really want to make it impossible to geotag photos because
        1) Camera access was switched off
        2) GPS was switched off.

        Either the app crashes or (if given fake data) it behaves unpredictably and can no longer be relied upon.

        Better if the app can be defined with Camera as mandatory and GPS as optional. Then you as a user can choose whether to install it (with Camera permission) and whether to allow GPS. And the developer knows to check for GPS permission before using it.

  • William

    He he, I wish I could claim ownership.

    But its been discussed on and off on the developer lists for the longest time.

  • http://forum.xda-developers.com/showthread.php?p=12161601#post12161601 Plamen

    Hi, I am the author of the patch. And my initial intent was to make a pop-up dialogue that will ask the user what to do.
    But this proved quite hard so I made the current patch to see if there is interest in such a feature. I've submitted it to CM because the mod I've started proved to be too time consuming for 1 person to actually support for multiple devices.

    My future plans are:
    1. to make it configurable so permissions can be revoked by default at install time i.e. INTERNET.
    2. to make a pop-up that asks the user.

    Even if CM rejects the patch I will still be providing builds of my mod http://forum.xda-developers.com/showthread.php?p=12161601#post12161601 at least for some devices. I hope there will be enough interested people to create a modes community.

    • William

      Plamen, kudos for the patch.

      I just don't think in its current form it is a good idea.

      The intention is good. I don't want apps to have unauthorized access to some parts of my system either. My solution is to not install apps that access certain areas unless they provide a compelling reason to do so.

      But allowing the user to remove access to all permissions of an app means that developers have very little scope over what to offer and are left uncertain over what parts of their app will fail at runtime.

      If this mod does get wide spread usage in its current form then I expect many apps to start explicitly checking for a list of mandatory permissions and halting if they are not found.

      • http://forum.xda-developers.com/showthread.php?p=12161601# Plamen

        It is actually up to the user to allow an application to do something, not to the developer.
        The developer may request access but the user has the final say. This patch gives the power back to the user.

        With the current patch, if the application self-checks for permissions (AdMob code does) it will appear that it has all it has requested.

        The above is why I know that AdMob tries to read your contacts.

        • William

          But what you are advocating is that an application would need to check permissions for every act that it does, AND (and this is the problem) be able to have a valid fallback position if that permission has been vetoed.

          For most apps that is an impossible scenario. What is the fallback for my app whose sole purpose is to retrieve the latest football scores from the net? A blank screen?

          As I mentioned above, this mod would result in a lot of apps just checking their mandatory permissions and bailing on startup if they are not available. So in effect you would get my mandatory/optional solution proposed above. It would just occur under the covers.

          Lock down is fine.
          But it needs to be tempered with realism.

        • http://forum.xda-developers.com/showthread.php?p=12161601#post12161601 Plamen

          Well let me see...
          1. I've downloaded an app that shows the latest sports scores. Am I stupid enough to revoke its access to the Internet, since the only thing it does is download stuff from the Internet? Sure I am not.

          2. I've downloaded an application that makes my wallpaper move. Am I stupid enough to allow it access to the Internet and my contacts? Sure I am not.

          So you have to trust your users that they know what they are doing.

          And just to clarify, trying to create Sockets for example without INTERNET permission is equivalent to trying to access the Internet without an active connection. So your application HAS to handle that anyway.

        • William

          As I said, we need to inject a bit of reality into this discussion. Of course users are going to switch off permissions that are required by the app. This mod will give them the power to, so they will do it.

          The mod provides no way for the developer to indicate which permissions are mandatory and which are optional, so users will believe they are justified in switching any/all of them off.

          Better switch off that nasty internet permission, I might get Ads !!!! There go the footy scores.

          "trying to create Sockets for example without INTERNET permission is equivalent of trying to access internet without active connection"

          FALSE: One returns a HttpResult of 404 (expected behaviour), one force closes because a RuntimeException is thrown due to permission failure.

          There are 114 permissions as of API 11 (Honeycomb). Some are relatively innocuous such as android.permission.VIBRATE, but this mod would mean that developers will need to assume that the foundations of the OS could be pulled on them at any time.

          It would
          1) cause existing apps to fail
          2) dramatically increase the cost of development

          As an idea it's a good start. But in its current form it is unworkable.

        • http://forum.xda-developers.com/showthread.php?p=12161601#post12161601 Plamen

          Hmm why do you imply that anyone will expect the developers to actually care about that (except for the ad networks which will make anything possible to detect the mod and fail only for that reason).

          As a user I will expect the application to stop working at least some parts of it if I revoke its permissions.

          And to return to the INTERNET permission, this is the exception thrown when the app has it revoked:

          java.net.UnknownHostException: example.com
          at java.net.InetAddress.lookupHostByName(InetAddress.java:506)
          at java.net.InetAddress.getAllByNameImpl(InetAddress.java:294)
          at java.net.InetAddress.getAllByName(InetAddress.java:256)
          at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:136)
          at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
          at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
          at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:359)
          at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
          at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487

          So you should handle that anyway :)

    • Andrew

      As both a developer and an end-user, I think this is a great idea. I can think of several great apps (based on reviews) that I haven't installed because they wanted access to permissions irrelevant to their function. For all the developers who want to control every factor in the end-user environment, go write for iOS, I hear the garden is pretty.

  • Deon

    This is a great idea! Sometimes seemingly simple, but nice, apps seem to want TOO much information from my phone. But my choice is to not use the program, which generally sucks. Think of this like a firewall for programs. Limiting what they can and can't get from my phone. I do see the problem of it making programs crash because the 'game program' fully expected to be able to read in all my 'personal contacts', but emulating or faking the data seems to be a good fix. Just feed it a fake list of contacts and such. Program doesn't know the difference, my personal contacts are safe. There's all kinds of invasive information seemingly simple programs need that I don't want to give, why not be able to fake that information. Think of it as isolating the program in a chroot jail. I also agree that most developers and such don't pay attention to CM, only official ROMs, so this little feature of CM7.1 would mostly go unopposed. This will rock!

  • name name

    As it's been stated before, this gives the user the control that should have been there in the first place. If a user breaks functionality, it is the user's problem. Enough with this dumbing down of everything. The app developers need to stop asking for far too many permissions. This is not paranoia, this is healthy critical thinking, especially in this day and age when everyone seems to want to get as much of your private info as possible. To continue with the Barcode Scanner example, if I'm not mistaken, their reason for wanting access to the system log (or some such) is that "it can be useful for us". Well, I want the option to decide that this isn't convincing enough for me. I have no interest in seeing ads at all. There are plenty of people who develop open source, free software without ads, or non-free software without weird behaviour so I'm not concerned about that.

  • Daniel

    There ARE *DEFINITELY* TOO MANY apps requiring TOO many rights!

    I will NEVER install any app requiring the right to send SMS/MMS or make calls.

    I don't understand why the latest Angry Birds update now needs to know my phone number and whom I am connected to as well as my location. It worked fine without that, before.

    Google should REALLY enhance the Android system with

    a) a global rights restriction setup function (personally I would totally disallow sending of SMS/MMS and making calls for any app other than the dialer and messaging app shipped with the phone)

    and b) introduce a 3-level warning system, where "green" means: app doesn't want dangerous rights (e.g. just wants to load ads), yellow: app wants medium rights, and red: app wants rights that are unacceptable in 99% of the cases (as said: sending messages or making calls, access to the phone book)

  • mike

    What the app developer will do then is to check that it (the app) has these privileges. If not, the program will not run.

    I totally can see the need for the user (who doesn't see the point of an app wanting to send SMS / read contacts etc. unless it's an SMS app). There is malware out there, we must not kid ourselves.
    But I totally understand that developers will feel robbed if their revenue is decreasing.
    (That's the only valid objection I could find.) Catching errors is one of the most important programming tasks I can think of (others may not concur).

    There are many applications that I want to use but simply do not, because I feel that if the app asks for many permissions it's not doing what I think it should be doing.

  • charles

    I lay the following scenario at the feet of those who think this is a bad idea.

    The company I work for has finally decided to give us resources on our phone such as email and calendar, which is great. The only problem is that along with that, the app also gives anyone with permissions access to view all the files I have on my phone, where I currently am with the GPS, and what apps I currently have on my phone; they can also blacklist apps to prevent me from downloading them and remotely wipe my phone.

    Now I don't know about you but to me that seems like complete overkill for an app to get hold of my email and calendar.

    I understand what the developers are saying, that it will probably cause a large number of issues since users will start disabling functions that are required by apps, but I do think that the question needs to be asked: just how much information does an app need to perform its function? I know this will be considerably harder, but perhaps instead of the mod just disabling access to the functions themselves, it should disable where that information can be sent. After all, who cares if an app takes your GPS information if it can't then send it anywhere.