The latest version of the Play Store hit the scene a little over a week ago and introduced a tweak to the way permissions are displayed at install time, and it left some people feeling a little...uncertain. Gone is the ugly wall of poorly spaced, semi-specific permissions. The replacement is a short set of simplified categories, each with crisp-looking icons and buttons that reveal a brief description when tapped. Google filtered through roughly 145 permissions and narrowed them down to a dozen groups, plus one bucket for anything that remains. The list can be found here.


Left: old Play Store. Middle and Right: new Play Store

It's safe to assume Google discarded the old interface to make the install process a bit less distracting and more comfortable. After all, a granular list of specific technologies, sensors, and communication methods could be a bit daunting to the non-tech savvy people that make up the majority of Android's user base. For users that still want to see the previous version of the permissions list, it's still available at the bottom of the app page, accessible through a link titled "View details." A similar display is also present on the web store.

The Catch

Unfortunately, this relatively simple revision has introduced a few potential security and privacy issues. The first concern is one of simply hiding more serious permissions in innocently named groups. For example, the rights to reroute outgoing calls and modify the call history log are found in the "Phone" category.

The real problem becomes visible with app updates through the Play Store. When new permissions are added, there are no outwardly visible signs that anything has changed so long as no new categories are added. For example, an app that had already been authorized to read the call log can add permissions to make calls without intervention, and there will be no warning when it comes time to download the update. In the past, app updates clearly identified new permissions and prompted users to authorize each update before it could be downloaded.

Note: Installing or updating apps using an apk on the device (or another app store) will still display the standard permissions screen, which displays the full list without modifications.

2014-06-10 20.02.002014-06-10 19.58.172014-06-10 19.58.28

Left: Play Store update with new categories. Center and Right: Updating locally from an apk.

Another aspect of this situation to be worried about is the 'Other' category. All permissions that don't fit within the 12 regular groups are dropped into this bucket. This can include some perfectly common and innocuous items like running at startup and preventing the phone from sleeping. However, it also includes more powerful features like drawing on top of other apps, reading and writing web bookmarks, and accessing Bluetooth and NFC. Most -if not all- of the permissions in this group won't even trigger the Other category to appear during installation, giving the appearance that an app has virtually no access.

3rd-Party App Permissions And Root

3rd-party apps can create their own custom permissions, and those are bundled into the Other category as well. Fortunately, these specialized permissions will always activate this listing, but it's not clear if they will always flag users for manual confirmation if the group is already present. One of the most important examples of this is ACCESS_SUPERUSER, the permission used to communicate with SU managers like Chainfire's SuperSU and Koush's Superuser. At this time, the only text reflecting this permission simply reads, "full permissions to all device features and storage." (Note: These descriptions are provided by whichever superuser app is installed on a device. That text is currently identical for both apps.) Of course, Root managers generally prompt users before acting on a request for root, but the entire point of the permission was to make root apps more visible in the Play Store.

2014-06-10 06.45.102014-06-10 20.07.10

Left: SetCPU with the barely visible root permission. Right: Twitter app with its own permission (both are on the second line).

Combining fairly non-threatening group names and with a lack of transparency could make it easy for less honorable app developers to take advantage of unsuspecting users. The Play Store is effectively burying some very powerful features where users aren't likely to notice them. As many people have been pointing out, something as generic as a flashlight app with access to the camera (required to turn on the LED flash) can be quietly updated with new permissions and code to record video and audio without notifying the user, then they can send anything collected over the Internet. While examples like this may sound alarmist, we can probably expect this behavior eventually.

Why Make This Change?

Allow me to play devil's advocate for a moment. These changes aren't exactly great for users that keep a watchful eye for new permissions. But how many people actually read the permissions when they install an app? When presented with a sizeable scrolling list, filled with vague phrasing and unfamiliar terms, most people tap through the dialog without giving it a thought. If users already don't know what they've agreed to, it hardly matters when similar permissions are added. I can already hear the groans, and I know you're dying to jump straight to the comments to tell me how I'm wrong — but trust me, I'm right.

It's not that people shouldn't know what they are allowing apps to do, but most of them simply aren't qualified to understand it, or they just don't care. Google is slowly adding policies and banning apps that are indisputably bad, but only so much can be achieved without directly curating the Play Store like Apple, Microsoft, and Blackberry have done.

In an ideal scenario, this will ultimately end with an overhaul of the Android permission system, which has scaled admirably with the changing demands of the market, but there are certainly areas for improvement. We're more likely to see further refinements to this interface, possibly with some hints when higher-risk permissions are added to the list.

Whatever the case, it would be wise to keep a closer eye on updates and abnormal behavior of your installed apps, at least those that aren't from highly trusted sources.

Source: Google

Special thanks to iamtubeman.

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • http://www.williamint.com William Aleman

    For this I still prefer the iOS way of things. You download the app, and when you use the function that needs access to your contacts it ask you if you give access to the app.

    • Imparus

      Yeah I really hope Google start to to rethink their approach, it is quite outdated and doesn't protect the common user well :-/

      • a

        And seeing that Google made this change 3 weeks away from Google IO I can see they've locked the direction they're heading in, which is not good at all.

        • RebekkahBooseyesu

          parents in-law recently purchased an almost new yellow Audi Q5 SUV only from
          working part time off a laptop... pop over here C­a­s­h­d­u­t­i­e­s­.­C­O­M­

    • joeljfischer

      Exactly, this way you aren't presented with a wall of text, agree without thinking, and suddenly you're screwed. Piecemeal permission breaks that flow up a bit and makes the user make a conscious decision to allow something. Really hope there's a permission overhaul in the works.

    • MKx

      Even my old Nokia S40 had permission system that allowed this. You could set it up so you get asked every time the app request access.

    • darkdude1

      Wasn't this what appops allowed you to change? I'd love to see a similar thing in the next version of Android.

    • shonangreg

      Agreed. I first noticed this a few weeks ago when showing a friend how to send her location through Viber (like LINE) on her iPhone. At first use, it asked if she wanted the app to be able to share her location. "Genius!", I thought.

      Not only did she know when, exactly, an app was trying to do this, but she was also apparently able to use the app with that "feature" disabled.

      This is far better than the "click-and-forget" system on android. Most android users pay no attention, and then we never know when the permissions are be called upon.

      • Wes

        To be fair most iOS users probably just click yes and move on without reading any of it anyway.

        We have to remember that the average user doesn't read anything that has a Okay, next, yes or cancel button, they just click whatever takes them to where they need to be, regardless of OS.

    • Russ Brown

      I don't see why they can't have a hybrid approach. Allow the developer to declare certain permissions as being optional, and prompt the user to confirm the first time the permission is requested at runtime. Certain things will be essential for the app to run, and in those cases it makes sense to obtain permission up front, rather than ask the user explicitly for each required permission.

      One advantage of that is that if they're clever, they can implement it in a way that is backwards compatible. Just add an attribute to the uses-permission element in the manifest that identifies it as being optional. Previous versions of android would just treat it as an up-front permission, which is no worse than the current situation. Newer versions wouldn't mention those permissions until the app actually tries to use them.

    • impulse101

      Agreed, i also prefer communism over democracy as well. I want as little choice as possible.

    • alex0000000001

      Sounds tedious. Can you turn it off?

  • http://www.androidpolice.com/ Artem Russakovskii

    My tl;dr, which is basically the stuff I jotted down for our internal TODO tracker.

    OK, I finally understand what's going on.

    https://support.google.com/googleplay/answer/6014972 explains it all.

    This does seem pretty bad because the Play Store until the new permissions were added in http://www.androidpolice.com/2014/06/01/google-rolling-out-play-store-v4-8-19-with-paypal-support-simplified-app-permissions-bigger-buttons-and-more-apk-download/#simplified-permission-lists would prompt to auto-update any apps adding any single permission.

    1. That's no longer the case. Permissions are now grouped into groups. The problem is if you install an app with, say, only one innocent permission from group SMS (like Read SMS), and then the app is updated with more permissions from the same group (like send SMS), the Play Store will no longer tell you this and will just apply the auto-update as if no new permission was added.

    2. The install/update prompt that has simplified permissions now doesn't even display the exact permissions when expanding such permissions in the list. Literally, you will have no idea what exact permissions are getting added.

    3. If you sideload an APK with new permissions, you will be correctly presented with a list of all new itemized permissions, like the Redditor screenshotted here http://imgur.com/a/we8yJ. So the issue is only with the simplified permissions that the Play Store itself now uses.

    4. Additionally, some permissions are no longer reported in the user-facing update/install popup at all. Like the "full network access" permission. This full itemized list is still available by clicking View permissions at the bottom of the listing ( or http://www.androidpolice.com/2014/06/02/google-adds-a-view-permissions-link-to-the-web-play-store/ on the web, the addition of which now makes complete sense).

    • jj14x

      tl;dr - if you really want to review the permissions, sideload the apks (or review permissions on the website and then install). Got it!

      • abqnm

        Actually it is more along the lines of just always scroll to the bottom of the Play Store listing and view the permissions. Here it will still identify any new permissions, whereas if you view them from the update box, they are only listed the first time you install or if any new permissions are added, and it doesn't notify you which ones are new. Otherwise it just says no new permissions are needed and installs.

    • abqnm

      I am not entirely in agreement with #1. For the last two weeks, I have updated many apps that have only added one permission in a group it has already received permission for and when I update, it shows me all the groups again, telling me at the top new permissions were added. It doesn't actually highlight what is new unless you go to the list at the bottom of the page, but it does show that something changed and it lists the category permissions requested. I was actually expecting it to work like you describe, but that hasn't been my experience. It was actually annoying me because I kept getting apps with new permissions and it just listed the whole list again, rather than just the new permission like it used to.

      To fix, they could simply add back the "New" tag to any category that has new permissions, like they did with the full permissions list before. And they should put the link for the full permissions in this dialog as well whenever there are changed or new permissions.

      I don't have any apps with pending updates and new permissions, but next time I do, I will take a screenshot.

  • Michael

    New AP logo again...

  • ololol!!1

    Google has to learn a lot from iOS in this aspect. XPrivacy ftw!!!

    • b9876

      How? The barrage of modal dialog boxes, when you run newly installed app? That's surely user's friendly! /s

      • InfiniteLast

        It seems to be user friendly because iOS is constantly called out as a really user friendly OS. So idk what point you were trying to make, it fell flat.

        • impulse101

          Victim of marketing.

  • randompsychology

    I'm fine with the simplification, but they at least need to flag which group contains the changed permissions so the interested can go take a peek before approving or rejecting.

    • http://www.androidpolice.com/ Artem Russakovskii

      That's the whole point - doing that would be the old, proven, and safer way of doing things. Simplified groups aren't the problem - not getting a manual approval popup before auto-updating and not flagging groups with new permissions is.

      • abqnm

        You do get an approval pop-up. It tells you permissions have changed and then just lists the whole list of simplified permission categories. It doesn't highlight the new permissions, but it does at least tell you there are new permissions. On the contrary, if permissions don't change, it just tells you that and doesn't display the permissions again and skips the confirmation if batch updating.

  • Woodrowe Bones

    Why is Google catering to the users who dont read the permissions and just tap through the dialog? Is it that big of an inconvenience that now the users who DO use that list should lose that feature? It makes no sense. At the VERY least make it an option in the settings to "Always display updated permissions" or something similar

    • Barnassey

      Google is slowly but surely moving away from being dev friendly to consumer friendly. its been going on for a while.

    • Sir_Brizz

      They are catering to making the permissions easier to understand. The old permissions were ideal for power users, but an average users wouldn't understand most of them so skipping was easy. At least now they know what functions of their phone an app might utilize.

      • Woodrowe Bones

        This doesnt make them any simpler.... they still show the same way when you initially install the app. But now the dev can update the app to add more permissions without the user knowing or seeing any prompts. It still doesnt make sense to cater to the user who doesnt understand... they can just continue to not know what they mean and those who do can use the feature as it was intended

        • Sir_Brizz

          No they don't. When you install an app from Google Play, you see a set of simplified permissions. When you get an update, you see a set of simplified permissions. When you accept to install the app, you are basically saying it can have free reign in whatever permission groups you gave it access to.

          When you install an app manually, you see the complex permissions. When you update an app manually, you see the complex permissions.

          • Woodrowe Bones

            We are arguing the same thing. Google introduced the simplified permissions thing but it would still let you know if an update wanted more permissions. Now if its in the same group it wont let you know at all. So now if an app requests "Read Contacts" but mentions nothing about Calendar the dev can later update the app to access the calendar without the user getting any kind of prompt

            EDIT: http://www.reddit.com/r/Android/comments/27n7yr/what_latest_changes_to_play_store_app_means_for/

            That sums it up. Hey I installed Talking Ben for my kid because it didnt have any permissions that were concerning to me.... then the dev updates it and it can format my filesystem?

          • Sir_Brizz

            The point is, for better or worse, there is no such thing as a "Read Contacts" permission on the Play Store anymore. I'm not really commenting on whether or not the permission groups are better because I can see how that /r guy was making sense. But this article and that post are claiming that you can request a permission and then secretly request another permission *and that is completely incorrect*. You technically can't request an innocuous permission like Read Contacts without making people approve much worse permissions for your app. For better or worse.

            As an end user, all you know is that you gave permission for both things to an app. App developers should be more careful about the permissions they request.

          • abqnm

            Not true. With the new system, if ANY new permissions are added, you are notified with a pop-up telling you the permissions have changed. It just doesn't identify in this dialog what was added. It just lists the whole list of simplified permissions that it uses. If you update an app with no new permissions, the box just says "This app requires no new permissions" just like it used to.

            So all that has really changed is that instead of telling you specifically what is new, it just tells you something is new and then lists all the categories.

          • Woodrowe Bones

            Check the reddit link... No prompt

          • abqnm

            That's funny... I have had this play store version for a few weeks and I was being driven nuts by certain apps telling me that new permissions were added, but it not telling me which ones unless I backed out and went to the details at the bottom. I will admit it was frustrating because I kept getting the confirmation prompts but I couldn't figure out why, since there were no indicators showing what was added. I was expecting to see the "new" tag on at least one of the categories, but no dice. Still though, it has asked me for confirmation every time something was added, though as I said, it just doesn't say what was added.

          • Woodrowe Bones

            The thing is if you were to install that app initially and it was requesting those permissions they would be listed in their specified group. So you would see that it is requesting permissions to format your filesystem. So if User A installed the app a long time ago they wont see any permissions updates even though they've changed but if User B now tries to install the app for the first time they will see the changed permissions. That is the problem. Previously (even with the groups I believe) if an app tried to use a new permission in the same group you would get a prompt when you update

          • Sir_Brizz

            The simple permissions don't tell you which specific permissions were requested, though. They tell you what permissions can be taken because of approving that group.

            Ever since the permission groups have been added, you can request a group and use any permission in that group without the user ever being prompted to approve it. Because they already did.

  • Sir_Brizz

    Guh... do we have to latch on to dumb things like this? The headline is too sensationalist.

    First of all, in iOS you can't even see all of the permissions an app might use, only the ones you can control. That is not a good thing for iOS, these simplified permissions are still better than that.

    Second, you can't "secretly" request new permissions. When you request a permission from the group, you are given access to that group. Where you have a case is that the category titles may seem innocent where the app can actually do quite a bit more. The "root" one in particular is kind of misleading, but Google doesn't really have a way to say "this one is dangerous so be careful". Maybe they should, but that is a different article with a different headline.

    • Bob

      So if requesting a permission from a group essentially gives access to the entire group, why have the sub-permissions within the group at all?

      Or even with the sub-permissions, let's look at an example: the official Twitter app.
      The requested permissions include read your contacts (so now read, delete, add, edit your contacts and calendar items), read text messages (so now also add, edit or delete text messages), read phone status and identity (your phone number, who you called, who called you), and of course the 'other' group. All this in any context.

      The iOS approach of not showing permissions an app might use is (I agree) not a good way of doing it. To be fair, because the Apple store is very tightly curated this is probably less of a problem than the free-for-all that is Google Play, but I still find it silly. However, there are advantages to asking for user confirmation on first use. It specifically contextualises the use of the permission, and also means that if the permission is being used out-of-context then the user is aware. If I click 'find my friends' in Twitter and it then asks to use my contacts then sure, that makes sense. If I haven't even set up my twitter account yet and it is trawling my photos and location then I'd be a bit more perturbed - except that with Android I'll never know.

      • Sir_Brizz

        I honestly don't disagree that this is probably a bad move in general, or at least it still needs further refining before it is good. However, articles like this are making it seem worse than it really is. Like apps are magically and secretly stealing information that you never gave them access to (you actually did).

    • taligent

      You've never actually used an iOS device before have you ?

      On iOS it is very normal to simply click "no" when an app asks for access to your Contacts or Photos. Nothing breaks. App continues as normal. And having the popup appear immediately when the app needs it makes it easy to understand what and why is happening. So you're never surprised.

      What Google has done is shockingly bad.

      • Sir_Brizz

        I have a bunch of iOS devices in my house.

        iOS only tells you the permissions that you have control over. Or do you really think that apps can't see what the state of the phone is, for example? The permissions system on Android is WAY more granular. Permissions on iOS are more like these categories.

        I'm not saying this is good or bad, what I'm saying is that these stories are oversensationalizing the issue. If you're going to claim they have done something wrong, at least use correct information to say it is a bad decision instead of fear-mongering.

  • usaff22

    Really want the AP app and redesign!

  • Jason Bourne

    The app "Agent" added a new "Reroutes Outgoing Phone Calls" permission a few weeks ago... after the update, no mention of the phone rerouting. When I call Iran, I don't wanna get rerouted to Ghana. Come on!!

  • Argh

    Google has been catering to the retarded users with big and pretty and useless picture based interfaces for too long. Let's steal iOS users and piss off those who made Android big in the first place, sure.

  • aouniat

    Some apps request permissions that aren't used. I don't understand why. Anyway, CM11 does have a feature which notifies users in case an app is requesting to access location or stuff like that. It's disabled by default I guess.

  • Amarus Kh

    I've read about that on XDA earlier today:

    I think it's about time I start looking at XPrivacy and/or alternatives...

  • Zargh

    "However, it also includes more powerful features like drawing on top of other apps, read and write to web bookmarks"

    Web bookmarks is in "Device & App History".

    I think the problem with the "secretly adding permissions within a group" argument is that its not really secret if the user was prompted with and agreed to the worst case scenario.

    If you give permission to the "Contacts/Calendar" permission group, but the app is only *really* using Contacts, but then begins writing to the Calendar in an update, can you really call it a breach?

    The iconography and the way permissions groups are worded are a much closer match to the way people naturally think (Object orientated). The extra detail of the old system is helpful for power users, but was less secure overall for normal users as how can you heed a warning you don't even understand?

    What this really needs to be paired with his optional/runtime permissions, and they've been working that into AOSP piecemeal since 4.1:




    • Sir_Brizz

      Exactly right.

    • Bob

      If users can't be trusted to understand the full list of permissions, then how can they possibly be trusted to work out from the 'group' list what the worse case scenario is given that list of groups? They can't see the exhaustive list of possible permissions under the groups at install-time, only the ones that are requested. Unless they are referencing a complete list externally (i.e. not in play store) then they can't assess worst case scenario.

      (Note: I 100% agree with you that the solution is actually a combination of optional and runtime permissions)

      • kashtrey

        You don't necessarily need the worst case spelled out for you, when it says phone you automatically think "oh it can use all the features of the phone app (placing calls, receiving calls etc)." The wall of text was way too much and it wasn't ordered in any severity.

        But agreed, app specific permissions ala iOS would be good. Wasn't there a beta feature that allowed for granular permission control? I'd somewhat suspect that Google is allowing the front end (installation) to be less burdensome, (hopefully) adding runtime permissions, and putting that beta feature back into settings to adjust app specific features.

  • Smashley

    I went to find this "Twitter Soccer Edition" and noticed that the official Twitter app ("soccer" or otherwise) is currently MIA from the Play Store. Weird.

    • Smashley

      Aaaaand it's back. Nevermind :P

  • Toboe

    "Reroute Outgoing Phone Calls"
    Not gonna make a NSA joke... Not gonna make a NSA joke...

  • rp142

    The most effective way to complain? Maybe, rate every app you download or have already download 1 star, with a simple message along the lines of "Hidden permissions.". No fair on devs at all but it helps to get them on side. It is no surprise that Google isn't on the side of user privacy and security when there own apps are intended to mine their users...

    • Imparus

      That is a terrible advise, why the hell not recommend user to send a complain mail to Google instead? And you are also lying since you can see the permissions, there are a detailed list at the end of the description of the app in the play app.

  • https://play.google.com/store/apps/developer?id=iWizard Bikram Agarwal

    "Installing or updating apps using an apk on the device (or another app store) will still display the standard permissions screen, which displays the full list without modifications."

    You just gave Google an idea. Simplified app permissions during apk sideloading in Android 4.5 / 5.0.

    Don't think that can happen? In 4.4.2, they removed showing app version during apk sideloading. Before that, it used to show "current installed" version number and "being installed" version number.

  • http://www.bordersweather.co.uk/ Andy J

    I prefer to believe it is an error in the new Play Store that Google have missed, and it SHOULD be telling users about ALL new permissions that are being requested. Lets face it - it's not the first time they have made a right bollocks up of a an update.

    • Imparus

      Not really, this is how they intended it. An example would be giving access to the calender, when you do that you accept a group called calender and contacts, so they inform you of the worst case, so if the app suddenly start to use contacts you would already have thought it did that before, because that was what the group said it might be using.

  • http://www.gundamaustralia.com/ cameron charles

    besides the fact it relax's the security aspect of permissions, which is bad, this really wont change much besides giving us a far better looking UI, theres 3 basic types of people out there, the power users who will know everything about the app before hand anyway or have 7 different root apps to fence it in, the complete opposite idiot user who wont read a dam thing and just blindly install all the things and then the one in the middle who for a flash light app will question its need for the "phone" category and look into it more, even if that just involves tapping the arrow there for more info.

    Theres no real need to spell it out every single time (in an ugly fashion), and there is certainly no reason to have the app ask my permission to access things on a per permission basis during runtime ala iOS as a few people are saying, just make it so it asks you to confirm the changes even within a category and it will be fine, you can do that right AP? you control these things, haha.

  • Matthew Fry

    Personally, I don't look at the permissions unless I see AP commenters or reviewers calling them into question. I appreciate everyone else being on the ball so I don't have to be.

  • http://www.LOVEanon.org/ Michael Oghia (Ogie)

    What's the secret!?

  • Tiuri Elvander

    @cody If users don't care displaying the more detailed permission wouldn't make a difference, they'd accept them anyway.
    When the orignal apk of this version of the play store was posted, I already complained that it no longer displayed which permissions were new when updating an app.

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      Just because a majority of users ignore permissions, it doesn't mean everybody does. For example, most of the AP writers install a few apps each week, and many of them come from brand new companies or indie developers. Clearly, we've got a reason to be a bit more watchful. The same is (or should be) true of people that work in a field where any reasonably sensitive information could land on their phone or tablet.

      • Tiuri Elvander

        What I meant was that Google should continue displaying and highlighting new permissions so people like you and me can check what we permit before installing/updating. This step would not bother the majority, to them it makes no difference whether they accept detailed or simplified permissions. As I said, they'd accept them anyway. However, those who want, could still check the detailed and new permissions and then decide whether to continue.

  • Onyxbits

    And that's why I'm currently working on Raccoon - A desktop client for Google Play with privacy and control in mind.

  • Björn Lundén

    The issue with the Superuser permission is that the dialog used to show the name of the permission too. Now it only shows the description so you miss out on the very important "Superuser" title.

  • jammer

    All I can say is: "Cyanogenmod Privacy Guard"

  • Privacy Not Dead

    You didn't mention the most serious problem, a potentially harmful permission such as INTERNET (full network access) is simply hidden from the users!
    Google states that we do not need to know that the apps already accessing our contacts can also send them to the Internet.
    Maybe it's time to drop Google Play and to use Safe Play instead.