Google's initiative to put privacy and security back into the hands of users through a revised permission system has received generally positive responses. It's no secret that this approach closely matches the way iOS prompts users for access to things like the contacts or location. Aside from the possibility that permission requests could become annoying with too much frequency, this has proven to be a pretty effective approach. However, since the announcement, one sticking point seems to have emerged around access to the Internet. As it turns out, users will never be asked to grant access to the outside world, and it's not even possible to revoke it, even if they wanted to.

The question was brought up in the session on Android M Permissions at Google I/O 2015, during the Q&A portion of the talk. An attendee confirmed that there was no permission group for Internet, and went on to ask if absolutely any app could have access to the Internet. The session speaker, Ben Poiesz, gave affirmative responses to both questions and explained that the logic for this decision was based around the idea that if all of a user's data is protected by default, there's very little reason to be concerned that an app can communicate with the outside world.

The video below is cued up to this specific exchange.

The Facts

Before anybody jumps to conclusions, it's important to understand exactly what is going on. The brief discussion shown in the video is potentially vague, depending on interpretation, it might seem like there are some discrepancies. Let's get those cleared up right away.

Screenshot_20150605-164541To begin with, we need to know what's new. Android M introduces a system that bundles existing permissions into groups. When an application runs on M (and supports the new system), it must issue a request to the operating system for a specific permission, at which point, users are prompted to allow access to whatever group contains that permission. The current list of groups includes: Calendar, Camera, Contacts, Location, Microphone, Phone, Sensors, and SMS.

As for the specific android.permission.INTERNET permission, it is still mandatory for apps that will access the Internet. If a developer were to publish an app without defining it in the Android manifest, an exception will be thrown the first time a connection attempt is made, and the app will possibly crash. This is no different than before.

The heart of the issue is that the Internet permission doesn't belong to any of the aforementioned groups, meaning users will never be prompted to grant access to it for individual apps. A look around in Settings reveals that there's no method to actually revoke access to the Internet.

The developer documentation for the M preview sheds a little light on this by explaining that some permissions are automatically granted at install time and will never require authorization from the user. This is an allowance made for permissions with a 'normal' protection level. Here is the specific passage:

Limited Permissions Granted at Install Time: When the user installs or updates the app, the system grants the app all permissions that the app requests that fall under PROTECTION_NORMAL. For example, alarm clock and internet permissions fall under PROTECTION_NORMAL, so they are automatically granted at install time.

This seems fairly reasonable since most of the permissions worthy of interrupting a user's workflow are marked as 'dangerous.' The oddity here is that the Internet permission has always been classified as dangerous. At least, that has been true up through the latest release of Lollipop. The logical assertion must be that Internet will be officially downgraded for Android M.

Considerations

Google's logic is that if an app only has permission to use the Internet, it is inherently safe until it has permission to access other pieces of data. On the surface, this makes a lot of sense. Aside from an IP address and a few basic details about the device, there's really very little an app can get without a user's consent. It's not that there aren't some ways to exploit that information, but the opportunity to collect valuable and personally identifiable data just isn't there. At least, this is the simple explanation we have to go by.

What if we really need another permission?

A reasonable counter-argument presents itself when users want to open the gate on some information, but don't want to place trust in a developer not to send that data back to a server. For example, imagine an app that manages your address book. Access to the Contacts group is obviously necessary, but it would be much easier to trust this app if it were possible to revoke the Internet permission before turning over the names, numbers, and addresses of your friends.

While this seems like an obvious case for locking down connectivity, there is a catch. Android already provides a simple workaround for such restrictions with the Intent system. A developer need only launch a web browser and point it to a custom URL containing your private information.

Wouldn't it be annoying?

Almost every app seems to require access to the Internet for something. If setting up a phone or tablet meant hitting 'allow' for 40+ apps, it would become an insanely common occurrence. For those who used Windows Vista when it first launched, you must remember how awful the UAC (User Account Control) prompts were. Google's developers have made it clear that the new approach to permissions is a balancing act where they want the dialog to be shown to users only as often as is necessary, and never more often than that.

On the other hand, there might be space to allow a permission to be granted up-front, with an option to revoke it after installation. This would maintain the same basic flow while still allowing users more control over their data usage. But this introduces one huge problem...

Should users actually be able to cut off data?

Let's set aside the tired arguments about users getting confused and turning off data to important apps by mistake. Sure, it'll happen, but not regularly. We can be honest and call attention to the thing many people would actually use a revocable Internet permission to prevent: Ads.

...it's not even possible to revoke Internet access, even if we want to.

It's the truth. Internet access is necessary for downloading ads. An overwhelming number of free apps on the Play Store only rely on data so they can download and display advertising. Users may not like it, but ads support a hefty percentage of the apps available for Android. If everybody were allowed to flip a switch and shut off Internet access, ad-supported apps would lose their single method of monetization. It would destroy countless developers. In the process of blocking ads, users would also unknowingly disable other useful things like crash reporting and usage metrics that are important parts of improving apps.

Of course, many people might read this and assume Google kept the Internet permission perpetually enabled to protect its own interests. In reality, AdWords content can always travel through Play services, effectively making Google the single company that could always be immune to restrictions. Surely, this would have brought about tons of scrutiny, but it's worth noting that without this permission, all of Google's competitors remain on roughly equal footing.

Are there still ways to exploit Internet?

Just because an app can't get at your personal information, it doesn't mean that there aren't other ways to take advantage of a networked device. Without going into too much depth on this subject, it's not hard to imagine hackers that use a handful of compromised smartphones as their own private network of proxy servers. Taken to a more extreme side, a developer could create a botnet useful for attacking prime targets.

Of course, these are overly elaborate examples, and they were already possible before Google added an extra layer of security in Android M, so we shouldn't get too worked up over things that have not changed. If things like this are a serious concern, the questions should probably center around the judgement of users and how any significant group would come to download and keep these malicious apps.

Conclusion

The new Permission system in Android M isn't exactly solving all of the world's security problems, but it does offer new opportunities for a safer and more privacy-aware environment. There will be some growing pains, and we may still see some revisions to the way permission groups are organized and presented. It's clear just from the rest of the Q&A section of the above video that Google's engineers aren't even close to considering this system finished.

It's still possible that a method for revoking Internet permissions will arise in the future. A more desirable approach may center around setting soft limits or otherwise preventing excessive use. Of course, we're just looking at stock Android. If users feel that they need to be able to shut off connectivity for an app, many custom ROMs and mods will surely step up to fill that space. We've seen groups like Cyanogen bring back and extend App Ops, and it's likely we'll see the results of this in one form or another.