
I never understood why the permissions are so generic. When I see what permissions apps require, I shiver. It would be much better if it just demanded that the developers describe what they need the permissions for. What would be even better is that I could choose to enable some permissions on a case-by-case basis. That way I'd feel more secure and less frightened.

Android has some big app security issues to address, and they just... seem to be moving in the opposite direction. I've seen this update and it simply doesn't make sense to me. It didn't make the permissions more clear, it made me more scared of what might be hiding underneath all that.

I don't remember ever stopping an app installation when I saw suspicious permissions—I just assumed they were used for something, and I guess that's what 90% of the people would do. It would make all of them more secure if they could choose a small "ask me every time" option next to permissions that don't seem quite right, but may be legit.

Or overhaul the whole API. It's really a mess at times. Not just security. I have a beef with the horrible ways to address ridiculous hardware and software fragmentation, right from the ways you specify design and looks to using API features not available everywhere, or falling back to reasonable defaults if there isn't a hardware component you need.

I haven't developed for iOS, but I imagine it's much better than Android as a platform to develop on.



I'm using XPrivacy. It is a pain in the ass but does give me the functionality you mentioned. Root required. Asks with popup on requested permission. Tracks app permission request history. Freshly installed apps restricted by default. I paid for the pro/donation version which fetches community curated restriction lists. Honestly I don't know if it's worth the bother but seems like the least I can do. I do get some comfort finding many apps I install actually use fewer permissions than they ask for at install.


You can choose to enable permissions on a case-by-case basis if you install XPrivacy. You can either enable/disable permissions upfront, or have XPrivacy prompt you as an application attempts to access various functionality.

The downside is it requires root, but it works very very well.

http://forum.xda-developers.com/xposed/modules/test-xprivacy...


What happens when you deny? That's the problem I have: I need intelligent denials. Like 'fake GPS location' or 'fake contacts'.


XPrivacy provides fake information for several permissions, including location, when an app is denied that permission. You can manually set or auto-randomize the fake information. People often ask me why I'm sending them Facebook messages from Pyongyang.


That's exactly what it does. It feeds the application with fake or no data. There's no other way to do it due to Android's (in my opinion fundamentally flawed) security model.


XPrivacy provides graceful denial of permission by providing false (potentially randomized) information. For example, rather than deny internet permission it will trick an app into thinking the internet is disconnected. Instead of denying GPS access it will tell the app that you're in a user-defined or random location (based on your settings).


Developer-supplied descriptions don't help: If you're worried that an app might use its permissions inappropriately, you should also be worried that the developer will leave inappropriate uses out of whatever explanation they supply.

"Contacts required so we can highlight their names in incoming messages. [And spam them, but we're not telling you that...]"


Are you familiar with CyanogenMod? http://www.cyanogenmod.org/


Not available for my phone, sadly.



