The Broken Permissions Model in Android Apps as Illustrated by Facebook

A couple days ago I was informed that the Facebook app on my Samsung Galaxy S3 wanted to update. But it needed me to agree to some additional permissions for the app. I clicked the button to see what they were and was greeted with this:

[Image: screenshot of the list of permissions the Facebook app update asked me to grant]

I was more than a little surprised by the things that Facebook expected me to agree to let them have access to on my phone. Let’s be honest, that’s a pretty invasive list of things that I’m being asked to agree to allow and trust that Facebook will do no harm.

So I decided not to upgrade.

Here’s the thing, though. While I was originally angry with Facebook (I still am to some degree), I realized that Google is to blame here as well. They’ve developed this “all or nothing” permissions model. It’d clearly be more friendly to the user if every one of those permissions had an associated checkbox. That would allow me to choose the things which are reasonable and uncheck those that are not. The price, of course, is that I wouldn’t get the application’s full feature set. But maybe I don’t need or want all those features anyway.

I just want to post cat pictures and stuff. Let’s leave my SMS messages and wireless network connections out of it, OK?

This “take it or leave it” system really doesn’t allow for that use case.

I’d remove the app entirely, but I do use the 2-factor authentication codes that it generates. So I’d need to find an alternative way of getting those.

If this was a desktop app, I could at least run it inside a Virtual Machine and manage what it has access to. Maybe we should expect next generation phones, as they’re going to be more and more powerful, to offer similar virtualization? Seems like the wrong solution to me, but I wouldn’t be at all surprised to see it.

About Jeremy Zawodny

I'm a software engineer and pilot. I work at craigslist by day, hacking on various bits of back-end software and data systems. As a pilot, I fly Glastar N97BM and high performance gliders in the northern California and Nevada area. I'm also the original author of "High Performance MySQL" published by O'Reilly Media. I still speak at conferences and user groups on occasion.

5 Responses to The Broken Permissions Model in Android Apps as Illustrated by Facebook

  1. Royce Williams says:

    Undocumented back-end access to fine-grained control of all permissions on a per-app basis (accessed by a widget called App Ops) was pulled by Google in December (which got the EFF’s attention). It can be restored using discoverable methods (usually requiring root). It is also available in CyanogenMod.

  2. adamwulf says:

    Completely agree about it being Google’s fault here, but I’m also disappointed in Facebook’s lack of restraint in asking for so much data.

    I have an iPhone, but I deleted Facebook off my phone as well, and have Facebook SMS me for the two factor auth instead of generating it on my phone.

  3. Interestingly, it’s partially because of the virtualization model that Android uses that apps have to ask for these permissions. It’s modified Linux under the hood, and each app runs as its own user, and has access only to its own “home” directory. Permissions for things like network access, SMS, location, etc. are controlled by Linux group permissions. This is only checked/assigned at install time. They’d have to come up with a way for apps to dynamically request and be granted group permissions, which is conceivable, at least to my limited understanding. It would take work, but it seems like it could be done.

    As an aside, this is what makes me nervous about “rooting” and jail breaking. You’re literally giving apps root access to do whatever they want on your phone, including completely bypassing these permissions/restrictions. *shudder*

  4. Roger says:

    Blackberry did a good job of this. You were shown the permissions and could set them to ok, ask each time, and denied. They were also grouped so you could set permissions for the group instead of each separate one.

  5. bcs says:

    The price, of course, is that the app then needs to be able to not crash when it’s denied access to some resources. Given the general state of error handling in software (not just mobile apps) the likely result is that there would be no practical difference for >90% of apps because the user would get the choice between granting the app everything it asks for or having it crash randomly.

    The best solution I can think of is some sort of automated testing infrastructure “Upload your app here and we’ll test it on the top 50 hand sets and with a matrix of denied permissions (sorry, no option to turn that last bit off).”
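The point bcs raises above, that a per-permission grant model only works if the app survives being told "no", is what Android's later runtime-permission model (Android 6.0 and up) forces developers to handle. The following is an added example, not code from the original post or from Facebook's app, showing the defensive pattern: the app asks for `READ_SMS` only when the user actually triggers the one feature that needs it, and degrades to a manual fallback when the grant is refused. The activity name, the request code, and the three UI helper methods (`readCodeFromSms`, `showManualCodeEntry`, `showFeed`) are hypothetical placeholders; the permission and compat APIs are the real Android and AndroidX ones.

```java
// Added example (not from the original post): an activity that treats READ_SMS
// as an optional capability instead of an install-time precondition.
// Assumes Android 6.0+ runtime permissions and the AndroidX compat helpers.
import android.Manifest;
import android.content.pm.PackageManager;
import android.os.Bundle;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class FeedActivity extends AppCompatActivity {
    // Arbitrary request code used to match the result callback (hypothetical value).
    private static final int REQ_READ_SMS = 1001;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The core feature (the feed) needs none of the sensitive permissions,
        // so it must work even if every optional grant is refused.
        showFeed();
    }

    // Called only when the user taps the "auto-fill code from SMS" control.
    void onAutoFillCodeRequested() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.READ_SMS)
                == PackageManager.PERMISSION_GRANTED) {
            readCodeFromSms();
        } else {
            // Ask at the moment of use, in context, rather than at install time.
            ActivityCompat.requestPermissions(this,
                    new String[] {Manifest.permission.READ_SMS}, REQ_READ_SMS);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode,
                                           @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_READ_SMS) {
            return;
        }
        // grantResults can be empty if the request was interrupted; treat that as denied.
        boolean granted = grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED;
        if (granted) {
            readCodeFromSms();
        } else {
            // Denied: fall back to manual entry instead of crashing or re-prompting.
            showManualCodeEntry();
        }
    }

    // Hypothetical UI helpers; their bodies are app-specific and omitted here.
    void showFeed() { /* render the timeline */ }
    void readCodeFromSms() { /* parse the verification code out of the SMS inbox */ }
    void showManualCodeEntry() { /* show a text field where the user types the code */ }
}
```

The design choice worth noting is that the denied branch is a real code path with a working alternative, not an error dialog: that is what makes a per-permission checkbox model viable without the "grant everything or crash randomly" outcome the comment predicts.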
