Re: [android-developers] Re: Is there a way to request permissions from a user as you need them?

Mon, 30 Aug 2010 00:12:11 -0700

Separating some code into a separate .apk doesn't really improve security, it's only a way for the user to adjust his/her "comfort level".
There is nothing preventing two separate .apks, one with "read contacts" and the other with "internet" permissions to do exactly the same as one malicious app, steal contact info. It might not be obvious to the user at all that the two apps are working together to do something bad. 


The only way this is meaningful is if the application to pick a contact 
is well known and trusted, which probably means it should be part of 
Android itself.



I believe what would help is finer-grained access permissions, splitting 
a broad "read contacts" into smaller-scope permissions, based on 
user-driven scenarios.



Perhaps it should be done with other permissions, such as "write 
external storage". There has not yet been a trojan that completely wipes 
the sdcard, but nothing preventing it from existing.


- Kostya

30.08.2010 9:55, Dianne Hackborn ?????:

On Sun, Aug 29, 2010 at 5:17 PM, Bob Kerns <r...@acm.org 
<mailto:r...@acm.org>> wrote:


    There is no reasonable way, that does not impose an unacceptable
    burden on users, to distribute an app that makes use of third party
    functionality like this that should live in its own .apk.



How is bump's functionality as a separate .apk an unacceptable burden? 
 It does mean the user would need to install a separate app if they 
want to use that functionality...  but it should be very easy for the 
original app to explain it needs this (when they want to use the 
functionality), clearly associates that functionality with the bump 
developer (who btw gets some nice branding there), and also allows 
bump to upgrade their client code without having to get all of their 
app authors to update each app.



--
Kostya Vasilyev -- WiFi Manager + pretty widget -- http://kmansoft.wordpress.com

--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en




























					Reply via email to