Separating some code into a separate .apk doesn't really improve
security, it's only a way for the user to adjust his/her "comfort level".
There is nothing preventing two separate .apks, one with "read contacts"
and the other with "internet" permissions to do exactly the same as one
malicious app, steal contact info. It might not be obvious to the user
at all that the two apps are working together to do something bad.
The only way this is meaningful is if the application to pick a contact
is well known and trusted, which probably means it should be part of
Android itself.
I believe what would help is finer-grained access permissions, splitting
a broad "read contacts" into smaller-scope permissions, based on
user-driven scenarios.
Perhaps it should be done with other permissions, such as "write
external storage". There has not yet been a trojan that completely wipes
the sdcard, but nothing preventing it from existing.
- Kostya
30.08.2010 9:55, Dianne Hackborn ?????:
On Sun, Aug 29, 2010 at 5:17 PM, Bob Kerns <r...@acm.org
<mailto:r...@acm.org>> wrote:
There is no reasonable way, that does not impose an unacceptable
burden on users, to distribute an app that makes use of third party
functionality like this that should live in its own .apk.
How is bump's functionality as a separate .apk an unacceptable burden?
It does mean the user would need to install a separate app if they
want to use that functionality... but it should be very easy for the
original app to explain it needs this (when they want to use the
functionality), clearly associates that functionality with the bump
developer (who btw gets some nice branding there), and also allows
bump to upgrade their client code without having to get all of their
app authors to update each app.
--
Kostya Vasilyev -- WiFi Manager + pretty widget -- http://kmansoft.wordpress.com
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en