I think its going to be very difficult to prevent applications without network or sms permissions from leaking any data they can obtain to the outside world by means of another application that does have those permissions.
Its even possible for an application without network permissions to infrequently upload quite a bit of data via the default web browser. On install they can just send an intent to view a webpage containing something innocent like a welcome, help, or changelog web page for their app, while quietly shoving 100+ lines of whatever through extra post data for older android releases or extra header data for newer ones. Its not immediately apparent how one would detect this, unless it happens on wifi and you log http traffic or your mobile provider is inspecting packets. On Aug 29, 8:19 pm, Indicator Veritatis <mej1...@yahoo.com> wrote: > You rightly say, "should be taken down > from Market if it is discovered", but if that need exists, then what > will Google do to reassure users that somebody is watching for such > violations? A Service should not HAVE the ability of share that data > with other Applications unless they too have the same permission. So > this suggests a flaw in the design of Android permissions. > > On Aug 29, 12:11 pm, Dianne Hackborn <hack...@android.com> wrote: > > > > > On Sun, Aug 29, 2010 at 5:31 AM, Zsolt Vasvari <zvasv...@gmail.com> wrote: > > > On a somewhat related note, I decided I would try to integrate the > > > Bump functionality into my app -- some users asked for ways to > > > exchange transactions between phones in the family, and this seemed > > > pretty good. > > > > But then I opened the docs and here it what it says: > > > > Add > > > > <uses-permission > > > android:name="android.permission.ACCESS_FINE_LOCATION" /> > > > <uses-permission > > > android:name="android.permission.ACCESS_COARSE_LOCATION" /> > > > <uses-permission android:name="android.permission.INTERNET" /> > > > <uses-permission android:name="android.permission.VIBRATE" /> > > > <uses-permission android:name="android.permission.READ_PHONE_STATE" /> > > > > No freaking way I will pollute my permission requirements with that > > > stuff. If I saw a personal fianance app ask for those permissions, > > > I'd hit cancel so fast, it wouldn't know what happened. > > > > I don't know what the solution is, but this is just wrong. > > > This is a flaw in their design (and in the design of current ad servers as > > well). By having you link their code into your app, you are required to > > take responsibility for their permissions. Yet it is their code, you don't > > have control over it, so why should you? > > > A solution is for the other party's code to be in its own .apk, which your > > app uses if it is there. (And you can prompt the user, sending them to > > market, to make this functionality available.) This way the permissions are > > clearly separated between apps, and the user can associate them with the > > responsible parties and decide who they want to trust. > > > That said, there is an implicit responsibility of the app delivering > > functionality to other apps this way to not leak the permissions it is > > using. (As there is for every app.) An extreme example would be an app > > that use permission for GPS, and a service that lets others get the current > > location. That kind of thing is a security hole, and should be taken down > > from Market if it is discovered. > > > -- > > Dianne Hackborn > > Android framework engineer > > hack...@android.com > > > Note: please don't send private questions to me, as I don't have time to > > provide private support, and so won't reply to such e-mails. All such > > questions should be posted on public forums, where I and others can see and > > answer them. -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
