As Android privacy becomes increasingly under attack, maybe it is time to revisit an old idea - allow a user to (temporarily or permanently) remove permissions from an app. The UI doesn't have to be a mess, and the API interface is easily backward-compatible. (Add an API call to find out if a permission is revoked, and older API apps receive a reasonable, valid "no data" return on reads and either "temporary error" or "ok" on writes.)

http://arstechnica.com/security/news/2010/09/some-android-apps-found-to-covertly-send-gps-data-to-advertisers.ars

"They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user's location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy."

The proposal is simple, and it has come up before.

http://code.google.com/p/android/issues/detail?id=10340 (looks quite well fleshed out, and not dramatically different from the other times it has been proposed)

The idea is simple: take the more sensitive permissions, the ones users are likely to be concerned about, and allow them to be enabled/disabled on the fly by the user. Provide an API to allow apps to query their permissions status - they could then refuse to run, or run in a more limited mode, based on the permissions granted. Apps that haven't been updated simply receive the appropriate 'no data' or 'write succeeded' returns from their blocked calls.

Perhaps this time Google will respond to the technical aspects of the proposal.
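
The backward-compatible behaviour proposed in the message above, modelled as an added example that is not part of the original post. Every class, enum and method name here is hypothetical and none of them is an Android API; the location value is a constructed sample.

```java
import java.util.EnumSet;
import java.util.Optional;
import java.util.Set;

// Hypothetical model of the proposal; none of these names are Android APIs.
public class RevocablePermissionsDemo {
    enum Permission { FINE_LOCATION, READ_PHONE_STATE, WRITE_CONTACTS }
    enum WriteResult { OK, TEMPORARY_ERROR }

    // Per-app state the user can flip at any time from a settings screen.
    static final class AppPermissions {
        private final Set<Permission> revoked = EnumSet.noneOf(Permission.class);
        void setRevoked(Permission p, boolean off) {
            if (off) revoked.add(p); else revoked.remove(p);
        }
        // The one new API call: updated apps ask and degrade gracefully.
        boolean isRevoked(Permission p) { return revoked.contains(p); }
    }

    // Platform-side gate placed in front of the sensitive services.
    static final class Gate {
        private final AppPermissions perms;
        Gate(AppPermissions perms) { this.perms = perms; }

        // Blocked read: a valid "no data" answer, the same shape a legacy app
        // already handles when no location fix is available.
        Optional<double[]> lastKnownLocation() {
            if (perms.isRevoked(Permission.FINE_LOCATION)) return Optional.empty();
            return Optional.of(new double[] {0.0, 0.0}); // constructed sample fix
        }

        // Blocked write: nothing is stored; caller sees "ok" or "temporary error".
        WriteResult addContact(String name, boolean reportOk) {
            if (perms.isRevoked(Permission.WRITE_CONTACTS))
                return reportOk ? WriteResult.OK : WriteResult.TEMPORARY_ERROR;
            // A real implementation would persist the contact here.
            return WriteResult.OK;
        }
    }

    public static void main(String[] args) {
        AppPermissions perms = new AppPermissions();
        Gate gate = new Gate(perms);
        perms.setRevoked(Permission.FINE_LOCATION, true);   // user toggles off
        perms.setRevoked(Permission.WRITE_CONTACTS, true);
        // Legacy app: calls as before, gets no data instead of a crash.
        System.out.println("legacy location present: " + gate.lastKnownLocation().isPresent());
        System.out.println("legacy write: " + gate.addContact("Alice", false));
        // Updated app: checks first, then runs in a limited mode.
        if (perms.isRevoked(Permission.FINE_LOCATION))
            System.out.println("updated app: location features disabled");
    }
}
```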
