> I agree that framing things in terms of explicit risks is a good idea,
> but can we always say what they are? Letting an application know your IMEI
> can certainly be used to "track you across applications" is one risk, but
> an app could also use it for other nefarious uses. And there are reasons
> where granting IMEI is legitimate. Trying to come up with the right
> messages might be impossible.
>
Yes, it's possible to miss a risk. However, a set of security experts will certainly be better at figuring out what the risks are than arbitrary end users, who are really quite terrible at it. And of course it is possible for it to be a legitimate request. The user should be able to figure out the legitimate reason because s/he has presumably clicked on a button or done something else to trigger the permission prompt. The security warning serves as a counterbalance to present the risks, which the user presumably may not be able to figure out on his/her own (otherwise we wouldn't need to show a warning at all).

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security