Comments in line below On Apr 17, 2012, at 4:08 PM, Adrienne Porter Felt wrote:
> > > On Mon, Apr 16, 2012 at 7:42 PM, Jim Straus <jstr...@mozilla.com> wrote: > On Apr 16, 2012, at 10:24 AM, Adrienne Porter Felt wrote: > > > -- Changing the wallpaper or ringtone: Let all apps do it, but provide an > > "undo" mechanism in Settings that changes it back to what it was prior to > > that app altering it. > > Or have the API throw up a confirmation dialog. A wallpaper app can preview > wallpapers as much as it wants (even going full screen with the wallpaper > image). Then when the user asks to set their wallpaper , a system dialog > comes up with the wall paper and a confirmation dialog. Similarly for > ringtones. Thus these settings don't need permission control.s > > What do you mean by a confirmation dialog? I am imagining that you mean a > preview of what the phone will look like with the new wallpaper for a second, > followed by an OS dialog that says "Keep this new wallpaper/Revert". Is that > right? If so, I like that idea. I was actually thinking of a dialog with a shrunk version of the wallpaper and "Set wallpaper"/"Cancel". But either one works and is the same principal of the system mediating the setting and getting consent from the user. > > > -- Adding words to the dictionary: Only let apps do this if they are > > installed as IME apps; there should only be one IME app at a time. > > > Do you mean only one IME in use at a time or installed at a time? > > I mean in use at a time, mostly because I cannot imagine what it would mean > to have multiple IMEs operational at once. (If you have 2 keyboards > installed, some setting must control which one is shown to the user when a > keyboard is needed.) > Actually, I can see there being an IME selection button that allows for changing on the IME on the fly (for example, iOS has a special button that allows you to select which language to use if you have more than one language enabled), but that doesn't doesn't change the fact that only the current IME should be allowed to add words to the dictionary. > > -- Connecting or disconnecting from WiFi: Apps can connect to known > > networks, or disconnect from any network. If an app is connecting to a new > > network, ask the user with the standard OS prompt for connecting to new > > networks. The Settings WiFi control panel should have some small text that > > says what app last disconnected you from the network if the current state > > of the phone is disconnected. > > > I don't want arbitrary apps disconnecting my wifi. Doing so may interrupt > background processes and I may not notice it for a while. Why should any app > besides a Settings app need to muck with my networks? > > There are apps out there that try to save you battery life by disconnecting > WiFi when it doesn't seem needed. I personally wouldn't use one but they do > exist, so I see why it might be desirable to have that as a setting. > > Is there any motivation for an app to abuse the ability to disconnect WiFi? > I can see buggy applications screwing up (in which case you can look at > Settings and then uninstall them), but unlike the SMS API there is nothing to > gain by intentionally disconnecting WiFi against the user's will. Even if > there were some malware out there that did this as a way to annoy you, the > audit mechanism (showing who last disconnected WiFi) would let you fix the > problem by immediately identifying and uninstalling the annoying app. > Well, an app could disconnect your wifi so you fall back to cellular data where there may be real costs. I don't know how an app would take advantage of that, but it could lead to the user getting unexpectedly high bills. > > *Whenever I say "apps" in this e-mail I mean trusted/certified apps, not > > arbitrary web sites. > > Do you mean trusted, certified and granted permission to use the Settings API > or any trusted, certified app? > > Any trusted, certified app. I was saying that there should not be any single > way to grant permission to the Settings API as a whole, but rather the > privilege to use individual settings should be handled on a per-Settings > basis. (Controlling WiFi via Settings is very different from changing your > wallpaper, so I don't think it makes sense to grant an application access to > do both with a broad "Grant access to settings?" permission.) I agree. Personally, I would like to see the Settings app not be a single app but a collection of settings apps (maybe tagged as settings in their manifests.) This would allow for isolating the separate settings and also allowing the settings to be extended easily. But that is a different matter. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
