Update: Unfortunately some of the /r/Android and /r/Technology readers don’t seem to be making it past the title. Rather than repeatedly telling me why Paypal might occasionally need access to my camera, perhaps consider why I need to give it permanent access. And why do I have to give something access for features I don’t use? This, as you’ll see if you keep reading, can be solved by both Paypal and Google.
It’s easy to overlook app permissions. After all, you want something, and if there’s no tangible sacrifice attached to it, people don’t see the problem.
I do. I look after a few servers; security is something that’s always in or around my consciousness. The prime tenet of data security is to only give access to things that need it, ideally only when they need it.
The Paypal app can, as it turns out, do a raft of things that involve your phone’s hardware: reading magnetic stripe cards, scanning credit cards and OCRing cheques. I’ve still no idea why it needs SMS/MMS, calendar, location and app inspection access… So answers on a postcard.
That isn’t really the point. My first problem comes in that Paypal are normalising applications doing a permission land-grab at install time. Something that was installed to let me do lightweight management of my account (and get notifications) has mutated into this beast that wants permanent access to my physical life.
Now, you can probably trust Paypal; they’ve only been shown to be moderately evil in the past… But who is to say that will always be true? They could decide to monetise this access. Or they could get hacked. Or another app could manipulate it to escalate its own privileges. In any case the result is the same: it can track you, it can watch you, it can hear you and it can smuggle data off your phone without you ever realising. You’re installing the perfect tracking, wiretapping bug.
There is an argument that Android should be marshalling access to privileges better, but before I get there, Paypal could and should be more considerate about what they’re asking users to hand over. They could easily split the application out into plugins and distribute those in separate packages with their own privileges. It would leave the core application svelte, concentrated on core functionality, allowing cranky old users like me their simple, secure access and giving coffee-shop-hopping Alice and Bob all the naff features they want to trade for their privacy.
But the biggest issue, as comments are highlighting, is how Android allows developers to request permissions. It all has to be done at install time and it’s all or nothing. If the user won’t accept it, they can’t install or update. They have to uninstall or ignore the updates… Which is obviously another massive security issue.
If an iOS app wants to use the camera, you’re asked when it wants to use the camera. That might seem like Vista’s UAC all over again, but that’s the call here… And I think Apple are on the better side. Android needs to start thinking about permissions in an interactive sense.
Back to Paypal. Given I only use the Paypal app to manage my Paypal account, I decided to uninstall it.
There has been a great discussion following this on Hacker News. I particularly like some of the interface suggestions on how this could work without being annoying. Google could learn something from this dialogue.
About Oli: I’m a Django and Python programmer, occasional designer, Ubuntu member, Ask Ubuntu moderator and technical blogger. I occasionally like to rant about subjects I should probably learn more about but I usually mean well.