5 Jan 2014

Ten Ways in Which the iOS permission system is far superior to Android’s

(Disclosure: I work for Google. And, I rarely write top ten lists, but this post naturally lent itself to that format.)

Having switched recently from Android to iPhone, I find the iOS permissions UI to be far better.

To begin with, Android apps declare their permissions in opaque terms like “access phone state”. That sounds innocuous, but if you read the fine print, you’ll be unpleasantly surprised to learn that it means access to your phone number. Hardly any of the apps that access my phone number have any business doing so [1]. So, that’s the first problem: the permissions are couched in opaque terms.

Second, the permissions UI doesn’t adequately differentiate between permissions that pose a serious privacy risk and more innocuous ones: they’re all in a single list, so it’s easy to miss the risky stuff. iOS, by contrast, prompts you separately for each of the sensitive permissions, like location, contacts, etc. It’s hard to miss that you’re granting access to contacts when you get an alert asking you whether you want to let an app access your contacts. This stuff is sensitive enough that a separate prompt for each piece of sensitive information (location, contacts, etc) is the right way to go. You want to separately think about each thing you’re approving before you approve it.

Third, the iOS prompts are more abrupt and show up at unpredictable times (when the app accesses your location or contacts or whatever), whereas the Android prompt always shows up at a predictable time — immediately after you press Install in the Play Store. This makes it easy to click OK hurriedly without reading through the permissions. If you’re not careful, it just becomes another bureaucratic step in the installation process. This is just a principle of UX design: if something happens at a predictable time, users may take it for granted and not pay attention. For example, I’m not surprised when my iPhone beeps when I plug it in to charge, because I expect that. Whereas if it beeped at a random time, I’d pay attention. And attention is exactly what you want before granting access to sensitive personal information.

Fourth, since iOS prompts occur only when the app accesses the relevant personal information, it’s easy to figure out why the app is accessing it. Instapaper, for example, has an automatic night mode — it darkens the UI at night, to make it more comfortable on your eyes. Only if you enable this feature does the app access your location (to determine when it’s night). This makes it more trustworthy — I know why the app wants to access my location, and it increases my trust in the app. Whereas if I were installing Instapaper on Android and it asked to access my location before I was acquainted with the app, my reaction would be “WTF? This sounds like an untrustworthy app / developer.” As in real life, you don’t trust strangers. Trust requires that you know who or what you’re trusting, and it’s incremental. When you’re installing the app is the WORST time to ask for trust. It’s like a stranger asking to borrow money from you.

Fifth, the iOS prompts give the app a chance to explain why it’s asking for your personal information. Accessing personal information is always a tradeoff — you give the app your information, and you hopefully get something useful in return. Knowing only one side of the coin doesn’t let you make an informed decision. In fact, it forces you into a bad decision, one way or the other: if you provide access, you risk having your privacy violated. And if you don’t, maybe the app has a genuine use for that information, but you don’t get the chance to find out, because Android doesn’t let you install the app when you deny a permission. Yes, the app can use your information for something other than it claimed, but that’s always true, and hard to combat. But not letting the app explain itself penalizes honest apps for asking for things you’d grant if only you knew what they’re for. Again, this is how trust works in real life: if a friend asks to borrow a large amount of money, they’d first say why they’re asking. And it makes all the difference whether they need the money to treat their mother’s cancer or for a vacation in Paris. Yes, someone can claim their mom has cancer and then go on a vacation with the money, but that’s a risk you can never eliminate.

Sixth, the permission system seems to be rigid and bundles together sensitive stuff with stuff that’s not. For example, VLC wanted to access my “phone state and identity”, which includes my phone number. When I asked them why they need this permission, they said they wanted to automatically pause playback if a call comes in. But because of the rigid permission system, they are forced to ask for access to my phone number as well, which I don’t want to give them and which they don’t want access to. They hopefully aren’t actually accessing my phone number, but who knows? What if there’s a bug in VLC? Or a poor design decision? Or, in general, an untrustworthy developer?

Seventh, iOS has a Privacy screen in the Settings app [2] where it shows you which apps accessed your location, contacts, photos, microphone, etc. And you can turn each app’s access to each permission on or off, say, preventing Facebook from accessing your microphone, while continuing to let other apps access your microphone, and continuing to let Facebook access other permissions, like your contacts (should you choose). This screen has room for improvement [3], but the fact that it’s there makes the permission system far more transparent and controllable for the user than Android, which has only a screen for Location, and doesn’t let you turn anything off (you can merely see which apps have helped themselves to your location). Android just asks you once during installation, and after that gives you little visibility into or control over what’s going on. This is a bad design. Trust is not a one-time decision, like deciding to reboot your computer. Rather, once trust is granted, people evaluate how the other party has behaved after the fact, and use that information to decide whether to trust that party more, or less, or even cut off all dealings with them. A system designed for humans should similarly give you visibility into decisions you’ve already taken, and a chance to change your mind.
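The sixth and seventh points, modelled as an added example (this is not code from the post, and not Android or iOS code): a coarse install-time bundle exposes every item in the bundle, while fine-grained runtime grants carry a purpose string, can be revoked per app and per item, and leave an access log. The bundle contents, app names and the `user_decides` callback standing in for the prompt are illustrative assumptions.

```python
from dataclasses import dataclass, field

# Coarse install-time bundles: one grant covers several distinct data items.
# Bundle contents are illustrative, not an exact list of Android's permission groups.
BUNDLES = {
    "READ_PHONE_STATE": {"call_state", "phone_number", "device_id"},
    "ACCESS_FINE_LOCATION": {"location"},
}

def install_time_exposure(requested_bundles):
    """All-or-nothing at install: refusing any bundle blocks the install, so the
    data exposed is the union of everything the requested bundles contain."""
    exposed = set()
    for bundle in requested_bundles:
        exposed |= BUNDLES[bundle]
    return exposed

@dataclass
class RuntimePermissions:
    """Fine-grained model: prompt on first access with the app's stated purpose,
    keep a per-app, per-item decision, allow revocation, and log every access."""
    grants: dict = field(default_factory=dict)  # (app, item) -> bool
    log: list = field(default_factory=list)     # (app, item, allowed)

    def access(self, app, item, purpose="", user_decides=None):
        key = (app, item)
        if key not in self.grants:  # first access: the prompt, showing the purpose string
            self.grants[key] = bool(user_decides and user_decides(app, item, purpose))
        allowed = self.grants[key]
        self.log.append((app, item, allowed))  # audit trail for the Privacy screen
        return allowed

    def revoke(self, app, item):
        """The Settings > Privacy toggle: one app, one item, everything else untouched."""
        self.grants[(app, item)] = False

    def accesses_by(self, app):
        """Everything one app touched, for investigating what it has been up to."""
        return [entry for entry in self.log if entry[0] == app]

def vlc_exposure():
    """VLC needs only call_state. Compare what each model hands over."""
    bundled = install_time_exposure(["READ_PHONE_STATE"])
    rt = RuntimePermissions()
    only_call_state = lambda app, item, purpose: item == "call_state"
    rt.access("VLC", "call_state", "pause playback on incoming call", only_call_state)
    rt.access("VLC", "phone_number", "", only_call_state)  # refused at the prompt
    fine_grained = {item for (app, item), ok in rt.grants.items() if app == "VLC" and ok}
    return bundled, fine_grained

if __name__ == "__main__":
    print(vlc_exposure())
```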

Eighth, I found myself uninstalling a lot of Android apps, including Twitter, Facebook, apps for both my banks, a remote control app for my DVR, and so forth, because they demanded access to too much personal information. Needless to say, a phone or tablet on which you can’t use the apps you want to use is not as useful.

Ninth, on Android, I often find that I’ve granted too much access, and uninstall apps after the fact. Whereas the clear prompts on iOS mean that I haven’t granted those apps access in the first place.

Tenth, Android’s support for full multitasking means that if you accidentally ended up installing an app that accesses something it has no business accessing, it can access that information even when you’re not using that app. Even if you haven’t used it in months. Apps can, for example, track your location or periodically go through your contacts, etc.

On the whole, privacy is one aspect where iOS is far, far ahead of Android.

[1] If an app wants to track me, the OS should give out an autogenerated unique ID (not my phone number). And this should be different for each app, so that the information can’t be correlated to track me, as happens on the web. iOS does this right.

[2] The iOS Settings app is in general still a train wreck, and I never know where to look to find a particular setting, compared to Android’s Settings app, which logically groups the settings into intuitive categories. But in the context of this post, Privacy is a top-level setting in the iOS Settings app, which makes it easy to find. Android, to its credit, does have a top-level Location setting in its Settings app, so it’s no worse than iOS to find the setting. The limitation is just that once you find it, you can do little on that page, as I described above.

[3] The page should also show when the app accessed a permission, like location (“yesterday, 5PM”) and what information was given to the app in response to its request (“Facebook was told that your location was Koramangala, Bangalore, at 5PM yesterday.”). Also, the Privacy screen currently groups apps by permission type; it would be useful to be able to see everything a single app has accessed as well, if you’re investigating what a particular app has been up to.
