18 Aug 2016

Android Should Prioritise Privacy over Backward-compatibility

Android Marshmallow introduced iOS-like runtime permissions. You don't get a permission prompt when you install an app; you're prompted only when the app tries to access private data. And you can go to settings and toggle any permission if you've changed your mind.

This has many advantages: you can use apps even if you don't want to grant them all the permissions they want. Users are prompted in context. For example, if you want to share a document with someone, being asked for contacts access at that point is natural and makes it more likely for you to grant access. Users who don't use a feature that requires a permission are never bothered about that permission. And so on [1].

Unfortunately, not enough apps have been updated to take advantage of this new system. Those apps are still granted all permissions they ask for at the time of installation. But, as a concession, you can go to settings and toggle any permission off. The only change between old and new apps is the default — new apps have all permissions off until you turn them on, while old apps have all permissions on until you turn them off.
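To show what "updating an app to take advantage of this system" actually involves, here is an added example (not code from the post): a share screen that asks for contacts access only when the user taps share, keeps working when the request is denied, and stops asking once the user has said "never ask again". It assumes targetSdkVersion 23 or higher (so the runtime model applies), the v4 support library for the Compat helpers, and a hypothetical package name; the preference key and request code are constructed values.

```java
// Added example, not from the post. Assumes targetSdkVersion >= 23 and the
// v4 support library. Package name is hypothetical.
package com.example.share;

import android.Manifest;
import android.app.Activity;
import android.content.SharedPreferences;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.provider.ContactsContract;
import android.support.annotation.NonNull;
import android.support.v4.app.ActivityCompat;
import android.support.v4.content.ContextCompat;
import android.widget.Toast;

import java.util.ArrayList;
import java.util.List;

public class ShareActivity extends Activity {
    private static final int REQUEST_READ_CONTACTS = 1;          // constructed request code
    private static final String PREF_CONTACTS_DECLINED = "contacts_declined"; // constructed key

    /** Entry point from the share button. Nothing is requested before this point. */
    public void onShareClicked() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.READ_CONTACTS)
                == PackageManager.PERMISSION_GRANTED) {
            showSuggestions(loadEmailAddresses());
            return;
        }
        SharedPreferences prefs = getPreferences(MODE_PRIVATE);
        if (prefs.getBoolean(PREF_CONTACTS_DECLINED, false)) {
            // The user already chose "never ask again": respect it, use the fallback.
            showManualAddressEntry();
            return;
        }
        // Prompt in context: the user just asked to share something.
        ActivityCompat.requestPermissions(this,
                new String[]{Manifest.permission.READ_CONTACTS}, REQUEST_READ_CONTACTS);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        if (requestCode != REQUEST_READ_CONTACTS) {
            super.onRequestPermissionsResult(requestCode, permissions, grantResults);
            return;
        }
        // grantResults can be empty if the dialog was interrupted; treat that as denied.
        boolean granted = grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED;
        if (granted) {
            showSuggestions(loadEmailAddresses());
            return;
        }
        // After a denial, a false rationale flag means "never ask again" was ticked.
        if (!ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.READ_CONTACTS)) {
            getPreferences(MODE_PRIVATE).edit()
                    .putBoolean(PREF_CONTACTS_DECLINED, true).apply();
        }
        // Denied: degrade to typing an address, don't break the feature.
        showManualAddressEntry();
    }

    /** Reads only the e-mail column, not whole contact records. Requires READ_CONTACTS. */
    private List<String> loadEmailAddresses() {
        List<String> addresses = new ArrayList<>();
        Cursor c = getContentResolver().query(
                ContactsContract.CommonDataKinds.Email.CONTENT_URI,
                new String[]{ContactsContract.CommonDataKinds.Email.ADDRESS},
                null, null, null);
        if (c == null) return addresses;
        try {
            while (c.moveToNext()) addresses.add(c.getString(0));
        } finally {
            c.close();
        }
        return addresses;
    }

    private void showSuggestions(List<String> addresses) {
        Toast.makeText(this, addresses.size() + " contacts available", Toast.LENGTH_SHORT).show();
    }

    private void showManualAddressEntry() {
        Toast.makeText(this, "Type the recipient's address", Toast.LENGTH_SHORT).show();
    }
}
```

The permission is re-checked on every use rather than cached, because the user can revoke it in Settings at any time after the first grant; an app that remembers "granted" from last week will crash with a SecurityException on the next query.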

But, when I tried to turn permission off, I got this prompt:

[Image: warning prompt shown when turning a permission off]

Google should remove this prompt. Just deny the permission. If the user wants to turn off a permission, don't discourage them. If an app breaks because the developer couldn't be bothered to do the right thing for their users even 10 months after Marshmallow phones launched, let their app break. Users' privacy is more important than backward-compatibility with lazy developers.

Not only should users not be discouraged when they try to deny permission, all permissions should default to off, even for old apps. Show a prompt on first access, and only then grant permission. And if the app was in the background when the first access was made, silently deny it.

Users' privacy is more important than catering to developers who are lazy and can't be bothered to update their apps in their users' best interests.

As another example, Android apps often ask for access to the SD card to store their data. But, starting from Lollipop, Android apps automatically have access to a private folder on the SD card to store their data in. Apps no longer need to be able to read all your sensitive information on the entire SD card. Android offers developers a backward-compatible solution: when running Lollipop or above, an app can store data in its private folder, without a prompt. And when running on KitKat or earlier, users get a prompt as before. But many developers haven't bothered to adopt this — many apps still request access to the entire SD card.
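The backward-compatible approach described above, as an added example that is not the post's own code: the app writes only to its app-specific directory on external storage, and the manifest requests the SD card permission only on releases that still need it. The manifest declaration is shown in the header comment; the package name and file names are hypothetical. The post draws the line at Lollipop; the value `maxSdkVersion="18"` used here is the one Android's own documentation gives for this pattern, since the app-specific directory stopped needing the permission in KitKat (API 19).

```java
// Added example, not from the post. Assumed AndroidManifest.xml entry:
//
//   <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
//                    android:maxSdkVersion="18" />
//
// With maxSdkVersion set, the permission is requested only on pre-KitKat
// devices; newer devices grant nothing and the app still gets its own folder.
package com.example.storage; // hypothetical package

import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public final class AppStorage {
    private AppStorage() {}

    /** The app's own directory on external storage, or null if storage is unavailable. */
    public static File privateExternalDir(Context ctx) {
        if (!Environment.MEDIA_MOUNTED.equals(Environment.getExternalStorageState())) {
            return null; // card removed, or shared with a PC over USB
        }
        // Resolves to <external>/Android/data/<package>/files and is deleted on uninstall.
        return ctx.getExternalFilesDir(null);
    }

    /** Writes data under the app's own directory; never touches the rest of the card. */
    public static boolean saveExport(Context ctx, String fileName, byte[] data) {
        File dir = privateExternalDir(ctx);
        if (dir == null) return false;
        File out = new File(dir, fileName);
        try {
            // Refuse names such as "../../other" that would escape the directory.
            String base = dir.getCanonicalPath() + File.separator;
            if (!out.getCanonicalPath().startsWith(base)) return false;
            try (FileOutputStream fos = new FileOutputStream(out)) {
                fos.write(data);
            }
            return true;
        } catch (IOException e) {
            return false;
        }
    }
}
```

One caveat a practitioner should keep in mind: on these Android versions the app-specific external directory is still readable by any other app that holds READ_EXTERNAL_STORAGE, so it is the right place for exports and caches, not for secrets. Data that must stay private to the app belongs in internal storage (`ctx.getFilesDir()`), which needs no permission on any version.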

It has been 21 months since Lollipop phones came out. Google should start rejecting apps from the Play store that ask for access to the entire SD card (on devices running Lollipop or above) when they need only a private directory for their data. And maybe remove existing apps from the store that haven't been updated, after a one-quarter notice. Or silently deny permission at runtime. Let the app break and accumulate one-star reviews. Any of these options safeguard users' privacy better than the status quo.

Google has so far relied only on developers to do the right thing, to safeguard their users' privacy. But many developers don't care. They don't bother to learn and follow best practices to safeguard their users' privacy. If carrots don't work, it's time to bring out the sticks.

Users' privacy is more important than backward-compatibility with lazy developers. Give them a one-quarter notice and then let their apps break.

[1] Android permissions are still not as good as iOS ones, in many ways: First, when you approve or deny a permission on Android, the app can prompt you again. There's a "Never ask again" setting, which is pointless and shouldn't be there — just remember the answer and don't bug the user again. I sometimes feel that my decision isn't being respected and I'm being bugged again and again until I acquiesce. Second, iOS lets you limit location access in the background, while Android doesn't realise that background access to location is far more sensitive and dodgy. Third, iOS lets apps reduce the information they're asking for, like filtering contacts by some fields. If an app is accessing contacts to share a document with someone, perhaps it doesn't need phone numbers. And so on.
