Story 2014-08-10 3SF Google Play hides app permission changes in automatic updates

Google Play hides app permission changes in automatic updates

by
Anonymous Coward
in google on (#3SF)
story imageGoogle has changed how new app permissions are applied when updating Google Play apps. Previously, automatically updated apps displayed explicit details and required user confirmation when a new version gained additional privileges. Google Play no longer displays the addition of new privileges if a user has previously accepted any other permission in the same category as the new permission. This makes it possible for an app to sneak in permission changes without the user realising making the Android platform less secure.
Reply 11 comments

Does anyone really read them? (Score: 2, Interesting)

by zenbi@pipedot.org on 2014-08-10 23:20 (#2SK)

After the first couple of app installs, I kind of lost interest with the huge list of requested permissions that go with every app. Since you can't selectively toggle the individual items to deny the app access (only to deny the app install completely) the list is kind of useless anyway.

If you trust the app, you install it, otherwise you don't install it. It's not like you aren't going to install the "Facebook" app if you don't fully agree with one of the bullet items on the permission list.

Re: Does anyone really read them? (Score: 1)

by harmless@pipedot.org on 2014-08-11 01:49 (#2SP)

If you trust the app, you install it, otherwise you don't install it.
And on what do you place your trust? I.e. how do you decide if you can trust an app or not?

Re: Does anyone really read them? (Score: 1)

by seriously@pipedot.org on 2014-08-11 08:08 (#3SG)

It's not like you aren't going to install the "Facebook" app if you don't fully agree with one of the bullet items on the permission list.
Actually that's the very reason I uninstalled the skype app a few months ago, it started asking for more and more permissions with every update. I think it currently asks for more permissions than any other apps (maybe short of facebook ? I don't have that app) and can read your emails, text messages, who you're calling (the normal way), what apps are running, it can even draw over other applications ... all of which are completely unnecessary for skyping. And it keeps running invisible in the background (i.e. it doesn't appear in the "running app list") even when you turn it off (and I know it did because popup with new messages kept showing up).

It looks as if it is trying to know more about you than Google itself ...

Anyway, I really wish vanilla Android would allow find tuning of the permissions. If I remember correctly, this ability was there at some point for a short period of time in 2013 and then quickly removed (found it: http://www.osnews.com/story/27469/Google_removes_vital_privacy_feature_from_Android).

Re: Does anyone really read them? (Score: 2, Interesting)

by lhsi@pipedot.org on 2014-08-11 10:45 (#3SM)

I didn't install the Facebook app on my new phone as I didn't like all of the permissions. I instead use Tinfoil For Facebook which is essentially a sand-boxed web browser for just Facebook. As an added bonus, I don't get notifications, and don't have it running in the background.

I haven't updated the LinkedIn app on my tablet for a long time after they added a permission I didn't want installed. I don't have it installed on my phone, so just don't use it. Their loss in my view *shrugs*.

Re: Does anyone really read them? (Score: 1)

by nightsky30@pipedot.org on 2014-08-11 11:12 (#3SP)

I still won't connect to or use Facebook on my tablet, but Tinfoil sounds interesting. I refuse to install any social media app. They're like glitter of the app world, and glitter is like herpes of the art world.

Re: Does anyone really read them? (Score: 0)

by Anonymous Coward on 2014-08-11 11:20 (#3SQ)

Yes. I do. I pay attention to what permission changes an update has and do not update if the permissions are excessive. Same for installing new apps. Google saying that internet access in apps is, in my opinion, leaning towards Evil. Seriously, does a calculator need internet access? Really? Perhaps it is time for Google to bundle a firewall with Android. It is just like Windows 95 all over again.

xprivacy (Score: 1)

by axsdenied@pipedot.org on 2014-08-11 00:14 (#2SN)

I use xprivacy to have control about every permission.

Re: xprivacy (Score: 0)

by Anonymous Coward on 2014-08-11 02:39 (#2SQ)

I cannot root my phone due to warrenty.Android needs better permission control and root option by default.

Re: xprivacy (Score: 1, Interesting)

by Anonymous Coward on 2014-08-11 13:47 (#3SV)

Void your warrant. It's worth it. If you're on a contract you can generally get a new phone every year, and android contract phones are pretty cheap (I got a pretty decent one for $.01). I had problems with my phone a while back and took it into an AT&T store. The clerks didn't even care that it was rooted, they still helped me out. Not sure if it was just the store or if they don't actually care, but it worked either way. Even if they hadn't helped me, I still would have been happy to have rooted. So much more control.

Re: xprivacy (Score: 0)

by Anonymous Coward on 2014-08-11 14:27 (#3SX)

It's also possible to restore most devices so that it is difficult or impossible to tell that they have been rooted. I think the only reason they tell you it voids the warranty is to scare you off.

way off the mark (Score: 2, Interesting)

by zafiro17@pipedot.org on 2014-08-11 20:09 (#3T0)

Not sure what we need but it's got to be better than the status quo. I read all the privilege needs and usually can't imagine why simple apps need such broad permissions. I hedge my bets by using paid apps rather than free apps than need to advertise. But ultimately reputation as risk and a broad app market vie against network effects and peer pressure. But let's say I love whatsapp for communicating with friends and suddenly that app gets greedy with permissions? If I choose not to allow I'm also choosing not to continue using the app. Rapacious and scumbag developers know this.