Wed Oct 6, 2010
Skype for Android was finally announced yesterday. I opened the Market app in my phone to have a look at the ratings, other users' comments and the permissions Skype asked for. I was greeted by this list:
- Your personal information: read contact data, write contact data.
- Your location: coarse (network-based) location.
- Network communication: full Internet access.
- Your accounts: act as an account authenticator, manage the accounts list, use the authentication credentials of an account.
- Storage: modify/delete SD card contents.
- Hardware controls: change your audio settings, record audio.
- Phone calls: read phone state and identity.
- System tools: modify global system settings, prevent phone from sleeping, retrieve running applications, write sync settings. Now, how can users, when presented with this list, make the right decision of installing or not installing the application? My point is, I don’t know how useful it is to make this question. From a legal point of view it’s obviously useful. You can blame the user for accepting. But from a practical point of view? How many users know why are all these permissions requested? I would say not many. Users get used to clicking install, no matter what is on that list.
Users could make a more informed decision if developers wrote a reason next to each permission, answering the question “why does your app need this permission?". But even in that case, how can users trust the explanation?. To me it feels like Skype is asking me “do you give me full access to your phone?”. Why does Skype want to know the list of running applications? My location? What is an account authenticator? What are the authentication credentials? Those are not obvious questions for most people. Not even for someone who has developed an Android application like me.
When users click install, they are basically saying “I trust you”. They are not saying “I understand these permissions and I know why you require them”, because they can’t know. Permissions can be used for legitimate purposes and for spying on users. How could we distinguish them? I can only think of one way: code review. This can happen by developing under the open source model, or by having a trusted company reviewing and certifying programs.
Something else I dislike in Android is the fact that applications have full access to the SD card. Last time I worked on this (beginning of 2010), applications could access the data of other applications, if the data is located on the SD card. If you use APP A to write a diary, and App A saves your data unencrypted on the SD card, APP B can read and upload your private thoughts to the Internet. I’m sure SD cards on Android phones are full of interesting files. Developers should be careful about the way data is stored. Databases for example can not be accessed by other programs by default. It would be great if Android provided a “private SD card space” for each application. I can imagine this being implemented in future versions.
A final thought: when we install software on a computer we are trusting with even less information to decide. We are not presented with a list of permissions to agree on. We just go ahead assuming it will behave well.