The problem with Android permissions is too much information and not enough information all at once

Android dudes
Android dudes (Image credit: Jerry Hildenbrand / Android Central)

It's a regular happening in the tech press. An app has questionable permissions and people freak out about it. Sometimes it's warranted, but most of the time it's because the people freaking out don't understand the Android permission model or haven't taken the time to see what reasons an app might have to need those seemingly sketchy permissions. And it's Google's fault. Sorry, Google, we love you, but this is all yours.

There are two ways to handle letting the user (that's you and me) know what an app needs to do or needs to see in order to function. One way is to plainly state everything up front before that user installs it so they know exactly what can be done and seen. In other words, the Android way (mostly). Another way is to carefully screen each and every app and have the user trust your screening process and know that the app isn't doing anything out of the ordinary. This is the Apple way. Both are good in some ways and bad in some ways.

It's Serenity and crew's job at iMore to tackle iOS issues on this front if it needs tackling— they're more knowledgeable about them than I am — but we really need to talk about Android permissions here and why they need some attention from big G.

I'm going to pick on our own Android Central app here because I can look through the code or build it myself and know exactly what it does, what it can do, and why. Let's start with what makes people freak out because there is a good example right in the picture above — prevent device from sleeping.

Why in the hell does an app to read a blog need to keep your phone locked awake? I don't blame you at all if this is the first thing you think. In fact, I want it to be the first thing everyone thinks because we all need to be a little skeptical when it comes to software that we install on our phones. But our app has no intention of keeping your phone running all the time, and unless there's a bug somewhere it doesn't. We need that permission so that the screen doesn't shut off while you're reading this.

Tell us what those permissions mean and we'll freak out less.

There are two very big issues here that Google can fix. One is hard but the other is easy, Like delicious pie easy. The hard one is to continue building out the APIs until we have one that can only keep the screen on. Let background data and everything else sleep until it's used and keep the CPU idling unless it needs to ramp up for something else a user is doing. That's all we're using the prevent device from sleeping permission for anyway. If Google makes that API, we'll switch to it. Until then, we need permission to keep your whole phone up and running even when we're not doing anything in the background.

The second and easier thing that needs to be done is to give more information here. Once you decide that you're going to give the user all the info about which permissions an app needs, you need to go a step further when you list them. What we have right now is either too much information or not enough information.

I am a nerd. I don't even try to hide it. Plenty of the people reading this will also be nerds. What we see now on Google Play when permissions are shown was written by nerds for nerds. I understand it, my fellow nerds understand it, but a normal person who just wants to install a cool new app might not. Consider this:

  • Prevent your device from sleeping. This application needs to keep your phone from going into a sleep state. This can only happen while the app is running and shown on your screen and may not be processor intensive. If you have any questions you should ask the developer using the contact information at the bottom of the page.

That took me like 30 seconds to bang out on my keyboard. (And 20 more to fix the typos because I think I can type really fast without looking at my keyboard but I actually can't.) It's not the greatest explanation of what this permission might mean, but it's a metric shitload better that what we have now. The people at Google are way smarter about Android than I am (but I challenge any and all comers to test my knowledge on Dunmer lore) and could do this even better. If they did, it would help people who actually bother to read the permissions when they see Twitter melting about an app needing GPS data because it's a free ad-driven app that needs GPS to show you those "relevant" Target ads when you're in the Target parking lot.

The Android permission model needs to be refined and explained. And not by nerds.

This isn't a new problem. Since Android became popular people have seen too much information about needed permissions without enough information about those permissions and what they mean. Then they (rightfully) freak out about it. I enjoy those freakouts. I get to sit back and watch people actually care about mobile security and their precious personal data for a day or two. But the app developers surely aren't very happy when it happens to them, and they are the reason Android is as popular as it is.

So how 'bout it Google? Can you make a change to give us everything we need to know when we actually look at an app's permissions without going to the Android Developer site and reading a bunch of documentation about them? We'll love you more.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.