Android's permissions are better than ever but still need a lot of work

News
By Jerry Hildenbrand
published

Android 11 Beta Permissions Page
Android 11 Beta Permissions Page (Image credit: Joe Maring / Android Central)

A smartphone needs to do more than send texts and make calls. That's the whole premise behind the term smart — an ability to do more than basic features. Android phones can do almost anything, and that makes them a very powerful tool for all of us.

But being able to do so much means that rules need to be set, or everything will quickly become chaos. We want our phones to do something, so we install an application that can do it, and that application runs using the platform that is Android. Android has to decide how, when, and sometimes even why an application can do its job.

There need to be some rules, but those rules need to evolve along with the rest.

One of the ways this is handled is through Android's app permissions. Applications that want or need to perform a specific action can't do so unless permission is granted. Now, I'm a firm believer that we should be able to grant any app any permission we like and likewise refuse any app when it asks for any specific permission. We bought the phone, and it's our data that is being accessed and acted upon.

Android has slowly moved to a model that sort of works this way. Since Android 6, apps have been able to use more granular permissions that we can choose to grant or deny whenever we run them. That's great, but not every permission problem has been solved yet. Permissions are still lumped together in many ways and untangling this really needs to become a focus as Android evolves.

Permissions are still lumped together, and real granular control is nowhere to be seen.

If I want to let an app share a photo or anything else, there is no reason why I should have to grant that app permission to read my contacts. This is a simple example that says everything about what's wrong with Android permissions. Companies that make Android apps get blasted every day because they have very broad and seemingly unnecessary permission requests, but often it's not the app that needs to be blasted.

A good example of this is DJI's Go 4 app. DJI builds drones that allow you to use your phone as a controller. Security researchers recently had some concerns about the app and published a list of issues that could potentially be used to leak our personal data. Some of the concerns are bugs or practices that deserve questioning. However, one specific concern is how social sharing through SDKs (Software Development Kits) from platforms like Facebook, Twitter, or Instagram means the app needs access to all of our photos, all of our contacts, our location, our SD cards, and our camera and microphone.

DJI Mavic Mini deployed

Source: Hayato Huseman / Android Central (Image credit: Source: Hayato Huseman / Android Central)

That level of access is crazy, and I side with the security researchers here and say that you should investigate any app that wants all of those permissions. But I also know that if you want to control your drone with your phone and then have it share a real-time video during its flight, you're going to need all of those permissions because that's how Android currently works. Part of the blame goes to the companies writing the actual SDK, but those companies need to create a one-size-fits-all product, and that means following Android's way of lumping everything together.

Companies get caught in the crossfire and are blamed for things they can't control.

DJI did respond to these objections and explained that this is how something like the Facebook SDK works. The company also did a great job explaining all of the issues and if you're interested you should read the response. While I don't agree with some of what's happening in the DJI Go 4 app, I do appreciate the well-thought-out reply.

However, this doesn't address the elephant in the room, which is — why does it work this way? The answer is because Android still lumps way too many things together when it comes to sharing data, both internally and externally. To share a photo through an SMS app, you need to grant permission for an app to see and read your text messages, see your photo library, see your contacts, control your camera, and more. You can't simply choose one photo and send it to one person because the app needs to check your contacts when you search for one, and then it needs to access the photo itself and inject it into your texting app and so on and so on. It's super complicated.

Google is working on fixing the mess, but it's slow going.

Google is addressing the biggest problem by forcing new apps and app updates to slowly shift to targeting newer versions of Android to be accepted to Google Play. This helps because writing an app that targets an older version means it doesn't have any sort of granular permissions, and instead, you accept them all when you install it. This still won't let you share a photo without granting access to all of your contacts, but it does remind you that you're doing so when you first try it.

I know this isn't an easy thing to do; it took more than 10 versions of Android before we were able to allow an app to write to an SD card without giving it permission to read everything on it. I also know that developers don't like seeing changes when it comes to permissions because that means more work to create or update an app. Still, there has to be a way to reach a point where I don't have to share all of my photos with a company that makes drones when I live-stream a flight.

Jerry Hildenbrand
Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.