Google said at the time that it removed the feature because its experimental nature could break apps, a statement that was greeted with skepticism.
The Electronic Frontier Foundation's Peter Eckersley wrote, "The fact that [Android users] can not turn off app permissions is a Stygian hole in the Android security model, and a billion people's data is being sucked through."
While calling the lack of a per-permission toggle a "Stygian hole" might be a bit dramatic, it's true that Android would benefit from a more nuanced approach to permission security.
"I think many consumers would love to use certain apps, but limit [those apps'] access to certain pieces of information," said Jeremy Linden, a security product manager at Lookout Mobile Security. "More granular access to permissions is a better take."
However, it's not going to happen. At least, not before Android 5 at the earliest, and possibly not before Android 6.
Permissions toggle breaks apps
Google would face two major problems if it had kept App Ops in KitKat. The first is that the company is probably right about how a per-permission toggle could prevent apps from functioning properly.
"Android developers have developed their apps with a certain paradigm: you either get all the permissions or you don't get the app," Linden explained. "So many apps developers have been building for either all or nothing, [the App Ops] functionality in its present state would break many apps."
Imagine you have a movie theater app that tells you what films are playing nearby. It wants to access your GPS, but you're only interested in its showtimes feature. If you disable the GPS permission, the failure of the location request might break the app.
Eventually, Linden explained, "the developer could code the app to gracefully fail, but the app ops feature didn't allow that."
Not being ready for "prime time" but allowing the feature to stand, he said, would result in Android users would get error messages they couldn't understand.
And that leads to Google's second problem when introducing App Ops, or something similar: its user base.
While Google isn't talking specific user numbers, there have been more than 1 billion Android device activations, and somewhere around 1.5 million new Android devices get activated every day. Google simply, and arguably, quite logically, doesn't want to risk introducing a feature that will break phones for new or old users.
"Google's covering for the casual user," said CyanogenMod's Abhisek Devkota, who heads up the custom ROM's moderation and community team.
CyanogenMod is the most popular third-party remix of Android, with more than 10 million users. That's not many compared to Android itself, but for an alternative version of Android with a complex installation process, 10 million is an impressive accomplishment.
And because they have fewer users to worry about, they can make changes to the Android code faster than Google can.
Permissions toggle comes easier to third parties
If the issue is important to you, you might be aware of the fact that CyanogenMod has implemented the exact feature that Google has just pulled. Why is CyanogenMod able to pull it off, when Google can't?
Part of the answer lies in the aforementioned user base. Google can't push out a new feature that would potentially break most if not all apps.
"Most users aren't comfortable knowing what all the permissions are that an app can handle," Devkota said.
CyanogenMod recently updated its Privacy Guard feature to include the App Ops functionality, but even then, Devkota noted that it blocks only a few kinds of permissions such as contact list access and location list access.
CyanogenMod circumvented the problem of having a disabled permission breaking an app by telling the user that a feature has been blocked with a persistent notification in the app. Still, there remains work to be done in CyanogenMod's implementation of the feature.
"In an ideal world, you could control app features on a per-app, per permission basis," Devkota said. "I don't think we've seen the end of it."
What Google must do to resurrect App Ops
Google left the App Ops framework in Android 4.4.2, an indication that the company is not sticking its head in the sand.
"Seeing it somewhere in the operating system means we're probably going to see it again at some point," said Devkota.
The feature is a major one, and its impact on developers shouldn't be underestimated. Given that, if and when the feature comes back, it'll probably be in the next major-point update to Android -- or the update after that.
"The vast majority of this is not a simple coding challenge. We are happy that Google choose to be conservative in this respect, as Android app developers," Linden said.
He estimated that only 5 percent of the work would be the effort to get the new permissioning model to function. The rest of the effort would have to be devoted to figuring out how to migrate older app to work with the new permissions scheme.
"It would be the largest change in modern Android history," he said.
No comments:
Post a Comment