Android’s permission system sets it apart from most other operating systems. Before installing an app, the user is shown a list of permissions that the app requires and the user can decide whether to install the app or not. Traditional desktop operating systems have not had a significant permissions system that amounted to more than file-level ownership, but mobile devices have a much more pressing need to control what can happen on the device. Allowing an app to access web resources, send text messages, control GPS chips, or interact with other apps has the potential to lead to a poor user experience or, worse, cost the user money. Of course, these are all things that the user might want an app to be able to do, so having a proper permissions system is vital in order to promote innovation while keeping the user safe.
There are two main ways to address the need to keep users safe: let the user see/control the permissions an app uses or control what the user can install. By letting the user see the permissions an app uses, you maximize the innovation that can happen because an app can do anything as long as the user allows it, but you create work for the user. That additional work for the user is particularly bad on a mobile device where interactions with the device are frequent and in short bursts, meaning that the user may just click on whatever “okay” button is on the screen to get the task done. By controlling what the user can install, you limit innovation because you have to be more strict about what users can install (what’s good for one user is not necessarily good for another, so you have to block it from both) but you make it easy for users to install apps.
Android’s Permissions System
Android takes the approach of putting the onus on the user in order to allow apps of all kinds. If I, as a user, want to install an app that is able to start just before I wake in order to sync the RSS feeds I care about, I can. If I want to install an app that can automatically upload every photo I take to a custom cloud storage solution as soon as I press the shutter button, I can. This is ideal in terms of giving apps the ability to do nearly anything, but it’s not so great in that it requires the user to approve features up front before using the app regardless of whether the manner in which the user actually uses the app would require all the permissions.
A more concrete example is what Path did. They uploaded users’ address books to their servers to look for friends. Android users could see that access to their contacts was required, but they could not see why. When would my friends’ details be accessed and how would they be used? What if I want to use the app without giving it access to my contacts?
A big step toward improving the Android permissions model is to allow optional permissions. There are some permissions that an app needs in order to be useful. For example, an email client without the internet permission is useless, so those required permissions would continue to work the way permissions work now. However, an email client could work without access to your contacts. It might be significantly less useful, but the primary function of the email client, sending and receiving emails, would be intact. This optional permission would be declared in the manifest but with required="false" specified. When the app wished to use the permission, the system would pop up a dialog and the user could choose to deny, allow this time, or always allow. An app could also request a dialog that has only the options to deny and always allow, in order to support things like enabling vibration on notifications in a settings screen. The user clicks the box to make new messages vibrate the device, and the app requests that permission and listens for whether deny or allow was clicked in order to update the check box.
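Android 6.0 (API 23) later shipped runtime permissions in a form close to what this paragraph proposes: permissions in the "dangerous" group are still declared in the manifest, but the system grants them only when the app asks at runtime, and the user answers a dialog drawn by the system rather than by the app. The block below is an added example written for this post, not the author's code: it implements the email-client case above in Java using the real `ContextCompat.checkSelfPermission`, `ActivityCompat.requestPermissions` and `onRequestPermissionsResult` API. The `required="false"` attribute is the post's proposal and not an actual manifest attribute, so the manifest excerpt simply declares both permissions; the activity name, layout, view id and request code are assumptions made for the example.

```java
// Manifest excerpt (constructed for this example). INTERNET is a "normal"
// permission and is granted at install, which matches the post's "required"
// case; READ_CONTACTS is "dangerous" and is granted only when the app asks at
// runtime, which is the optional-permission behaviour the post describes.
//
//   <uses-permission android:name="android.permission.INTERNET" />
//   <uses-permission android:name="android.permission.READ_CONTACTS" />

import android.Manifest;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.widget.CheckBox;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

/** Settings screen of a hypothetical email client (name and layout are assumed). */
public class ContactSyncSettingsActivity extends AppCompatActivity {

    private static final int REQ_READ_CONTACTS = 1001; // arbitrary request code
    private CheckBox suggestFromContacts;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_contact_sync_settings); // assumed layout
        suggestFromContacts = findViewById(R.id.suggest_from_contacts); // assumed id

        // Reflect the real grant state rather than a stored preference: the user
        // may have revoked the permission in system Settings since the last launch.
        suggestFromContacts.setChecked(hasContactsPermission());

        suggestFromContacts.setOnCheckedChangeListener((box, checked) -> {
            if (!checked) {
                // Turning the feature off needs no permission; mail still works
                // without contacts, which is the point of making it optional.
                return;
            }
            if (hasContactsPermission()) {
                return; // already granted, the feature is simply on
            }
            // Not granted yet: keep the box unchecked until the user actually
            // allows, then ask. The dialog is presented by the system, so the
            // app cannot misrepresent what it is asking for.
            box.setChecked(false);
            ActivityCompat.requestPermissions(
                    this, new String[] {Manifest.permission.READ_CONTACTS}, REQ_READ_CONTACTS);
        });
    }

    private boolean hasContactsPermission() {
        return ContextCompat.checkSelfPermission(this, Manifest.permission.READ_CONTACTS)
                == PackageManager.PERMISSION_GRANTED;
    }

    @Override
    public void onRequestPermissionsResult(
            int requestCode, @NonNull String[] permissions, @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_READ_CONTACTS) {
            return;
        }
        boolean granted = grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED;
        // Update the check box from the user's answer, as the post describes.
        suggestFromContacts.setChecked(granted);
        if (!granted && !ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.READ_CONTACTS)) {
            // Denied with "Don't ask again" (or the system has stopped prompting):
            // further requests are refused silently, so point the user to Settings
            // instead of re-prompting in a loop.
            Toast.makeText(this,
                    "Contact suggestions are off. Contact access can be enabled in Settings.",
                    Toast.LENGTH_LONG).show();
        }
    }
}
```

Two design points are worth noting. The check box is driven by the actual grant state, not by a saved preference, because the user can revoke the permission from the system's per-app permission screen at any time, which is exactly the kind of user control the post asks for. And the app never re-prompts after a permanent denial: once the system stops showing the dialog, the only honest path is to tell the user where the setting lives.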
By allowing some permissions to be required and some to be optional, you lower the barrier to entry for apps and you make the required permissions more meaningful to the user since most apps would only require a few permissions, so they’re much more likely to be looked over.
Just as users can manage which apps they have made the defaults for given Intents, users could manage which apps they have given optional permissions to. Part of this might even be a list of apps by permission (e.g., which installed apps can send text messages?), perhaps sortable by most recent use (e.g., which apps most recently used location services?). Ideally, the user never needs to manage the permissions, but Android has done a good job of supporting users who want to get into the "guts" of their devices as well as more typical users, and it should continue to do so. Transparency is vital when dealing with permissions.
Optional permissions are not the perfect solution, but they’re better than current solutions implemented in Android and elsewhere. They retain the ideology of letting the user control how he or she uses the device, while avoiding the problems of an arduous approval process.