CopperheadOS[1] has a good permission model (compared to stock Android). Notice that they had implemented a better permission model over Android's even in older Android versions which didn't have runtime granular permissions. It proves what the ad company Google itself could have implemented in stock Android had they not been an ad company.
CyanogenMod's Privacy Guard[2] - basically a proxy that sits between the apps and the ContentProviders, and provides user-configurable "fake data" - was another good approach. Not sure if its successor LineageOS has this feature working - a search shows user complaints that it doesn't work as expected - but I hope it has retained the feature.
I feel a distro that combines both approaches would have been best. Both approaches also prove that there was no technical impediment to implementing them in stock Android.
> It proves what the ad company Google itself could have done had they not been an ad company.
I think you make fair points, but I think this does not prove anything. CopperheadOS has a different user base than Android. A permission model that CopperheadOS users understand (e.g., CopperheadOS users are likely to be more technical) may not work for Android user base.
Their existence proves what was possible in stock Android. Why it didn't happen that way is open to speculation.
Personally, I feel it was because Google's main business did not, and does not, provide any incentives to design stronger permission and privacy models because it itself depends on collecting information about users.
Was usability also a factor? It may very well have been.
However, I disagree with a thinking that uses usability as an excuse to treat a user base numbering in the hundreds of millions as a homogeneous set who don't know anything, and who can't learn anything new.
People fall in a spectrum of capabilities, and more importantly, every individual is capable of moving around in that spectrum with time.
For example, a non-technical user who started out giving one app all permissions may realize their mistake when their email or phone number turns up in Google searches, and become more careful with other apps.
Stock Android could have catered to that and standardized on very granular runtime permissions as the default model. They already had existing ACL models like iOS / Windows policies / SELinux to copy from. They could have left the simplification to the market - the equipment manufacturers and users - to decide. But stock Android made it a binary all-or-nothing choice for a long time, and left it to equipment manufacturers to provide any additional protection, who of course didn't implement anything either because they too had no incentives to protect user information or standardize the security APIs.
Even now, Android's runtime permissions, while comparatively more granular, are not granular enough, and in practice become a binary choice where some apps refuse to work if a particular permission is not granted.
I have also noticed how Google in their Play Store keep the permission information hidden away in an obscure location at the bottom of the page, and don't provide any way to filter apps by permissions. How do I search for an app that lets me draw on images without asking for contact book information? Not possible without opening every app's page and checking its permissions. I usually try a bit, give up, and head back to GIMP on desktop. Is it for better usability? Does better usability mean keeping users ignorant and uneducated? I think it's not a good approach, and based on anecdotes from my personal network, I also think it's a mistaken assumption.
It seems like it should be an obvious given that just installing an FB app on your phone shouldn't hand FB a record of all your phone calls and text messages. Which is what appears to have happened on Android and nowhere else. The sensible question really is 'wtf is wrong with Android' not 'who and how is somehow managing to do this better'.
Nobody asks about cars that don't come with a face stabbing device nor writes long comparative reviews about the best car to get if you prefer not to get stabbed in the face.
> It seems like it should be an obvious given that just installing an FB app on your phone shouldn't hand FB a record of all your phone calls and text messages.
Has it been established anywhere that this was not the case (i.e. that just installing the app uploaded all calls and text messages)?
Read the article and explain how they could have been worse!
For anyone with a basic appreciation of "honesty" or "ethical behaviour", it is fairly obvious that simple improvements would include:
- Don't deceive the user about why the app is requesting permission.
- Don't deceive the user about what you will do with the permissions.
- Provide the user with an app that does what you say it does, for the purposes you say it is for.
Examples of platforms with a good model: in this context, it is well documented that Apple has been superior to Android.
iOS is pretty good. The onus for dealing with rejected permissions (in many cases) is put onto the app developer.
For example, if you make a photo editing app, you need to request access to the user's photo gallery at runtime of the app.
If they refuse, it's fully expected that your app will continue to work with reduced functionality. IIRC you will have trouble getting approved for the app store if your app breaks after permissions are refused.
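The pattern the comment above describes, as an added example that is not from the original thread or from any project it mentions: a photo editor asks for library access only at the point of use and treats a refusal as a normal mode of operation rather than a failure. The `EditorMode` enum, `editorMode(for:)` and `requestLibraryAccess` names are assumptions for the illustration; `PHPhotoLibrary` and `PHAuthorizationStatus` are Apple's Photos framework API, and the Info.plist key `NSPhotoLibraryUsageDescription` must state a truthful reason for the request.

```swift
import Photos

/// Feature set the editor runs with, derived from the library permission state.
/// (Hypothetical type for this example.)
enum EditorMode {
    case fullLibrary      // read/write access to the whole library
    case limitedLibrary   // user picked a subset of photos (iOS 14+)
    case importOnly       // no library access: edit camera captures or shared images only
}

/// Map an authorization status to the mode the app keeps working in.
/// Denied and restricted are expected states: the editor degrades, it does not refuse to run.
func editorMode(for status: PHAuthorizationStatus) -> EditorMode {
    switch status {
    case .authorized:
        return .fullLibrary
    case .limited:
        return .limitedLibrary
    case .denied, .restricted, .notDetermined:
        return .importOnly
    @unknown default:
        return .importOnly
    }
}

/// Request access once, when the user first opens the gallery picker, and hand
/// back a mode. The prompt text shown by the system comes from
/// NSPhotoLibraryUsageDescription in Info.plist, so it must describe the real use.
func requestLibraryAccess(completion: @escaping (EditorMode) -> Void) {
    let current = PHPhotoLibrary.authorizationStatus(for: .readWrite)
    // Do not re-prompt a user who already answered; respect the earlier decision.
    guard current == .notDetermined else {
        completion(editorMode(for: current))
        return
    }
    PHPhotoLibrary.requestAuthorization(for: .readWrite) { status in
        DispatchQueue.main.async {
            completion(editorMode(for: status))
        }
    }
}
```

Whichever mode comes back, the editing screen stays reachable; only the "open from library" entry point is hidden or replaced by an import action in `importOnly` mode.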
Yes, "was broken" seems like a better description. Still, it's pretty bad it lasted as long as it did - Symbian S60 already had that model before Android was even a thing.
- What is the minimum amount of data sharing required?
- What happens when permission is denied? Does the app close?
- Do people even understand what is being shared?
- Are these click through "consent" screens really giving informed consent? Are they deceptive and biased to get users to give permission without really understanding what is going on? ("Text anyone in your phone" doesn't sound like "Continuously upload SMS and call history." Nor does a giant blue button versus no button, look like there's even an option to say no.)
- Why is this data even allowed to be shared? (I understand that SMS and call data has never been shareable on iOS.)