"When the user installs or updates the app, the system grants the app all permissions that the app requests that fall under PROTECTION_NORMAL. For example, alarm clock and internet permissions fall under PROTECTION_NORMAL, so they are automatically granted at install time."
Based on the Android 5.1 source, there are a lot of permissions in the "normal" group, which will apparently now be accepted automatically at install time:
Application YourTypicalMobileApplication is asking for access to the Internet
to display advertisements powered by Google AdMob.
[ D̶E̶N̶Y̶ ] [ ALLOW ]
(Do you think we would give you the option to easily cut our income?)
That's what I meant. It covers a good ~95% of all ads. Have any extras register for security exemption. Makes sense to me - in the context of not screwing the user over constantly.
Can't agree more. It always bothers me all apps can access my external storage by default.
But I have to use Android, because it's the most open established mobile ecosystem. Only system that supports the mobile web browser I find tolerable to use for instance (hint - it's not the default browser or Chrome). Only system that allows developers to map executable pages. Only system that allows me to customize user experience as I see fit, and not offer one size fits all. And so on.
>As for Internet, they leave that out of their "improved" Play store permissions as well (and the M groupings seems like a carbon copy).
Why would they do that? On it's own "Internet" may not seem to be an important category, but I am willing to give apps many more permissions if I know that they can't phone home. For tools, the Internet permission is often the deciding factor for me.
A few years ago mobile virtualization was hyped a lot. What came of it? I'd love to be able to run multiple OS instances on same phone. Use one for private communication and others for fun and games (not that I play games, but the point).
Nowhere near the same but android does support multiple accounts - might be worth looking into whether they're sandboxed enough to stop apps looking beyond the account they're installed on.
I'd like to see a modified internet permission that permitted access to only a specific domain. Maybe along with a policy prohibiting or discouraging using the all-internet permission for anything that didn't clearly need it, like say a web browser. Say the Twitter app only has permission to access URLs under twitter.com, and accessing any other URL domain is a separate permission.
I'm not sure if Google would go for it, but I suppose it would encourage devs to use Play services for ads and analytics, since it wouldn't need any extra internet permissions, while using an external service for either would.
Google should silo those into separate categories to generic "internet access". Same with ad access. Sending data to pre-whitelisted, registered and trusted sites that register with Google in advance should be in a different category to "upload to random server in china".
>Isn't there an entry point on the OS/Google Play side that allows the dev to get crash reports?
There is, but there are multiple crash reporting services that provide more features than Google (and just having some competition in that area is pretty great).
In my company, we use Crashlytics on Android & iOS and Bugsense on wp.
Everyone with a pulse has asked themselves that already, and come up blank. All we have are potential conspiracy theories revolving around ad revenue for both Google and app devs.
- Read external storage
- Internet