Tuesday, 3 June 2014

Play Store hides internet permissions: what was Google smoking?

The Google Play Store changed a bit last week. Not just the app, but the mobile website too. Some of these changes are good, some are incredibly stupid. Whoever is responsible for "simplifying" the app permissions should be forced to eat a dozen iPhones.

Play Store mobile website

Opening the Play Store in your mobile web browser used to be horrible. You'd get the desktop layout, an overload of crazy scripts slowed things down to a Nokia N95 on GPRS (that's the old mobile version of a dialup modem), and every tap would spawn a popup with most of the information out of sight beyond the edge of the screen.

But now the Play Store website has a real mobile version. It's still clumsy and slow, but at least you can see most of the information without scrolling your thumbs to pieces.

But why would anyone care about a mobile site if you've got the Play Store app on your Android already? There are two good reasons:

1) Sometimes the Play Store app spits out an inexplicable error with a cryptic number. Installing the app from the mobile website usually fixes things.
2) The website makes it easy to install or update apps on different Android phones and tablets, without having to open the Play Store app on each of your devices.

Some info in plain sight

When the Play Store app started to show whether an app had "in-app purchases," it did so where the app update date used to be. Wanted to find out when the app was updated? You had to expand the description and scroll all the way down to find out. Some app store descriptions are really long. Twenty testimonials followed by thirty competing app names and fifty spammy keywords means a lot of scrolling to get to the info you want.

The new Play Store puts version number, update date, app size, and a link to the app permissions together at the bottom of the screen without need to expand the entire app description. That makes it a lot easier to see if the update is really new, and not an old update that you skipped because it broke the app.

Permissions? Just bend over and spread 'em!

When you hit "install" or "update," the Play Store pops a list of app permissions in your face. If you know what's good for you, you read them. If you've traded your brain for a free McJunk Happy Meal, you click "I agree" on everything and pay the price.

Most people take the Happy Meal, and Google likes it that way.

The new simplified app permissions screen looks like a good idea at first glance. But when you try to expand the permissions you don't get the full list. Instead, you get a heavily dumbed down version that doesn't tell you anything useful.

For example, when you expand "Location" the extra info reads: "uses the device's location." Duh! Does it use network location, GPS, or both? When you expand "Identity" you get the similarly useless "uses one or more of: accounts on the device, profile data." What's that supposed to mean? Can an app with access to "profile data" read my phone number and email address, yes or no?

It gets worse! When you allow an app to auto-update, it used to ask you if you'd accept any new permissions. But not anymore. If the new permissions are in the same "permissions group" as a previously granted permission, Google assumes that you'll accept any new permission from that group. It won't even tell you about those new permissions. If an app was allowed to read your texts, an update can grab permission to send them too without your knowledge. If you allowed an app to get your rather course network location, a new permission that lets the app drain your battery to pinpoint you by GPS is granted automatically without notice. Yes, that's creepy indeed.

And the internet permission is missing!

Google believes you don't need to know about internet permissions

According to Google:

"These days, apps typically access the internet, so network communication permissions including the "full internet access" permission have been moved out of the primary permissions screen."

Whoever is responsible for that deserves a slow and painful death. Really.

When I install an app that can read my contacts list I definitely want to know if it has internet permission, because the combination of access to contacts and internet can bomb you and everyone in your contacts list with unstoppable spam.

When I install an app that encrypts my passwords and credit card number, I definitely don't want that app to have internet access.

There are plenty of other reasons why "network communication permissions" are the most important on the list. Any app that can go online should have that permission displayed in big bold type on top of the permissions list!

Of course Google doesn't want that. "These days, apps typically access the internet" indeed, and often for the sole purpose of downloading ads and sending data to Google Analytics. Collecting data for online advertising and throwing banner ads on your phone or tablet is the reason why Google made Android, so obviously they'd rather not have you wondering why an icon pack or a battery widget wants to go online. Just buy the Happy Meal. No need to ask questions, Big Google knows what's good for you.

You can still see whether an app grabs internet permissions or not, but now you have to scroll to the bottom of the Play Store listing, tap "view details" under the permissions header, and look for your reading glasses. The "full network access" permission is hidden in tiny small light grey print under the heading "Other," as if the most important permission of them all is not important at all.

Grab back the keys

The Android permissions system is a broken mess. If you don't want to say "OK Google" to anything but voice search, you have to wrestle the keys back into your own hands. Here's how:

XPrivacy, Android's most comprehensive permissions manager

AFWall+, the best firewall for Android

AdAway and other Android ad blockers

Why Google should make its own ad blocker
Addons Detector exposes spyware and adware

Stop Google, Facebook, and other Big Brothers from tracking everything you do on your Android

Dump the Happy Meal. Root your phones and tablets and pick your Android permissions à la carte.

tweet this reddit digg this StumbleUpon digg this digg this

1 comment:

  1. in Windows Phone--no app can read your call log or sms. In fact, no app can directly call without you saying yes. Sms they can compose but not send !