My Android phone, running Ice Cream Sandwich 4.0.3 warns me every time an application I've already installed wants different (likely more) permissions on my device. Usually, this is followed by an inquisitive look, a deep sign, and a grumble about yet another application developer who's either ignorantly or purposefully over-stepping their bounds on my device. What happens next is both deplorable, and predictable.
After a brief moment of outrage that my social media app now requests the ability to read the contents of my address book... I resign myself and click "I accept". Before you condemn me for it, ask yourself how many times you've done that exact thing. You've gotten outraged that an app requires access to some part of your device you're not comfortable giving ... then without really seeing another way forward you resign yourself, and accept and grumble. Happens all day, every day ... hey at least we're paying attention enough to see the new permissions being asked for. Most mobile device users would just click "I accept" without bothering to read the permissions change because they have no idea what it means ... now that is the really scary part.
Actually ...come to think of it, at least Android tells you what permissions that super-critical business app (Angry Birds?) is going to be empowered with, my Apple iOS 4.x device doesn't even bother offering those details.
Just as a side note, have you ever read Android's permissions model manifest entry? Wow... just wow.
Earlier, before I wrote up this post, my pal Tomasz Miklas who's a security consultant out of the UK poted this on Twitter:
From his Mac computer, an application called Xcode was asking to access his contacts. By the way, from the Apple description page, this is what Xcode is described as:
"The Xcode developer tools package provides everything you need to create great applications for Mac, iPhone, and iPad."
Yup, seems perfectly legitimate for that applciation to be asking to access your contacts list ... wait, what?!
Queue the moral outrage!
Before everyone gets too crazed over this behavior by developers, let's remind ourselves why this happens, or rather, why it continues. I am 101% confident that I'm not alone when I say there are 3 reasons that developers are pulling these types of stunts - one of them is us. Allow me to explain.
- Developers simply don't know better - This has got to be the primary reason this sort of madness happens. This is also consequently the most benign reason, so I'll put this in the number 1 spot. Presented with the endless array of options to make their application just work right and not having the ability, or time, or debugging skills to understand how to do it right, the developer simply overshoots the required permissions. I dare you to tell me you've never seen this before anywhere else... think back to firewall troubleshooting when something critical was on the line. When an application didn't work "through the firewall" we went port by port for a while but then eventually gave up and opened every port, right? This behavior and outcome hasn't changed...and it likely won't in the near future.
- Users don't care - Actually, maybe more accurately, user's don't know they should care, so they don't. If users simply made a stand against applications which demand more permissions than logic dictates, and did not install those applications sloppy developers (or malicious ones?) wouldn't make the sales and may get the message. If an app that had good security and proper permissions sold better than one that was lax and loose with its security/permissions needs the developer may get the obvious hit... you think?
- Malicious intent - let's assume this isn't one we can do anything about ...at least not by refusing to install it :)
So again, why do developers keep overstepping their boundaries and asking for way, way too much permissions on your mobile devices? Because they can...and you're not going to do a **bleep** thing about it except complain on Twitter like Tomasz and I.