Excessive mobile application permissions have long been a security and privacy concern, in particular for Android users who download apps for the platform from a number of sources, and not just from Google.
The most notorious case is likely Goldenshores Technologies LLC, which agreed to settle charges with the U.S. Federal Trade Commission that it deceived consumers who downloaded its Android flashlight application. The app requested an inordinate number of permissions, including geolocation, which was shared with advertising networks.
Today at its annual I/O event, Google announced a new system coming to Android that brings the platform closer to Apple’s way of doing business. The system will enable users to download apps with zero permissions granted, and then during the course of normal usage, users will be prompted by the app if they want to extend any number of permissions.
During the I/O keynote in San Francisco kicking off the event, Google said it hopes the new system encourages developers to consider user privacy and security at the outset, and seek less data from the device, and consequently, the user. Under the new system, users will make a one-time decision whether to grant or deny the app the individual permission in question with the understanding that denying may limit the app’s features and functionality.
“Hopefully this helps users pay more attention and understand the security impact of any applications they install,” said Steve Manzuik, Director of Security Research at Duo Security.
Google has been slowly moving in this direction since the introduction of Android 5.0, or Lollipop, which deployed kernel-level policy enforcement via SELinux and turned on device encryption by default. Both moves helped curb the risk of excessive permissions by bringing application enforcement to the kernel.
Google’s first Android Security Report, released in April, put some hard numbers behind the effectiveness of other security measures in the OS, notably Verify Apps (the old Bouncer) and SafetyNet. Both measures cut down on the number of potentially harmful apps users are allowed to download from Google Play. For example, as of the report’s publication, fewer than one percent of Android devices had a harmful app installed, and 0.15 percent of devices that downloaded only from Google Play had a harmful app installed.
I/O image via Maurizio Pesce’s Flickr photostream, Creative Commons