[cap-talk] Android using capability discipline

๏̯͡๏ Jasvir Nagra jas at nagras.com
Thu Jul 1 11:33:03 PDT 2010

On Wed, Jun 30, 2010 at 7:46 PM, Kevin Reid <kpreid at switchb.org> wrote:

> On Jun 30, 2010, at 17:29, Dan Bornstein wrote:
> >> (Is there any way to provide partial permissions to an android
> >> application?)
> >
> > Nope. This was debated — at length — within the Android team. In the
> > end, the consensus was that partial permission grants would lead to
> > two bad things: (a) more apps that asked for unnecessary permissions,
> > on the theory that, after all, the user could just turn off the ones
> > they don't want; and (b) more bugs for app developers whose apps would
> > get run with unexpected permission sets, leading to worse end-user
> > experience and more trouble for developers.
> I just recently got an Android phone, and I noticed a particular
> example of this: I installed Pandora, which requested access to my
> contacts. I assume this is for the 'Share' functionality, but I have
> no intent of ever using it and would prefer that the app not have this
> information.

One very useful suggestion made by Shriram Krishnamurthi was for each
requested permission to come with a developer's (or attacker's) free-form
explanation of why they needed the permission.  In addition, the user
feedback would include "app asks for too much permission for what it
provides" and the particular permissions that were inexplicable.

This has an advantage over the free-form feedback Dan mentioned earlier in
the thread because it's easier to parse for someone looking for this
information and can be used more reliably when ranking apps.

> It would be easy to stub out this functionality in a non-fatal way
> (pretend the contact list is empty) -- but then you have the complaint
> "why isn't share showing anything?"

I agree this works most of the time, but mock stubs can sometimes have
unexpected consequences.  For example, if you grant a contact list syncing
app a mock contact list, does it delete all your contacts upstream?

> I would in general rather have the option of trying apps with low
> permissions and then possibly giving them more later, but atypical
> user blah blah blah.

> --
> Kevin Reid                                  <http://switchb.org/kpreid/>
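As an added illustration of the hazard Jasvir raises (example code written for this page, not from the thread or from Android), a toy two-way contact sync in Python: the "pretend the contact list is empty" stub looks, to a naive sync, like the user deleting every contact, and that deletion gets pushed upstream. A client that can tell "permission denied" from "genuinely empty", and that refuses an implausible mass deletion, leaves the upstream store alone. The provider class, the deletion threshold and the contact data are all constructed for the example.

```python
"""Constructed two-way contact sync showing why a mock empty contact
list can wipe an upstream store, and how a sync client can guard it."""
from dataclasses import dataclass, field


class ContactsDenied(Exception):
    """Raised when the app was not granted read access to contacts."""


@dataclass
class ContactsProvider:
    granted: bool
    contacts: dict = field(default_factory=dict)

    def read(self) -> dict:
        if not self.granted:
            raise ContactsDenied("READ_CONTACTS not granted")
        return dict(self.contacts)


def stubbed_read(provider: ContactsProvider) -> dict:
    """The non-fatal stub from the thread: denial becomes an empty list."""
    try:
        return provider.read()
    except ContactsDenied:
        return {}


def naive_sync(local: dict, remote: dict) -> dict:
    """Make the server mirror the phone. An empty local view reads as
    'every contact was deleted', so the remote store is emptied too."""
    return dict(local)


def safe_sync(provider: ContactsProvider, remote: dict,
              max_delete_fraction: float = 0.5) -> dict:
    """Propagate deletions only when the local store was really readable,
    and refuse a mass deletion (constructed threshold, 50% by default)."""
    try:
        local = provider.read()
    except ContactsDenied:
        return dict(remote)          # unavailable is not empty: change nothing
    removed = set(remote) - set(local)
    if remote and len(removed) / len(remote) > max_delete_fraction:
        return dict(remote)          # implausible mass delete: do not push it
    merged = {k: v for k, v in remote.items() if k not in removed}
    merged.update(local)             # adds and edits from the phone win
    return merged


# Constructed sample data: three contacts upstream, app denied local access.
REMOTE = {"alice": "+1-555-0100", "bob": "+1-555-0101", "carol": "+1-555-0102"}
DENIED = ContactsProvider(granted=False, contacts={"alice": "+1-555-0100"})
```

`naive_sync(stubbed_read(DENIED), REMOTE)` returns an empty upstream store, while `safe_sync(DENIED, REMOTE)` returns it unchanged.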