To be honest, the default approach should be that app developers are only allowed to ask for one permission at a time. This would provide a constraint where the developer would ask for permissions they need only when a user tries out a feature in the app that relies on that one permission.
Accessing the address book is another area where permissions could be made much better. No app really needs access to my entire address book. They just need to launch the built in address book and only get the information they need for the one or more contacts you choose from your address book.
I agree, but look at the grief Microsoft got when they tried it with Vista's UAC prompts... more permission popups is clearly not what the majority of users want.
I think one solution is having the prompts integrate with the sort of crowdsourcing algorithm that XPrivacy has (e.g., if >90% of users have granted the app permissions on the address book, then don't show the prompt.)
Another important feature is that the app should not know if the user has granted it the permissions it asked for. If the user doesn't want to, the system should just feed the app bogus data and let the user continue interacting with other parts of the app (as we see today, most apps don't really need the data they collect in order to work.)
This isn't the problem with UAC prompts. Their problem is that the user simply doesn't have the information to make any kind of informed decision, since the prompts are at pointless places in the lifetime of a process or give very little information on what is actually going to happen ("Do you want to allow the following program [..] to make changes to this computer?").
Android permissions, on the other hand, are reasonably fine-grained and allow the user to deduce what the app is going to do. If the app wants to send an SMS, how hard is it to pop up a modal dialog that shows the target number and asks for the permission right there? That is obviously much better than showing it in one big list along with "internet access" in some nag-screen on the store.
Of course the app should know I didn't grant the permission. The only reason you revert to bogus data is because apps currently crash in horrible ways instead of handling it gracefully, as would be the case if this kind of at-the-spot permissions handling was the default.
Showing modal dialogs on every new permission request is how XPrivacy works right now, and while I understand and deal with the process, I can easily see how most people would (rightly) see it as an annoyance. I'm just saying they could easily augment it with their crowdsourced data and reduce the number of prompts, which would mean people will actually pay attention to the prompts when something bad happens.
Re: your second point, you're right, if the on-demand permissions handler were the default, more apps would handle it gracefully. However, it's not, and most apps today crash because they don't handle SecurityException when they call the Android APIs. Also, you're assuming developers will act in good faith and will do whatever the users want. I would not be surprised at all if companies like Zynga, if they knew the user didn't give them the permissions, implement all sorts of dark UIs to trick/force the user to give them their data.
Should we not protect users just because they're too trusting with computers to realize what's going on?
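The graceful failure the comments above ask for (returning no data instead of crashing on SecurityException, and using the built-in picker rather than reading the whole address book, as the first comment suggests), as an added Android/Java example; this is not code from any commenter, and PICK_CONTACT_REQUEST is a hypothetical request code.

```java
import android.Manifest;
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.provider.ContactsContract;
import androidx.core.content.ContextCompat;
import java.util.ArrayList;
import java.util.List;

/** Constructed example: read contact names without assuming READ_CONTACTS was granted. */
public final class ContactsAccess {
    public static final int PICK_CONTACT_REQUEST = 1001; // hypothetical request code

    /** Returns display names, or an empty list when READ_CONTACTS is missing or revoked. */
    public static List<String> readContactNames(Activity activity) {
        List<String> names = new ArrayList<>();
        // Check first: since Android 6.0 the user can revoke READ_CONTACTS at any time.
        if (ContextCompat.checkSelfPermission(activity, Manifest.permission.READ_CONTACTS)
                != PackageManager.PERMISSION_GRANTED) {
            return names; // treat "no permission" as "no data"; the rest of the app keeps working
        }
        String[] projection = { ContactsContract.Contacts.DISPLAY_NAME_PRIMARY };
        try (Cursor c = activity.getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI, projection, null, null, null)) {
            if (c == null) return names;
            int col = c.getColumnIndexOrThrow(ContactsContract.Contacts.DISPLAY_NAME_PRIMARY);
            while (c.moveToNext()) names.add(c.getString(col));
        } catch (SecurityException e) {
            // The provider can still throw if the grant was revoked between the check and the query.
            names.clear();
        }
        return names;
    }

    /** Least-privilege alternative: let the user pick one contact via the system picker. */
    public static void pickOneContact(Activity activity) {
        Intent pick = new Intent(Intent.ACTION_PICK, ContactsContract.Contacts.CONTENT_URI);
        activity.startActivityForResult(pick, PICK_CONTACT_REQUEST);
    }
}
```

The URI returned to onActivityResult by the picker carries a temporary read grant for that one contact, so the app never needs the blanket READ_CONTACTS permission.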
> I agree, but look at the grief Microsoft got when they tried it with Vista's UAC prompts... more permission popups is clearly not what the majority of users want.
Counterpoint: iOS appears to have a very successful permissions model in doing exactly this.
* Permissions are asked for one at a time
* Apps are expected to handle rejected permissions, but they're sent dummy data anyway (address book has no contacts, GPS coords are 0,0, etc.)
I guess something like that may work better in a more limited mobile environment where you don't have to do it 20 times an hour, and it's also easier to do it with touch.
> I agree, but look at the grief Microsoft got when they tried it with Vista's UAC prompts... more permission popups is clearly not what the majority of users want.
Android only asks for those permissions when installing the app, which is not too burdensome. IIRC Vista did UAC popups for almost every user action, which people rightfully raised hell about.
A better way would be to come up with a smart grouping profile for apps that want reasonable common combinations. For example, "Standard application that can access your INTERNET". Give it a nice screen. "Standard application that can USE YOUR CAMERA and access your INTERNET" would get a big question mark icon.
For any app that wants any weird combination outside the standards, make it opt in like you say - one permission at a time. With each requiring a screaming skull and crossbones.
If you did that, you could integrate more fine-grained permissions into a small number of supported profiles, and developers would be strongly discouraged from choosing anything outside that combination.