In response to the uproar over how mobile iOS applications have had access to address-book data without having to inform the user, Google (NSDQ: GOOG) was all too happy to confirm Wednesday that its development model for Android applications makes it impossible to share personal data with an app developer unless you agree to do so before installing the app.
Tim Bray, Google’s head of Android developer relations, addressed Android’s take on the Path-inspired mess that forced Apple (NSDQ: AAPL) to acknowledge that it should have done a better job policing apps that uploaded address-book data from users without explicit permission. “Reading contacts on Android requires explicit OK,” he said on his Twitter feed, pointing to two Android development articles that address how Android deals with granting permission to access personal data.
A Google representative confirmed that an Android app can’t access any personal information on a user’s handset unless the user consents before the app is installed, whatever the means of installation: through the Android Market, a third-party app store, or side-loading onto a phone. “A basic Android application has no permissions associated with it, meaning it can not (sic) do anything that would adversely impact the user experience or any data on the device,” Google wrote in one of the development articles cited by Bray.
When an Android user goes to install an application, they are presented with a list of permissions that the app developer has requested the user grant the app for various reasons, most of which are benign. For example, when you try to download Path on Android, you’re asked to confirm that you’re willing to allow the application to “prevent phone from sleeping,” access “coarse (network-based) location, fine (GPS) location,” and “read contact data.” The more detailed description of that last permission says that you’re allowing “an application to read all of the contact (address) data stored on your phone. Malicious applications can use this to send your data to other people.”
Unless you agree to grant the app all of those permissions, you can’t install the app. “No checks with the user are done while an application is running: it either was granted a particular permission when installed, and can use that feature as desired, or the permission was not granted and any attempt to use the feature will fail without prompting the user,” the company said in that article. (emphasis Google’s)
There’s still the matter of how those applications store data that users have agreed to share with developers, as Twitter raised a few eyebrows by asserting it would store address-book data shared with its service for 18 months. Google responded to those inquiries by pointing to a blog post from 2010 that declared “if you have to handle user data, ensure that the data remains on the device whenever possible. … Sending data outside the phone, even if done for the user’s benefit, tends to draw suspicion.”
To be clear, those are merely guidelines: the free-for-all environment that is Android development means that anyone can create an app that sends data off a device without encryption, even if Google frowns on such practices. Android users are much more susceptible to malware than iOS users, especially if they don’t read the fine print associated with those applications. And if you’ve rooted your device, you’re kind of on your own.
Still, it seems that, assuming they actually read the permissions screen provided to them before they install an app, Android users shouldn’t be surprised by what their apps know.