Digital rights group: Users face choice of "privacy or security on Android, but not both"

Google has frequently found itself drawing criticism for its privacy policies, something that Microsoft has been particularly keen to highlight with its Scroogled campaign. As users come to rely on mobile devices in ever-greater numbers – and with Android dominating the smartphone market – concerns are increasingly being raised about the privacy policies that Google adopts on its mobile OS.

Earlier this week, the Electronic Frontier Foundation (EFF) – a non-profit organisation campaigning for improved digital rights for users – published an article entitled ‘Awesome Privacy Tools in Android 4.3+’, in which it praised Google for introducing greatly improved and more granular options to give users more control over what data could be accessed and used by apps installed on their devices. In that article, the EFF’s Peter Eckersley wrote:

“To date, there has been no way to run apps on Android with real and reliable privacy controls. Android version 4.3 and higher take [sic] a huge step in the right direction, letting users install apps while denying some of the apps’ attempts to collect the user’s data.”

That praise did not last long. The next day, Eckersley published a follow-up article, noting that Google had removed those ‘App Ops’ tools completely in the latest OS release, Android 4.4.2, which is currently rolling out to its newer Nexus devices.

After the EFF contacted Google about the removal, a company spokesperson said that the App Ops tools had been ‘released by accident’ in Android 4.3, and that they were an experimental feature that could end up doing more harm than good by disrupting the operation of certain apps. Curiously, this does little to explain why Google did nothing to remove this ‘accidental’ feature in the Android 4.3.1, 4.4 and 4.4.1 releases that have appeared since version 4.3 was released at the end of July.

Eckersley isn’t buying that explanation either, calling it “suspicious” and adding that the EFF does “not think that it in any way justifies removing the feature rather than improving it”. He also opined that “the fact that [users] cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people’s data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago.”

His comments underline the practice of some apps which demand access to data that is seemingly unrelated and unnecessary for their operation, as a condition of installation. Users may question, for example, why a basic flashlight app needs access to their contacts list or location information, but they are left with no option to limit access to such data if they wish to install it.

Eckersley’s final word on the matter highlights the more difficult choice that Android users face. Newer OS versions don’t only add (or remove) features; they also bring improved security packages and bug fixes. “For the time being,” he says, “users will need to choose between either privacy or security on the Android devices, but not both. Google, the right thing to do here is obvious.”

Whether the company that prides itself on ‘doing no evil’ decides to reinstate the App Ops feature, to provide its users with a more comfortable balance of both security and privacy on future Android versions, remains to be seen. 

Source: EFF via Reuters

16 Comments


I, for one, have always been a huge Google fan until the most recent patch on my Nexus 5....

They've made it so that either:

A> My GPS is disabled completely or
B> If my GPS is on, I'm FORCED to share my location with all of the Google services.

A> I disabled the "Google drive sharing" on my phone, and suddenly all of my photos on my phone disappeared. Try to take new photos... nope. Won't save them.
B> I enable the "Google drive sharing" and all my photos almost instantly get uploaded to my "G-Drive" and my G+ account.

Google's really got me ****ed with this latest "SMS and Camera fix update" considering those are the things I DIDN'T have problems with, and now I have problems with a lot more.

Yea. Let's reinstate a feature (that wasn't a feature to begin with) that can break practically every app, just so we can appease an org who in this case doesn't know what they're talking about.

SharpGreen said,
Yea. Let's reinstate a feature (that wasn't a feature to begin with) that can break practically every app, just so we can appease an org who in this case doesn't know what they're talking about.

I'm all for privacy, but this org has no idea how things work and just spews out demands.

SharpGreen said,
Yea. Let's reinstate a feature (that wasn't a feature to begin with) that can break practically every app, just so we can appease an org who in this case doesn't know what they're talking about.

I'm all for privacy, but this org has no idea how things work and just spews out demands.

Actually there is a way Google could implement this WITHOUT breaking Apps. Go look up App virtualization techniques used in security. If Android implemented this for features turned off, the Apps would never know they were running with less permissions.

As for the knowledge of the org demanding this, I have no idea, but assume they might be looking at other security models that can provide virtualization techniques and give users privacy without breaking Apps/Code.

Mobius Enigma said,

Actually there is a way Google could implement this WITHOUT breaking Apps. Go look up App virtualization techniques used in security. If Android implemented this for features turned off, the Apps would never know they were running with less permissions.

As for the knowledge of the org demanding this, I have no idea, but assume they might be looking at other security models that can provide virtualization techniques and give users privacy without breaking Apps/Code.

Interesting... Never knew about these. Thx for the info. I've found using custom ROMs is good for privacy as some have things like PDroid, etc.

Sadly in this instance the EFF is 100% wrong, App Ops was not meant for public use, it was achieved using a workaround, that they removed that access is good, most users should not be using things like it unless it's fully fledged out and ready for public use, which it isn't, and even then it should not be easy to find, most users will break more things with it than anything else causing these ignorant users to complain about Android when it was them who broke it in the first place

If Google implemented this full fledged meaning to give users running stock this option, then none but Google would be the biggest losers.

Why so? If we disable the location permission etc. which Google relies on, it affects their maps. Similarly, if certain restrictions are implemented on the Gmail app, then access to contacts and call records for the app would go away, which would affect their ad revenue, and so on.

In my view, they had implemented this to make Android OS flexible to users' needs and then they would have later realized that it would indirectly affect their revenue, hence the removal of Ops App option.

This is just my guess, but I do believe that it could be true. I don't think it broke anything, just Google revenue.

The solution is not to install fishy apps (like a flashlight that asks to access your contacts) and disable some rights afterwards, which will eventually break things when the app actually tries to access the contacts.
The solution is to install apps that can be trusted and only ask for reasonable permissions.

The EFF is wrong on this one: Users should just use Android as it's intended and just take a few seconds to review permissions before installing new applications.

Most users don't care and won't care, and most developers will make apps that spy on users for that reason. What you propose is idealistic. The true solution is to install xprivacy.

BlueScreenJunky said,
The solution is not to install fishy apps (like a flashlight that asks to access your contacts) and disable some rights afterwards, which will eventually break things when the app actually tries to access the contacts.

As the EFF suggested, Google could improve the feature and Android developers could code their apps around the controls. Hardly rocket science.

BlueScreenJunky said,

The EFF is wrong on this one: Users should just use Android as it's intended and just take a few seconds to review permissions before installing new applications.

i.e. Privacy and choice are irrelevant on Android.

Google removed it because it broke stuff, and even though the options were hidden, apps started being made public which enabled people to turn these options on (And then quickly break stuff)

Even then, the actual functionality hasn't been removed, only the Google provided developer panel has.

It's useful to have, but the problem is that a system like this is incompatible with the existing permission system. Apps can (and do) assume that since they're installed, they can always access the functionality specified in their permissions setup, so don't bother checking for permission failure.

The_Decryptor said,
Google removed it because it broke stuff, and even though the options were hidden, apps started being made public which enabled people to turn these options on (And then quickly break stuff)

Even then, the actual functionality hasn't been removed, only the Google provided developer panel has.

It's useful to have, but the problem is that a system like this is incompatible with the existing permission system. Apps can (and do) assume that since they're installed, they can always access the functionality specified in their permissions setup, so don't bother checking for permission failure.

If Google truly wanted to offer users this level of protection, it could leave this functionality easily exposed and instead of 'breaking' Apps, virtualize their access so they don't realize they are touching things the user doesn't want them to touch. It isn't a hard concept and is fairly common in secure platform models today.

Sure, that's what a proper implementation would do, but this wasn't ever a proper implementation, it was a developer tool that people thought was a generic permissions manager.

For an app developer, being able to turn off a specific permission to see how an app handles the failure is extremely useful, for a user it'll make them wonder why their apps either crash instantly, or sit there chewing CPU and battery while it's stuck in an infinite loop.

The_Decryptor said,
Sure, that's what a proper implementation would do, but this wasn't ever a proper implementation, it was a developer tool that people thought was a generic permissions manager.

For an app developer, being able to turn off a specific permission to see how an app handles the failure is extremely useful, for a user it'll make them wonder why their apps either crash instantly, or sit there chewing CPU and battery while it's stuck in an infinite loop.

I agree it shouldn't have been in the hands of users.

However, if Google wanted to address their issues with privacy and security concerns for end users they would have implemented a better mechanism than the convoluted model they have been dragging around since the beginning.

Since this slipped-in feature is not a foreign concept to them, it would seem reasonable they would have considered how to implement it without causing problems. Even a basic virtualization implementation is something Android could do without breaking the JVM and offer better security without hurting Apps.

Google could use this as an opportunity. (It would shock me, but I would welcome it.)