How to stay smart about Android app permissions

Credit to Author: JR Raphael| Date: Wed, 20 Jul 2022 03:00:00 -0700

When it comes to Android and privacy, we’re accustomed to seeing things move in a certain direction.

It’s simple, really: With each new Android version, it usually gets easier to manage your privacy and understand how your information is being used. And we typically get more front-facing tools and under-the-hood improvements that allow us to handle that stuff intelligently. Obviously, right?

Of course right. And that’s precisely why it’s so puzzling to see the latest change Google’s rolling out to the Android privacy picture — a change that feels like backwards progress and a real disservice to those of us who care about being fully aware of what we put on our phones.

In case you haven’t heard, Google just introduced an update to its Play Store interface that removes the long-standing option to see exactly which permissions an app requires before you install it. I noticed it the other day and thought I was losing my mind (which, to be fair, is always a distinct possibility) — but then code-sleuthing superstar and Esper Senior Technical Developer Mishaal Rahman confirmed that the change was, in fact, actually happening and not just a figment of my imagination.

The shift appears to be connected to the launch of the Play Store’s new Data Safety section, which Google introduced a while back but is making mandatory for all apps as of today. Which, I mean, okay — I get it. Most average Android-owning organisms probably don’t look at the more detailed and technical breakdown of app permissions all that often, and Google’s undoubtedly got oodles of data that influenced this decision.

But even so, removing the ability for all of us to see that sort of information and have an easily accessible objective overview of everything an app wants to do on our devices sure seems like a step in the wrong direction.

So what’s an enlightened Android device owner to do, other than hope Google comes to its senses and brings that more detailed info back into view?

Let’s think it through more closely.

Before we dive in, it’s worth zooming in a bit to chew over what exactly is changing here and what it actually means.

Traditionally, every Play Store app listing has had a link to view the entire list of permissions the associated app could require on your phone. That means you could be aware of exactly what types of data and areas of your phone the app wants to interact with and could then make a proactively informed decision as to whether that all seemed like a sensible situation for you.

That was then. Now, you see a broader but also less intricate summary of privacy-related info instead — which, it’s worth noting, is not generated automatically based on the app’s actual behavior and capabilities but is instead up to each developer to report:

On the one hand, that new Android Data Safety panel definitely does provide a lot more context about what exactly an app is doing with your info and why, and it puts into slightly more of a plain-English form that an average (alleged) human might actually understand. That’s clearly a good thing.

But at the same time, it omits the subjective, exhaustive, machine-generated facts about the precise list of Android permissions each app requires and instead forces you to rely on the developer’s disclosures — which may or may not always be accurate, honest, and complete.

In the case of Facebook, for instance, the new Play Store Data Safety panel doesn’t mention that the app wants the ability to read your phone’s status and identity, to view all network and Wi-Fi connections, to route calls through the system, and to download files without any notification. Those details might not matter to everyone, but they sure seem important.

And they’re exactly the sorts of nuances that get lost with this new approach.

So what’s the answer, then? Unfortunately, it isn’t exactly simple anymore.

One option that’s been batted around a bit in Android enthusiast circles is the notion of downloading a third-party Play Store alternative called Aurora, as that storefront does still list out specific app permissions. But there’s a catch: Aurora is a non-officially-sanctioned and not technically authorized alternative Play Store client. And that means you’d have to venture out into the wild and install it from outside of the Play Store — which (a) is something that’s difficult to recommend on any broad level (especially when company-associated devices are involved), and (b) opens up the door to some tricky terms-of-service issues, since Google doesn’t actually allow third-party apps to act as Play Store interfaces in that way.

Aside from going down that road, you’ve got a couple possibilities worth pondering:

A web-based marketplace called F-Droid lists loads of Android apps and makes ’em available for direct download — and it lists out all the permissions an app requires in a clear and easy-to-find form.

And while F-Droid is intended to act as a full-fledged alternative Android app market, you can just as easily use it as a simple point of reference before you download an app normally from the Play Store. It’ll just give you a window into the app’s exact permissions ahead of time, now that the Play Store won’t.

The only downside, extra effort aside, is that F-Droid is missing a lot of major app titles that are present in the Play Store. So there’s a decent chance you might not find what you’re seeking there. But it’s at least one option for a proactive approach in light of Google’s vexing permissions visibility change.

This is really the best all-around answer for most people at this point, even if it isn’t entirely optimal: After you’ve installed an app, it’s actually quite easy to dig in and see exactly what permissions the app is capable of accessing on your phone.

Just open up your standard Android system settings and look for the Apps section. Open it, then look for the line labeled “See all apps.” Tap that bad boy and tap it good.

Next, find and tap the app in question and then select “Permissions.” That’ll show you a basic list of core permissions the app requires — but to get the full unabridged list, you’ll need to perform one last step: Tap the three-dot menu icon in the upper-right corner of the screen, then tap the all-important “All permissions” option tucked away in that menu.

And with that, you’ll finally be privy to every form of data the app can possibly see or interact with on your phone.

Remember, too, that with more advanced and sensitive sorts of permissions, apps have to explicitly ask for your authorization before they’re able to act. So even with the app installed on your phone, it’s not automatically gonna be able to do anything especially eyebrow-raising until you get a prompt and deliberately give it the go-ahead.

This method isn’t perfect, and it’s certainly a lot less logical than being able to see all those permissions directly in the Play Store. But the info is still available, at least, if you know where to look.

And if you combine this approach with the Play Store’s new Data Safety section and all of your standard Android app-selecting smarts, you’ll have an effective way of keeping tabs on your apps and exactly what sorts of info they’re able to access.

Want even more Googley knowledge? Check out my Android Intelligence newsletter to get next-level knowledge in your inbox every Friday.

http://www.computerworld.com/category/security/index.rss