Skip to content

Play Store Privacy

Posted on:November 2, 2013 at 04:29 AM

A set of tweets about a potential way in which apps and developers can be more explicit and accountable for the permissions and access they demand of their users when installing.


Triggered when I realized that the current version of the Facebook app for Android can look into my phone’s photo gallery at images that I haven’t shared with Facebook, and suggest that I post them. Here is a screenshot:

Facebook Image Suggest

All three images were the most recent in my phone’s gallery, and none of them had been shared. I went to check the permissions of the Facebook app, but there was no permission listed for accessing the Photo Gallery. I have also disabled Photo Sync for Facebook which automatically uploads pictures to Facebook from your phone.

The explanations are, in their order most likely to least:

  1. Facebook has permission to access the camera, and access to gallery is implied or subsumed by this.
  2. There is no permission, explicit or implicit, to access the Photo Gallery in Android 4.3 and every app can access it without the need for stating or specifying permission.
  3. There is an actual explicit permission for accessing the Gallery which Facebook does not declare, but it surreptitiously does it anyway.

While declaring what permissions are required by an app is a very positive step in the right direction, more information is required. We need to know why the app needs that information. For example, consider QR Code Reader, whose most recent update requires the following new permissions:

QR Code Reader Permissions

Why does it need to know my location? Why does it need to be able to modify the contents of my USB storage? As a software developer I can think of a number of possibilities, but I don’t know what they are really using it for. To have a place where they can explain why they need the permissions, and a mechanism that can help regulate that they do only what they declare they do with those permissions, is essential for the next generation of apps and users, both of whom will need to be better educated in privacy guidelines.