Android, my new cool companion with dodgy friends

Google has made its money by gathering the world’s personal data, and now, in Android, it has generously created a platform to allow small-time devs to do the same. Or so it feels to me at the moment.

I recently purchased a Samsung Galaxy Note 10.1 (2014 edition) so that I could write a dinosaur-themed letter recognition game for my son. (The development isn’t going too badly; I’m using Corona, which is a 2D engine which provides gravity, animations and collisions and stuff, and allows you to program logic in Lua, which is a scripting language that’s new to me and I think will give me an opportunity to implement all those JavaScript patterns I read about in Douglas Crockford’s JavaScript: The Good Parts. But that’s another story.) Now, I went for Android rather than buying an iPad because I had read in the Financial Times that the youth of today consider Android to be cooler than iOS. (I’m afraid I can’t find the article anywhere, though.) Also I do have an iPhone and a MacBook and I didn’t want to have only Apple devices: it would feel a bit like being one of those girls in the 90s who would buy every Take That single on cassette, 7″ vinyl, and two CD formats.

The device itself seems fine, although I haven’t done that much on it. And the reason I haven’t done that much on it is that I’m too paranoid to install anything. Everything I’ve tried so far seems designed to steal my information or other resources. For instance, the first thing I tried installing was Facebook. I like using Facebook on the iPhone, although I do think it is overstepping the mark in asking to access all my photos (it could easily allow me to upload pictures without asking for any special permission.) But I was quite shocked at the permissions it asked for.

Image

Read my text messages? (Not relevant to a tablet, but anyway, pretty audacious.) Send emails to guests without owners’ knowledge? Add or remove accounts, create accounts and set passwords? No thanks. Except, unfortunately, on Android you don’t get the opportunity to say ‘no thanks’ to individual permissions, you have to accept them all or forgo the app altogether. (It looks like there were once moves to allow you to cherry pick permissions but no longer.) I much prefer iOS’s model, whereby all apps by default have limited access, and have to ask for anything more. This allows users to try apps to see if they’re any use without elevated permissions, and encourages developers to degrade gracefully if permissions aren’t available.

So I wasn’t going to use my tablet for Facebook. Another thing I wanted was a drawing app so I could entertain my son by creating pictures of dinosaurs. So I looked for a drawing app on the Play store. There were many of them, and I couldn’t see a way of filtering them, even by whether they were paid-for or free. Clicking on a few random apps – even the paid-for ones – showed that most of them asked for network access, which is perhaps reasonable for serving ads, but I didn’t know whether they were intending to generate revenue in this relatively innocent and up-front way, or do something more nefarious such as launch a distributed denial of service attack on a site or use my computational power to mine Bitcoins.

The Play store isn’t the only game in town on Android; there are rival app stores, including Samsung Apps, which is installed by default on my Samsung device. Perhaps that would give me a better, safer experience. The Wikipedia page states

Unlike some other Android application markets, Samsung Apps validates all third-party applications for malware and harmful content before making them available for download or purchase through the store. This validation process includes verification of installation permissions.

Which sounded promising, although there weren’t any citations. So I gave it a go.

One of the first things I need to do was create a Samsung account. Hurrumph. I hate creating passwords, because I try to make them all different for different sites, and then I forget them. However, it offered me the option to ‘Use [my] Facebook info’. Hurray! I love single sign-on.

Image

So I logged into Facebook which told me that Samsung wanted to know several things about me of varying degrees of reasonableness.

Image

I did baulk at ‘friend list’, but I agreed in the name of convenience. But then I was sent back to the Samsung Account screen and found that I still had to enter a password! All that had happened was that the email, date of birth, first name and last name fields had been populated. I had sacrificed my and my friends’ privacy for the sake of not having to fill in four fields. Sorry, Facebook friends.

So now I was finally in a position to download a Samsung App. I had a look at ‘Coloring Pages for kids’, but I found that it required the following permissions:

Image

Which is all very suspicious. Why does it need to monitor, record and process phone calls? What’s the non-malicious motivation for that? What does it want to do with the other applications on my device? It doesn’t look as though it’s sensible to trust the anti-malware claim made on the Samsung Apps Wikipedia page.

So in summary, it seems as though everyone is out to steal information, CPU or network access on the Android platform. Perhaps this is an inevitable consequence of it being difficult to make money legitimately out of it. Which is sad. I may be being idealistic, but here are my recommendations:

  1. [Most important by far!] In the App stores, make it possible to filter apps by the permissions that they demand. If I could filter out all the apps that demanded, say, details of my contacts and phone calls, I wouldn’t even see the malicious apps, which would have several benefits:
    • It would make it easier for users to find benign apps.
    • It would support indie developers. At the moment the only assurance I have that an app is likely to be safe without going through the process of clicking into it, pressing Install and viewing the permission list is that it’s from a reputable company. Clicking in to view the permissions is a tedious process so I avoid it, and go for famous names instead. I’d be much more inclined to try indie apps if they were items in a pre-filtered safe list.
    • It would make malicious apps less profitable.
  2. Allow users to pick and choose permissions, as on iOS. Again, this would help indie developers because people like me would be more inclined to use apps from unknown sources if they lived in a sandbox
  3. Allow apps to serve up advertising content without demanding the blanket permission of ‘Network Access’. I would be fairly confident about allowing an app to access the network if I knew that all it was going to do was open up a browser frame and serve a static HTML page, or even one with Javascript in it, as long as it couldn’t access arbitrary information on my device.
  4. Implement some sort of same origin policy, in which an app has to declare which domains it can access.

P.S. After I started this article, I did return to the Play store and settled on Autodesk SketchBook Pro for my drawing app because it had good reviews, and as it cost £3.03 and was from a reputable company I thought it probably wouldn’t resort to stealing my CPU to make ends meet, even though it does demand network access.

Advertisements