Google has just removed a new privacy feature in the latest update to Android KitKat that briefly let users control exactly how individual apps access their information and various phone functions. Google apparently hadn’t intended to release the feature in the first place, and now it’s gone. Predictably, users are up in arms over the whole thing.
The app-permission feature was first rolled out as experimental code in the Jelly Bean 4.3 release of Android in July. It wasn’t ever accessible via the standard Android interface, so most casual users likely never knew it existed. Some developers noticed it, however, and created several popular app-style shortcuts that unveiled the permissions manager functional. For instance, “AppOps Launcher” by developer Pixel Monster was downloaded between 5,000 and 10,000 times according to its Google Play page.
But if your phone is now running the newest Android KitKat 4.4.2 update, these shortcuts will no longer work—and you can no longer exercise fine-grained control over the liberties that apps take with your devices and information.
The experimental Google code basically allowed users to prevent apps from accessing certain phone functions and stored data. If you didn’t want a game app to look at your contacts list, you could use the permissions manager to block that access for that particular app and no others—theoretically without otherwise affecting the game. That was a big step forward for Android users, who otherwise have to grant every permission an app requests if they want to install it.
Such permissions are a big deal in app-land. If an app needs access to a data connection (Wi-Fi or cellular) to download information from the Internet, it needs permission. If an app needs access to your location (like Foursquare) through GPS, it needs permission. Common app permissions allow access to the device’s camera, user contacts or calendar, phone status, storage, social information and accounts. An app like Facebook needs many of these permissions and more to run effectively.
The Electronic Frontier Foundation took Google to task for killing the permissions manager. When EFF asked Google about killing the permission manager it was told that the feature was experimental and released by accident. Google disabled it because it broke some of the apps that it policed.
EFF technology projects director Peter Eckersley wrote on the group’s website about the disappearance of the permissions manager:
The disappearance of App Ops is alarming news for Android users. The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people’s data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago.
Google has independently confirmed to ReadWrite that that permissions manager was indeed an accidental release. In this case, Google had left in experimental and untested code that modified aspects of Android permission system. This happened first with the Jelly Bean 4.3 release. This experimental code was removed with the Android 4.4.2 update. Google never supplied documentation for developers to use the feature that was unsupported when it was originally released.
Since Google never supplied documentation for the accidental release of the permissions manager, Android developers had no opportunity to prepare for the possibility that users might be withholding individual permissions, or to warn users about the possibility that an app might break if they did so.
So while the permissions manager technically existed in the source code of Android, Google had never purposefully released it. By taking it away, Google is not acting in some nefarious manner. Eckersley and the EFF can make a significant amount of noise about the permissions manager being taken away, the fact of the matter is that for most users it hardly ever existed in the first place.
A Brief History Of Permissions
Android was the first major mobile operating systems to show users what permissions its app were using in the first place. When you download an app from Google Play right now, it will show you what permissions the app is requesting. Astute users won’t download apps that require permissions that are not core to the functionality of an app.
When apps are updated, Android will ask for the user to accept any new permissions the app is using. For the most part, Google has been very straightforward with users by showing them what their app is actually doing.
Some apps, of course, don’t play nice. For instance, the Federal Trade Commission just settled a complaint against an Android app called “Brightest Flashlight Free” from Goldenshore Technologies that harvested user location data and unique device identifier information that it then passed onto advertisers. A flashlight app does not need a data connection or access to … anything really. It’s a flashlight. Users need to be wary that many apps ask for permissions that could ultimately lead to their data being siphoned off and sold to advertisers.
That being said, the ability to turn off certain permissions or network access entirely (as the EFF points out) would be a highly desired feature in Android going forward. (In fact, that capability already exists in CyanogenMod and other popular Android variants.)
The fact that code exists to be able to manage permissions shows that this is something that Google has been working on, even if it is not necessarily ready for developers or users quite yet. When contacted, Google said that it had no plans to share if and when the permissions manager system that the AppOps shortcut enabled would be available as a standard feature.
Image by Dan Rowinski for ReadWrite