Google to ban financial lending apps from accessing user photos, contacts
pcmag.com
This feels like treating one particularly visible symptom of the problem instead of fixing the actual problem. What Google should do instead is prevent apps from refusing to work or disabling unrelated functionality just because some permissions are denied (e.g., if you deny your banking app permission to access your camera, everything but mobile check deposit should still have to work). They should use a two-pronged approach to do so:
1. Make that a rule in the Play Store and ban apps that violate it
2. Make Android present convincing fake data to apps when permissions are denied
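The principle in the comment above (an unrelated feature keeps working when a permission is denied) can be shown concretely with the "new chat" case discussed further down the thread. The following Swift is an added example written for this page, not code from any app mentioned here; the `ChatTarget` and `NewChatSource` names are hypothetical, while the `Contacts` framework calls are real iOS APIs. With contacts access the address book is offered as a convenience list; without it the user types a number, and neither path is blocked by the other.

```swift
import Contacts
import Foundation

// Hypothetical model for "who do I want to chat with" (added example, not from the thread).
struct ChatTarget {
    let displayName: String
    let phoneNumber: String
}

final class NewChatSource {
    private let store = CNContactStore()

    // Returns contacts if the user allowed it; otherwise an empty list. Callers treat an
    // empty list as "show the number field", never as a reason to disable the feature.
    func suggestedTargets(completion: @escaping ([ChatTarget]) -> Void) {
        switch CNContactStore.authorizationStatus(for: .contacts) {
        case .authorized:
            completion(loadContacts())
        case .notDetermined:
            store.requestAccess(for: .contacts) { granted, _ in
                completion(granted ? self.loadContacts() : [])
            }
        case .denied, .restricted:
            completion([])
        @unknown default:
            // Newer states (e.g. partial access) also fall back to manual entry.
            completion([])
        }
    }

    // Manual-entry path, available regardless of permission state.
    // Keeps only digits and a leading "+" and rejects obviously incomplete input.
    func target(fromTypedNumber raw: String) -> ChatTarget? {
        let digits = raw.filter { $0.isNumber || $0 == "+" }
        guard digits.count >= 7 else { return nil }
        return ChatTarget(displayName: digits, phoneNumber: digits)
    }

    private func loadContacts() -> [ChatTarget] {
        let keys = [CNContactGivenNameKey, CNContactFamilyNameKey, CNContactPhoneNumbersKey] as [CNKeyDescriptor]
        let request = CNContactFetchRequest(keysToFetch: keys)
        var out: [ChatTarget] = []
        do {
            try store.enumerateContacts(with: request) { contact, _ in
                let name = "\(contact.givenName) \(contact.familyName)"
                    .trimmingCharacters(in: .whitespaces)
                for phone in contact.phoneNumbers {
                    out.append(ChatTarget(displayName: name, phoneNumber: phone.value.stringValue))
                }
            }
        } catch {
            // Reading failed (e.g. access revoked mid-session): degrade to manual entry.
            return []
        }
        return out
    }
}
```

The design point is that permission state only decides which convenience list is shown; the actual capability (starting a chat with a number) never depends on it, which is what a store rule like prong 1 would be checking for.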
Additionally there should be a sandbox mode. While you give the app access to Photos and Contacts, it's an actual sandbox not containing any photos or contacts. So the app gets what it asks for (the permission) while the user can still control the data.
This is how photo access on iOS works. An app can ask for access to photos and you can choose 3 options:
- no photos
- only specific photos (the system picker will appear to select them)
- all photos
Regretfully, it seems on iOS apps can tell they’ve been given access to only specific photos. Google's Photos app refuses to work unless it gets access to all photos.
WeChat will loudly grumble every time you try to send a photo if you haven't given access to all photos. But at least it works.
And if you tell me now that it works without having access to contacts, it's light years ahead of WhatsApp.
But still, these moaning dialogs aren't trust-building. I wish there would be better guidance with UX in the industry.
WhatsApp works without access to contacts now, no?
WhatsApp still uses your contacts as its "friends list", i.e.: people appearing in "new chat". You can still text any number with wa.me links but the UI doesn't offer number input IIRC.
No, you can't initiate a session with someone you know the number of, it demands access to contacts so "you can stay in contact with your friends". The usual weasel words.
It was the case before, but I can do it now. It says "enable contact access to make it easier" but I can also just punch in a number and start chatting... Contact access is off.
This is not the case in WhatsApp on Android, at least as of a couple months ago when I last checked.
I think it's a good design decision that just lacks control during the app review process.
There are apps that need full access to your photo gallery to be really useful (i.e. where a limited pool of photos may make little sense in those contexts), photo deduplication apps being a case in point. At least that piece of information gives the app a chance to tell the user that it may not work as expected.
Now, if an app misbehaves based on photo sharing permissions (i.e. Google Photos not being able to work), that is a decision that the product team took. They're the ones responsible and that should be judged.
If anything there should be tighter controls during the app review process on how those apps use that info and avoid the ones that only work when sharing the full gallery.
I am the user, and if I allow only the Screenshots and WhatsApp Images folders to be accessed by your deduplication app, I want it to work on these 2 folders only, without accessing my camera. Same for, let's say, a backup app.
Yeah sure, that's what should happen. I'm not saying otherwise, read the comment again.
YMMV, but IMHO it is preferable that the fundamental execution model of the app stays in control of the app-executing user and should not be affected by or be dependent on the app review process. The rationale is to prevent single points of failure, especially those that are out of the control of the user (compare with the emergency off switch on some bigger machinery).
This was an annoying issue with one of the Twitter competitors a while ago; their app asked for photo access, I gave it partial access, it grumbled that it needs ALL of it, and refused to let me upload any photo. I thought it was a "total photos < X" heuristic, so I went back and picked like 30 old photos, and it still knew that wasn't all of it.
Probably because it's file based. Don't they have a feature to paste a picture from the clipboard or camera?
That still works regardless of file permissions; own-app storage has always been allowed on iOS and since Android ~6. And clipboard access is all API-based, at least.
What is regretful about that?
That was a change that seemed to add inconvenience but no additional security. Now I have to first approve an individual photo, then search the pre-approved photos for the photo I just added (they will be sorted by time). Why can't they just let me approve and add a photo at the same time?
But it absolutely provides more security... the app can see only the exact photos you allow. It is a bit annoying as an extra step, but I'll happily give apps access to a single photo selectively versus the all-or-nothing approach where I might choose to completely stop using an app.
Sorry, yes, the segmenting out of permissions on a per-picture basis adds security. What I mean is, the additional hassle added by the way iOS and apps currently do it is not necessary for that security. There should be an interface directly from the prompt for pictures on the app's side to the selection of photos on my phone's side, to the point that adding pictures is just as easy as it was before. There's no reason for the extra steps to get this added security.
You can unselect all from the dialog every time, iirc, as a workaround for this.
I'm not sure if it works as advertised. I've been playing with one of the apps and despite selecting the "No photos" option, I was still able to upload photos from my gallery. Perhaps some metadata is not shared in this case, but photos definitely were accessible.
There are two APIs in iOS for the photo browser. The API where the app gets access to your photos so it can draw the list view of “all the pictures” is gated by the permission.
The newer API pops up a system control that lets you select a photo (or more), and only then, if you select one, does it return that picture (only) to the application. That API does not need permission, because unless you select a photo, the app does not have access to anything.
Yes, you are right, thank you. After I posted my comment, I started reading about PHPickerViewController and it totally makes sense.
GrapheneOS supports this with a feature called Storage Scopes. Instead of giving an app access to your entire photo library and files, you can limit its scope to an individual folder of your choice.
That way the app still gets the permissions it asked for, but they're specifically what you want it to see.
> GrapheneOS supports this with a feature called Storage Scopes
Thanks for the pointer, adding the missing reference: https://grapheneos.org/features#storage-scopes
This looks pretty interesting (and there's more GrapheneOS has to offer):
> GrapheneOS provides Storage Scopes as a fully compatible alternative to the standard Android storage permissions. Instead of granting storage permissions, users can enable Storage Scopes to make the app assume that it has all storage permissions that it asked for. On Android, an app that doesn't have any storage permissions is still allowed to create files and directories, and is allowed to access the files that it created. Users can optionally add files and directories as storage scopes to permit the app to access files created by other apps.
This comes pretty close to what I imagined, thanks a lot for providing this living example!
This is the obvious solution, it’s really annoying that it is not available for every permission. (Contacts is the big missing one in iOS, but you could even have a fake GPS that returns random positions.)
LineageOS used to patch this on top of Android a few years ago, not sure if it's still there.
"2. Make Android present convincing fake data to apps when permissions are denied"
This is actually a feature with MIUI, though I am not sure if this is part of the global release or only Xiaomi.eu (a modified version of the Chinese release). https://xiaomi.eu/community/attachments/screenshot_2022-10-2...
This is cool, why is that not a more widely available feature, particularly in custom ROMs? I used XPrivacy with Xposed some time ago to inject that functionality. It was even possible to only expose randomised or fixed GPS and an excerpt from the address book (only favourites).
The actual problem is that travesties of this scale are allowed to happen on Google’s watch for so long, despite the Orwellian grip it has on deciding what apps are allowed to be listed. A good example of why that system needs to be reformed.
This particular issue didn’t get addressed until at least 8 months after TechCrunch exposed the practice. Where was Google?
Control of the App Store and Play Stores should be carefully transferred to an independent organization, with an open governance model and a mission to serve consumer interests. It won’t be perfect but it would be a big step up.
If that can’t be done for whatever reason, find another way to disrupt the App Store. I struggle to think of why not doing so is a net good for society.
> 2. Make Android present convincing fake data to apps when permissions are denied
That reminds me, years ago I used to run a module called XPrivacy that does exactly this. It does require a rooted Android device though. I haven't used it for a long time, but seems it continues to live on as XPrivacyLua.
I used to use that too. It was great! I haven't run a rooted device in like 8 years though. These days I don't bother installing most apps on my devices anymore. I mainly use the phone, messaging, camera, and Firefox. And I use NetGuard to block the uninstallable apps from internet access.
That approach would leave users confused as they see fake contacts or photos being surfaced through the app that was denied said permissions.
It should just present an empty list, like a newly installed phone with no pictures taken yet / no contacts added. If apps detect that and refuse to function, ban them from the app store.
Only if you use fake contacts and photos that look real. Instead whenever this is done elsewhere, there is text on the image and the names are obvious. Google can even add a page within privacy where you see the fake options before you can enable it system-wide/per-app.
The app could also detect the fake text based on general testing (after all, there's gonna be only so many variations of "Biggus Dickus") and refuse to dispense the functionality in question.
Hence the suggested rule that blocking functionality based on this access should be an app store violation.
The OS could add an option to automatically generate realistic mock data. It could be tuned based on the distribution of names in the location that is revealed to the app (whether that is the real location or a mocked one).
I wrote almost exactly this comment more than five years ago. It is a shame that it is taking them so long to get security right. Do they even use their own software?
I don’t have much faith in Google for doing that. The Google Photo app only works on iOS if you allow it access to the iOS photo library. I wanted to use it to access photos shared with me, or otherwise stored in Google Photos, not to give google access to all the photos on my phone.
It’s pretty funny that Google has this rule and then slurps up all data for their own purposes and there’s no way to opt out on Android if you use the Google distro.
Android has this issue.
There are the new permissions for location: accurate and not so accurate.
Apps are told "you are given coarse location" so they refuse to work.
Same for contacts. I refuse to use truecaller because it "requires" contacts access. I don't want it so I am at an impasse.
Permissions should be transparent. As you said, if the user decides on system level to disable location, apps should be told "no signal" or "no location for now, carry on"
> 2. Make Android present convincing fake data to apps when permissions are denied
What about apps that aren't malicious? How can they tell the difference between a user who denied the permission to reasonably offer alternatives?
As a good rule of thumb, apps are malicious. If they are not, the libraries they include are. If, somehow, even the libraries aren’t malicious, the attackers who compromise the app or its backend are definitely malicious.
With that logic you really shouldn't use your computer.
We are rapidly approaching that point. Apple is/was/will be going to enable on-device scanning for someone's definition of naughty. Not hard to imagine that naughty will soon include images of Winnie the Pooh, union formation, abortion, minority group X, what have you. Automatic notification of the authorities to follow.
Edit: To be clear, I am obviously opposed to CSAM, but on-device scanning is a privacy violation. Nobody knows what hashes trigger a flag, and they could be updated at anytime without the user being aware.
The problem is the top-level poster was also suggesting banning apps based on their definition of naughty (and "related" features).
Running arbitrary and proprietary code without being able to review it first was always a mistake but we crossed that bridge over twenty years ago.
Every OS and chip manufacturer is working towards "secure core" architectures now. Executed code will run inside OS and silicon-level sandboxes. Memory spaces will not only be randomized, but encrypted and authenticated through dedicated secure enclaves. Hardened IOMMU modules will negotiate bus communication. System code is partitioned off and verified through hardware root of trust.
Malware as we have known it will be extinct in a few years.
I wish you’re right but I don’t see how what you’ve mentioned stops most malware.
In a nutshell, because an application won't be able to do anything evil. We're already halfway there on mobile devices. An Android app cannot access system files or files of other apps, period. "Run as admin" doesn't exist. It can't access shared files like camera photos or documents without explicit user permission.
This is mostly accomplished using SELinux, which is an afterthought slapped onto the original OS architecture.
There are exploits that defeat these walls, but it's getting harder. Walls built from the hardware level up will be almost impenetrable and might require finding an error in the chips' microcircuit designs.
These are, quite frankly, easy protections to put up. I know a lot of work is invested into them but it’s pretty clear that apps shouldn’t be able to scribble all over the address space of other processes, or just have access to all system devices. The hard part is when you actually have a legitimate need to do certain things but not every app should be granted this permission. For accessibility reasons some apps should be able to simulate user input. Obviously, giving this permission to every app is not good. Some apps should be able to know where you are. The one that your spouse installed on your phone secretly to track you? Probably not. This is where the challenge is these days.
I have almost no apps installed on my smart phone ... I just go to the mobile website. Way easier, way more I can control. I'm literally missing nothing.
Do you want to install our app?
[YES] [Maybe later]
Remind the user on the screen that permissions have been denied?
> 2. Make Android present convincing fake data to apps when permissions are denied
GrapheneOS can do this. I believe you can even choose to make only chosen photos visible to a certain app
This functionality is built into iOS as well.
iOS implements access permissions, GrapheneOS implements sandboxing.
#1 is a nice recommendation, but not trivial.
You've got three major systems for detecting policy violations: static analysis, dynamic analysis, and human interaction. You don't want too many false negatives or else you get bad media coverage complaining that you aren't doing enough to enforce policy. You don't want false positives or else you hurt benign users.
Static tooling will be able to detect specific kinds of ways that an app might refuse to work if you don't have a permission, but will struggle mightily in general. Dynamic analysis needs to be driven to the specific feature that triggers the behavior. Both will struggle if the app's response is something like returning to a home screen with a custom message. And good luck teaching one of these systems what "disabling unrelated functionality" looks like.
Human interaction works better but is a gazillion times more expensive. Training people is also harder than one might think. You can train humans to identify "disabling unrelated functionality" but that's fuzzy enough that there are going to be some errors. Doable, but every single new policy costs significant amounts of money.
Policy overload is also a problem for developers. There are already a lot of rules on both app stores. Developers get a new "hey this is a new rule you need to comply with" email all the time. You can only roll things out so fast or developers will get overwhelmed with just validating that their apps remain in compliance.
These are often solvable problems in isolation, but when taken as part of the overall effort of policy enforcement on app stores they become quite a bit more challenging.
I seem to remember this worked a lot better a few years ago. Nowadays you can't even deny an app permission to access the internet.
I can deny the internet to individual apps on my Pixel 7 running Android 13. I can even deny just mobile data.
I often do it when I first install an app that shouldn't need internet access.
Isn't the entire business model of Android that it's a data collection platform with zillions of sensors linked to PII that apps and phone vendors can use for profit? If Android did what you're suggesting, Samsung and others would simply fork Android and cut ties with Google.
It’s ok to give credit to Apple for doing this already
> Make Android present convincing fake data to apps when permissions are denied.
I have wanted this for years. I eventually left Android because the permissions models were deranged (IIRC the number of apps that "need" phone access to pause something during a call). iOS isn't perfect but they seemed to be enforcing your prong #1 at least a little more than Android when I switched.
They need to ban that Dave app. I signed up because it offered a loan for $500, but when I got in the app they forced me to "connect" my checking account, sucked up all the data, then offered me only $20. With a daily notification to set up one of their "checking accounts".
The app was advertised as a short-term loan with borrower-friendly terms ("give us a tip!") -- yeah right. Come to find out it's just a new accounts funnel. Yet this app is allowed to blatantly exist on the app stores, despite not doing anything like what it was advertised to do and tricking you into handing over all your transactions data from your checking account (probably to look at your cash flow and decide how valuable you are from a new accounts perspective).
There is no universe where I'm connecting my bank account to some ghetto ass app for a seemingly too good to be true loan.
Me neither, but the banks are probably selling all your data to the same clearinghouses anyways… we need banking secrecy laws like the Swiss used to have, AML be damned
Your bank may well sell your personal data. The app you “connect” to it can take your money. Choose your poison.
> Your bank may well sell your personal data.
Depends on the laws in each country. At least in most if not all EU regulated countries, this would be a huge no-no.
"I need numbered accounts" is a strange jump from "banks should be free to sell your data to anyone".
There's a clear middle ground.
These apps are literally just friendlier payday lenders. They will also go under soon because the unfriendliness of payday lenders is essential to the business model and it doesn't scale well. Dave's delinquencies are probably atrocious.
Why would the unfriendliness of payday lenders be essential to the business model?
Because the type of people who have no choice but to resort to payday lenders are the same type of people who need men with guns to visit them in their house at 2 am in order to pay back their debts.
You are confusing payday lenders (who use the courts and high interest rates to make up for defaults) and loan sharks (who use violence).
The FTC begs to differ:
https://www.ftc.gov/news-events/topics/consumer-finance/payd...
According to them, “abusive collection practices” and dozens of other illegal things are common in that industry.
Yes, they are common. Any industry that deals with primarily people who cannot afford to defend themselves has similar issues (e.g. slumlords). I have no doubt that they are profitable. My question was "why are they necessary to the business model".
Unless you assume "abusive collection practices" means threatening physical violence. Because I would assume it meant things such as chronic calling.
> Why would the unfriendliness of payday lenders be essential to the business model?
The amount is small, the lending is short term, and customer acquisition costs can be fairly high. This means that the fees / interest must inevitably be quite high - i.e. if you are genuinely lending out $250 for 30 days and you only want to make $25 margin then the effective APR is >120%.
Then you are generally giving these loans to people who are in (at least short-term) financial difficulty, who often have other debt obligations which may be higher-priority (e.g. they need to pay their mortgage).
You can't have a business that just gives away money though, so you need your money back. And you are going to be incurring costs to recover the money at this stage. Plus at this stage the customer might have gained interest charges and is in a worse financial situation than when they started. So what's the 'friendly' option here? Ultimately you will need to send some unfriendly letters that say "You need to pay up, and if you don't then we will send in some people to recover goods from your house".
I guess it depends what you mean as unfriendly, but sending around recovery agents is never friendly.
The lending term may be short, but the average lifetime value of a customer is very high, because they usually keep coming back and churn is low.
Meanwhile, in the US (based on FTC complaints statements) "we'll send some people to recover goods" is extremely illegal.
> Meanwhile, in the US (based on FTC complaints statements) "we'll send some people to recover goods" is extremely illegal.
It's definitely possible in the UK (you just need a high-court order and to send in bailiffs).
I would be surprised if similar legal remedies don't exist in the USA (i.e. that if someone isn't paying something they legally owe, you can't then organise for repossession of property via the court).
Companies obviously aren't just allowed to send heavies around, however I would assume most countries have a legal avenue to 'force' people into repaying a civil suit (which in the UK involves getting a high-court writ and then sending bailiffs who will seize property).
Never give your bank info to a third party. Never. No good will come.
You could offer me $1000 cash and I wouldn’t do it. It’s just not worth the hassle as setting up and establishing a new bank account is a bit of a hassle.
> You could offer me $1000 cash and I wouldn’t do it.
You may not need $1000, but some people literally do.
And those people should avoid scammy apps that require their bank credentials.
What should they do instead?
Not use those services. I don’t think there’s any essential digital services that require bank access.
The closest are Venmo/PayPal/Cash App, but there’s a way to use them without giving login access. Instead it just uses the account and routing numbers to make ACH transactions on my account.
This is still risky but still much safer, I think. ACH can be reversed. A login with my bank can do all sorts of stuff for which my bank holds me liable.
> Never give your bank info to a third party. Never. No good will come.
How do you pay for your electricity? I set up a direct debit with my utility company. That involves handing over bank details.
> predatory loan apps
Loan sharks?! We've reached a point where I don't even allow a chat app (WhatsApp) to access my contacts. Banks' apps love contacts as well ("send money to phone number"). With "convenience" bait they get birth dates, physical addresses, emails, profile photos, and whatnot. I see from behind my keyboard how banks salivate to calculate some credit worthiness from the contacts uploaded (and confirmed by the entry in the other person's address book).
I just immediately uninstall any app that requests access to contacts without me first indicating I'd like to use that app to share something with my contacts.
This is the correct kneejerk, but I assume it's not for the majority of users. It makes me hesitant to give out contact info knowing it'll end up building shadow profiles, despite how useful having an easily shareable vCard should be.
It's "good" in the same way that "google stops punching man in the face" might be good.
In a sea of predatory applications, why is lending the only one that gets blocked here? A whitelist would be better (say approved photo and contact apps could access photos and contacts), and better still would be the app can only access what you transfer to it and doesn't get blanket permissions.
I also agree with the other comment that this shouldn't be within Google's power to decide, it should be regulated - if you force a closed OS on users, you should be limited in what it can access
> In a sea of predatory applications, why is lending the only one that gets blocked here?
Because lending apps are the only ones to engage in egregious behavior, see [1] as an example. The relevant sections are quoted below:
> If a user was late to repay, the app had previously indiscriminately texted or called contacts in the user’s phone as part of loan collection efforts. This process began immediately after a loan repayment was delayed, according to user reviews.
> Numerous users reported that friends, family, employers, and other contacts were harassed and threatened through Opera’s apps when a borrower was late.
(...)
> In another example, the apps threatened to place friends or family of a borrower on a national credit blacklist if they didn’t convince the actual borrower to pay:
[1] https://hindenburgresearch.com/opera-phantom-of-the-turnarou...
> If a user was late to repay, the app had previously indiscriminately texted or called contacts in the user’s phone as part of loan collection efforts.
Didn't LinkedIn do something similar early on? Harvest your contacts and then email everyone trying to get them to join.
Yes. I had a phone with a “glove mode” toggle for the touch screen. I discovered it sometimes registered false taps when I pointed at that button to show a friend how terrible it was that the feature existed.
Of course, there was no “are you sure?” after accidentally tapping it.
It sent things to mailing lists, non-work acquaintances, businesses I was a customer of, etc, etc.
There is such a thing as going too far though. An app I'm familiar with had Apple rejecting the app for accessing contacts, even though the contacts stay on device at all times and the only way they are exported is if you send a debug log which has a warning modal about their contacts being logged and gives the user the chance to edit those out.
There was nothing to be done that would satiate Apple besides disabling the contacts permission, so the user experience is now worsened. It's still death by a thousand cuts when working with these app stores.
As the other person said, what did it actually need the contacts for?
Was it being rejected for asking or for being broken if it didn't get the permissions?
Or was it simply not able to give a justifiable reason to Apple for needing the permission?
You say it was staying on device but once you have access to those contacts it would be trivial to add the ability to send them to a server or have them leak via third party tools like the facebook sdk. That would be completely invisible to the user after giving past permissions.
The fact that you say that the user experience is now worsened makes me believe that contact access was not an absolute requirement for the app to exist (like say... a contacts organizer or something) and is extra functionality.
Personally, with very very few exceptions, I will not grant an app access to my contacts, since the people in my contacts don't have the luxury of also consenting to some company having their data.
Calling, texting or emailing said contacts from inside the app. Having this data was for the exclusive benefit of the end user, and the permission was optional and did not block use of the app.
There were no social SDKs integrated, and the app and build pipeline are public on GitLab.
What did the app need the contacts for? I'd say I side with apple on that (I can see how it could be abused to shut down competition though). There really would need to be a good reason to have the contacts. (I don't want to debate the threshold, just interested in a "benign" example of needing contacts)
Calling, texting or emailing said contacts from inside the app. Having this data was for the exclusive benefit of the end user, and the permission was optional and did not block use of the app.
Europe has the KYC (know your customer) and AML (anti-money laundering) regulations.
To satisfy KYC/AML, providers of financial services on apps thus ask to see photo id and pair this with a photo taken by the app itself.
I'm not fully across the KYC loopholes, but it seems like this would make fulfilling the regulations very difficult or potentially impossible as the required identification options needed to satisfy KYC each include a headshot.
https://www.ecb.europa.eu/paym/groups/pdf/dimcg/ecb.dimcg210...
I think the OS should provide the ability to select items and then give opaque handles to applications. The app could send a message to the OS to display a photo selector. The OS could send a message back with a handle to the selected photo. One could then ask the OS to send a handle, which would forward the selected item somewhere else.
Both mainstream mobile operating systems have APIs for this. Even Linux has this at this point! Android has been restricting apps for at least a decade now, every time under heavy user protest because some weird app doesn't work anymore with the restrictions enabled.
The backwards compatibility of Android is a problem in this regard, because apps targeting old versions of Android get old, often less private, behaviour from the system to keep them working. Google has been forcing developers to upgrade their targeted version for a while now, though, so any app that still receives updates should be forced to use the modern API.
In the end, there will always be apps that need full media access. File managers, galleries, image collage tools, you name it; you can't completely disable the generic file API. All other apps can use more appropriate APIs and often do, but those that hoover up data have little incentive to use the modern, privacy friendly versions. They're dragging every well-meaning app down with them through their terrible business practices.
I fully blame the advertiser laden crapware for the fact I can't sync my phone's clipboard in the background through KDE Connect anymore. The fact Google restricted the APIs instead of kicking the borderline malware out of their store irks me to no end and the fact Apple has placed similar restrictions onto their platform tells me it's not just Android.
iOS already has this feature precisely. I can either grant access to all photos or only a selected subset, or even just one.
And I love it, but it has two issues:
- Apps can refuse to work with that, like Google Photos (it used to work during the beta and it was perfect for me)
- Apps still offer their awful photo picker on top of your already-picked photos, so selecting new ones requires a lot of taps.
I wish Apple would rein in some of these apps. In-app browsers and custom photo pickers should be banned unless they have demonstrated advantages.
It's the same with location data. iOS allows you to restrict apps to only approximate location, but apps like YouTube TV and ESPN require precise data just to do region checking. I wish iOS just wouldn't allow apps to figure out if they're getting precise vs. approximate location.
It’s incredibly confusing when apps do this. Often, the symptom is that GPS looks broken.
GrapheneOS’s location services have a similar issue, but 100x worse. There, apps can definitely have lat/long, but not full Google location service, and all sorts of proprietary software ends up with no/wrong location dots on their maps.
Open source apps, and Google maps competitors work well, so I know it isn’t a hardware or radio issue.
> GPS looks broken
It’s a failure both on the app and Apple side to convey this information properly. Approximate location should be shown with a large circle and the user could be told explicitly about this.
Some apps really need exact location (think Uber and Google Maps) but many don’t (any social network)
Yeah, I had Snapchat location map enabled with imprecise locations during iOS beta, but they disabled that...like, why! just show the error bar on the map if you care.
If I had to guess, probably because some of Snapchat's revenue comes from selling your location data and the general location is far less valuable.
Yes, or better yet, UIImagePickerController [0].
It’s a hook for the system’s built-in image picker sheet; as such, it allows the user to browse their entire library, however the app only gets (one-time) access to the individual piece of content they pick. The nice thing is that the app doesn’t need to ask for any photo permissions at all (as far as read access is concerned).
With some exceptions like Messages, which presents a custom picker UI, this API gets dog-fooded by almost all Apple’s stock apps (Safari, Notes, Mail, the “iWork” office suite etc…).
An example of a 3rd party app implementation is MaskerAid by Casey Liss [1]. However, the number of apps I’ve encountered that use this interface is suspiciously low.
The realistic answer is probably that the sheet looks pretty barebones, and most developers seem to prefer a sleeker, custom-designed integrated gallery view, and/or need write access.
But the paranoid part of me raises the question: why do so many apps insist on continuous access to at least a portion, but preferably the entirety of the user’s photo library?
0 – https://developer.apple.com/documentation/uikit/uiimagepicke...
Apple recommends PHPickerViewController for this use.
I read that as "Apple recommends PHP."
They really need to implement this for contacts. The main reason I’ve never bothered using WhatsApp or any other third party messaging service is that they all refuse to work unless you give them access to your entire contacts database. No thanks.
I feel like this was introduced within the last couple years and did not get a ton of attention when it did.
But like many things with iOS Apple did this and apps had no choice but to work with it since (seemingly) as far as the app is concerned it is the same situation as before.
I do wish though it was easier to grant more images without needing to go to settings. I have had one app that somehow gave me the ability to add more images, but I am not entirely sure how it did it.
Or none, then the app would think you have no photos, instead of getting a permission denied error.
Android does provide this. Your app can send out a message on the system: "I need a picture" and usually the built-in camera app will accept the request, and send a picture back to the requesting app (which then does not need camera permissions since it, itself, never accesses the hardware).
This feature is actually quite foundational to the Android architecture, where the vision was a bunch of small apps working together in this manner.
Unfortunately it's a slightly more clunky user experience than what users these days have gotten used to: big monolithic apps that handle everything themselves.
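The intent-based pattern described in the comment above, as an added Kotlin example that is not code from this thread or from Google. It goes one step beyond the comment by pairing camera-by-intent with the system photo picker, which works the same way for existing photos. It assumes the AndroidX `activity-ktx` 1.7+ and `appcompat` libraries; the activity, handler and button names are hypothetical. The app declares neither CAMERA nor any storage/media permission in its manifest.

```kotlin
import android.graphics.Bitmap
import android.net.Uri
import android.os.Bundle
import android.widget.Button
import android.widget.LinearLayout
import androidx.activity.result.PickVisualMediaRequest
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity
import java.io.ByteArrayOutputStream

// Hypothetical activity for an "upload a cheque image" flow (added example).
// Nothing here requests CAMERA, READ_EXTERNAL_STORAGE or READ_MEDIA_IMAGES.
class ChequeCaptureActivity : AppCompatActivity() {

    // Camera by intent: the system (or user-chosen) camera app takes the photo and
    // hands back a thumbnail Bitmap. This app never opens the camera hardware itself.
    private val captureCheque = registerForActivityResult(
        ActivityResultContracts.TakePicturePreview()
    ) { bitmap: Bitmap? ->
        if (bitmap != null) onChequeBitmap(bitmap)
    }

    // Photo picker by intent: the user browses the whole library in a system-owned
    // picker, and the app receives a content Uri for the selected item only.
    private val pickCheque = registerForActivityResult(
        ActivityResultContracts.PickVisualMedia()
    ) { uri: Uri? ->
        if (uri != null) onChequeUri(uri)
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val root = LinearLayout(this).apply { orientation = LinearLayout.VERTICAL }
        root.addView(Button(this).apply {
            text = "Take photo of cheque"
            setOnClickListener { captureCheque.launch(null) }
        })
        root.addView(Button(this).apply {
            text = "Choose existing photo"
            setOnClickListener {
                pickCheque.launch(
                    PickVisualMediaRequest(ActivityResultContracts.PickVisualMedia.ImageOnly)
                )
            }
        })
        setContentView(root)
    }

    private fun onChequeUri(uri: Uri) {
        // The Uri carries a temporary read grant scoped to this one item. Read it
        // through the ContentResolver; do not try to turn it into a file path.
        val bytes = contentResolver.openInputStream(uri)?.use { it.readBytes() } ?: return
        upload(bytes)
    }

    private fun onChequeBitmap(bitmap: Bitmap) {
        val out = ByteArrayOutputStream()
        bitmap.compress(Bitmap.CompressFormat.JPEG, 90, out)
        upload(out.toByteArray())
    }

    private fun upload(imageBytes: ByteArray) {
        // ... hand the bytes to the deposit upload (not shown)
    }
}
```

Two caveats a practitioner should know: TakePicturePreview returns only a small thumbnail, so a real cheque-deposit flow would use `ActivityResultContracts.TakePicture()` with a FileProvider Uri instead, which still needs no camera permission. And if the manifest declares `android.permission.CAMERA` for some other feature, `MediaStore.ACTION_IMAGE_CAPTURE` (which these contracts send) throws a SecurityException on Android 6.0 and later until that permission is actually granted, so an app that relies on camera-by-intent should not declare it at all.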
How about we leave access to Contacts only to apps that, you know, allow you to contact other people and legitimately need either the email or number? Make it a global XOR: you can ask for Contacts OR credit card/financial data, but not both.
In any case, there is never a legitimate need to know the entire address book to "send money to your contacts": mobile OSes could just offer an interface to manually pick a single contact and return it to the app, which could then validate it as a financial partner
In reality, very few apps should have access to that data in the first place.
I never understood why program permissions are such a big deal on Android and iOS, but not on desktop Windows/Linux, where any application can do everything.
Status quo and inertia. Smartphones had it from the beginning. On Windows there was a struggle just to make default user accounts non-administrator. Personal software for Windows has for the most part adapted to UAC. There's plenty of legacy enterprise software that requires installation with local administrator privileges, domain controller privileges, remote desktop access, no firewall, etc.
I'd love permissions for desktop apps too, but it's not as big a deal because on a desktop I have root access and can monitor what applications are doing myself. I can see which files or hardware is being accessed and when. I can see what network traffic is being sent and to where. I have full control over what applications are installed and what they are allowed to do. I can even fully sandbox apps or run them in VMs.
The phone in my pocket isn't mine, I paid for it, but it belongs to Google, and they make changes to it all the time without my permission and without giving any indication to me that something was changed on my device. Google prevents me from being able to see what the apps on it are doing, and prevents me from changing how they run, or from monitoring all in/outbound communication.
Google's shitty permissions system is such a big deal for mobile because it's literally all we have "protecting" us, and that isn't much. Naturally that leaves us with zero protection from Google itself. but that's the price we pay for having a mobile device that gives us more freedom than Apple ever would.
What programs do you use for this ?
> where any application can do everything.
Sandboxing has existed for ages and recently a lot of effort is being invested into making it mainstream on desktop Linux.
That’s sort of like saying seatbelts shouldn’t be required in cars because you don’t need one on a motorcycle.
Depending on the scope of "everything", Windows may pop up a dialog box asking for permission, and Linux will return error to the application.
I believe most modern operating systems will not just grant blanket permissions to every application, except maybe single user systems like BeOS.
Flatpak, Windows/Microsoft Store both address this, if I understood correctly.
It's just that innovation on the desktop side died years ago.
You say that, but Microsoft is only a few years away from integrating Bonzi Buddy into Windows 11 and Edge. For the benefit of the user, of course! /s
I miss bonzi buddy
Very few apps should have full contacts access. There should be a way to share a contact at a time with an app, like if I want to send an email payment through my banking app, it should call an android function to open a contact selector so I can share just that one contact. Or really, just the email address of that contact, not the rest of the data I may have associated with it.
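The single-contact picker the comment above asks for already exists on Android; here it is as an added Kotlin example (not code from this thread). A custom ActivityResult contract sends ACTION_PICK restricted to the Email data type, so the system contacts app returns a Uri for one email row rather than the whole contact, and the app then reads only the address column. It assumes the AndroidX `activity` and `appcompat` libraries; class and method names are hypothetical. Because the contacts app attaches a temporary read grant to the returned row, the app declares no READ_CONTACTS permission.

```kotlin
import android.app.Activity
import android.content.Context
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.provider.ContactsContract
import android.widget.Button
import androidx.activity.result.contract.ActivityResultContract
import androidx.appcompat.app.AppCompatActivity

// Hypothetical contract (added example): ACTION_PICK restricted to the Email data
// type, so the system contacts app returns a Uri for one email row, not the contact.
class PickEmailAddress : ActivityResultContract<Unit, Uri?>() {
    override fun createIntent(context: Context, input: Unit): Intent =
        Intent(Intent.ACTION_PICK).apply {
            type = ContactsContract.CommonDataKinds.Email.CONTENT_TYPE
        }

    override fun parseResult(resultCode: Int, intent: Intent?): Uri? =
        if (resultCode == Activity.RESULT_OK) intent?.data else null
}

class PayContactActivity : AppCompatActivity() {

    private val pickEmail = registerForActivityResult(PickEmailAddress()) { uri ->
        val address = uri?.let(::readEmailAddress)
        if (address != null) startPayment(address)
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(Button(this).apply {
            text = "Pay a contact"
            setOnClickListener { pickEmail.launch(Unit) }
        })
    }

    // Reads only the ADDRESS column of the single row the user picked. The grant
    // covers this Uri alone; querying the rest of ContactsContract would fail
    // without READ_CONTACTS, which this app does not hold.
    private fun readEmailAddress(uri: Uri): String? =
        contentResolver.query(
            uri, arrayOf(ContactsContract.CommonDataKinds.Email.ADDRESS), null, null, null
        )?.use { c -> if (c.moveToFirst()) c.getString(0) else null }

    private fun startPayment(address: String) {
        // ... validate `address` against the payee registry and continue (not shown)
    }
}
```

The security property worth noting is that the grant is per row: an advertising SDK or a compromised dependency inside this app cannot enumerate the address book, because the process never held the permission to begin with. Swapping `Email.CONTENT_TYPE` for `ContactsContract.CommonDataKinds.Phone.CONTENT_TYPE` and reading `Phone.NUMBER` gives the same flow for phone-number payees.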
Could be also manually allowing only selected CardDAV fields (e.g. only FN and mobile phone) across the address book.
I am curious. Why not give each app a private copy of common user resources? Every app has access to contacts but by default only the ones they create. Then android should allow sharing across apps based what the user wants to share. It would be a little bit tedious to share but an OS provided sharing tool can reduce that friction.
Off topic of the lending apps but something I have long wanted to see is actual information about the data accessed by these apps.
Maybe Android has this, but on iOS I can go into privacy and easily see what apps have access to what data (and easily revoke that permission).
But I don't see any kinds of metrics that would indicate that an app is possibly abusing that permission.
For example, it would be awesome if I could go look at photos or contacts and see a percentage for how much that app has accessed that data and maybe even a graph over time so I can see if it was a one-time thing or it's mining for data.
There is the app privacy report on iOS that gives me some of this data, but it doesn't give me how much data it is accessing. Which I think is the critical part.
If I give an app access to my photos I expect it's going to access it, but without knowing what it's doing it's not quite as useful. Still useful, but not as useful.
Unless I am missing something, that is all on the play store side before you download an app?
I am talking after you have the app installed to actually see what it is doing. Specifically what it is doing.
On iOS I can see that an app is accessing photos and I can see when, but I can't see what or how much.
The feature you mentioned is similar to the labels that iOS has. It even says that in the header.
I have that feature on my tablet (Android 12L or 13), but like you I can only see when ("last 24h"), nothing else.
Edit: I just checked because the screen design felt weird compared to the rest of the settings, it's controlled by Google: com.google.android.permissioncontroller (and it hides Google permission usage by default...)
Does it at least show Google’s apps? When I check the App Privacy Report on iOS I see the built in Mail, Messages, Safari and others.
As well as seeing iCloud at the top of my “most contacted domains”.
But under app network activity I don’t see system level processes (at least I don’t think I do). Unless it still falls under an app… like iCloud domain lists safari and find my for the related apps.
Honestly I just want an audit log. I’m glad both are putting steps in catch bad apps but it’s missing the data to really see if it’s misbehaving.
Yes it shows Google apps. On my phone it lets you switch between last 24 hours and last 7 days. And lets you toggle whether or not system apps are included.
Yeah, something like Little Snitch but for any access to "sensitive" areas of a phone (location, contacts, camera, microphone, photos) in addition to network access would be cool.
What we really need is finer-grained permissions like “let the OS pick a photo and hand it to the app” and “let the OS pick a contact and hand it to the app” and then require that most apps use that instead of overly-broad permissions that will be abused.
I am so sad that I live in a society which needs such regulations. This change sounds like something good, but the ability of the vendor to do all kinds of things with a device makes me a smartphoneless person.
Almost all regulations are written as a result of some entities' abuse. That's why it's always so baffling to me how libertarians exist. Like the entire world view requires the holder to not understand history.
Didn't google flat out ban pay-day loan businesses from buying ads on Google search? Why would they even let them in the app store.
The top three Google hits for:
pay day loan mountain view
are labeled “sponsored” and look sketchy to me.
Strange considering: https://www.npr.org/sections/thetwo-way/2016/05/11/477633475...
>> pay day loan mountain view
This might be the first time anyone has ever Googled that.
Recently wanted to know what day a particular date was, so on Samsung, I opened the first calendar app I could find. On opening it asked for location, I denied its request and the application shut down. WTF. I understand why a calendar might want location, but it did not need it to be used as a calendar. Such crap....
Wow, those are an entirely new category of dark patterns. Sending manipulated photos of relatives to get someone to pay a debt. Incredible. All those Meta employees that were lamenting the damage caused by their work at a social media company can rest easy when they tell themselves that at least they aren't working for a Kenyan scammy loan app.
There’s currently a lot of pressure for Apple to allow alternative app stores or sideloading.
That means more choice, but can also weaken the protections for users. Alternative stores will likely have more loose policies for what apps/behavior they accept.
Maybe I'm just being a smooth brain, but wouldn't that mean I can't deposit a cheque by taking a picture of it anymore?
Not sure. You might still be able to access the camera, just not all of the photos on the device.
“Apple is evil bro, we need to remove any sort of restrictions on what apps can do”
So I take they also prevented Google Wallet from accessing that data?
Why was that ever allowed in the first place?!
This is a cool feature, good job Google.
Do we really need apps? Usually when I want to use one, I've got to update it first. Better to just use websites.
Apps do not require updating to launch and they auto-update in the background. If an app is forcing you to manually upgrade, either they have poor backwards support or your computer for some reason isn't downloading the updates.
What if I don’t want it automatically downloading updates?
Then you are opting into a worse UX. You shouldn't be surprised that opting into a worse UX results in experiencing a worse UX, like having to be nagged about updating instead of letting your system handle everything for you.
I'd argue the worse UX is letting apps change their UX on a whim without my input, i.e. auto-updates.
Except for Google Pay.