Android Applications

By | 2010-10-01

PayPal released an Android app.

“Great”, thinks I, “I’ll install that”. Here is the list of permissions that the PayPal app “requires”:

  • Your location, coarse and fine
  • Full internet access
  • Add or modify calendar events, send email to guests, read calendar events
  • Read contact data
  • Send Linux signals to applications
  • Read phone state and identity

You have got to be kidding me. There is no way I’m giving an app that kind of access. I can accept that internet access is necessary; I can see that accessing my contacts would be useful for making payments to them (only just though); but it does not need calendar access, it does not need to know my phone’s identity and why in the name of all that is holy does a PayPal application need the ability to send low-level operating system signals to other applications? That one is even listed as a “development” permission. No way. PayPal need two things: my PayPal account name and password. They do not need to know where I am, or my phone number.

App vendors had better start getting the idea that they can’t just arbitrarily grant themselves enormous access to my personal details because they happen to be stored on the same phone. The only way that vendors will learn this is if we all start vetoing apps that ask too much. App reviewers should be noting these things in their reviews — are the permissions an app wants justified? What feature of an app uses each of those permissions?

Ideally Android would have a firewall-like facility for permissions so that I can install an app that wants all these permissions, but not actually grant them. Then, when the app calls the “I’d like to know your IMEI number” system call, it just gets “0000–0000–0000–0000” back instead, i.e. no error, just not the real data. “Read contacts” would return “0 contacts found”. Until then, reviewers should do their duty and publicly shame these overly invasive applications.

Until then, Android owners should outright reject the installation of any application that has unjustified permissions.
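The check argued for above ("what feature of an app uses each of those permissions?") can be done mechanically. The following is an added example, not part of the original post and not PayPal's code: it assumes the manifest has already been decoded to text XML, the sample manifest and package name are constructed to mirror the permission list quoted earlier, and the justification table is the reviewer's own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed sample: a decoded AndroidManifest.xml requesting the permissions
# listed in the post (hypothetical package name).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payments">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SIGNAL_PERSISTENT_PROCESSES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Reviewer's assumption: each permission the app may hold, with the feature
# that justifies it. Anything not listed here counts as unjustified.
JUSTIFIED = {
    P + "INTERNET": "talk to the payment service",
    P + "READ_CONTACTS": "pick a payee from the address book",
}

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return sorted({n for n in names if n})

def audit(manifest_xml, justified):
    """Split requested permissions into justified and unjustified."""
    report = {"justified": {}, "unjustified": []}
    for perm in requested_permissions(manifest_xml):
        if perm in justified:
            report["justified"][perm] = justified[perm]
        else:
            report["unjustified"].append(perm)
    return report

def verdict(report):
    """Reject the install if any requested permission lacks a justification."""
    return "reject" if report["unjustified"] else "install"

if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, JUSTIFIED)
    for perm in result["unjustified"]:
        print("UNJUSTIFIED", perm)
    print("verdict:", verdict(result))
```
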

Update: Colour me not in the least surprised
