The pro is that the list of permissions might be confusing/seem scary to the average user. This is mainly due to the way that Google Play displayed permissions - their titles/descriptions were not very helpful in explaining what each actually allows for.
Conversation
This could be solved by providing better explanations to users about what each permission actually allows for, and when that permission is granted (install versus runtime).
1
3
43
For privacy-conscious users, you can still inspect the list of permissions an app needs *before* installing it by using the Aurora Store, a FOSS Google Play client, since Google Play is still storing that info. Alternatively, you'd have to inspect the app's Manifest...
3
2
47
Replying to
Or even after installing inside App Permissions > All permissions, since the app is restricted to automatically launch anyways.
1
1
It's problematic that they expose those directly. They either require user consent on a case-by-case or one-time basis despite not being runtime permissions or they have no real privacy model. Low-level permissions exist for static analysis of what apps can request at runtime.
1
5
7
For example, request install packages allows the user to allow it as an app source and then approve app installations on a case-by-case update. Only thing that can be done without case-by-case consent is updating an app again after the user authorized an install initial/update.
1
2
Another example is that QUERY_ALL_PACKAGES has no actual privacy model at this point. It would mislead users into thinking that apps without it can't query all the user installed apps when they can if they list queries for common intents like the one used for launcher activities.
1
1
3
Or as another example, the low-level permission for starting at boot is completely meaningless. It only controls being able to listen for the boot completed broadcast and register persistent jobs. You can listen for locked boot completed instead or start countless other ways.
1
2
There's a working background restriction toggle which disables all the ways an app can start itself without another app in the same profile starting it, such as FCM via Play services. Could go through every single low-level permissions this way. They should not be user-facing.
1
3
The ONLY low-level permission that would make sense as a user facing one with the current status of them is the INTERNET permission, and it's important to note that many apps allow other apps to access the network through them to an extent, including every single browser app.
1
4
There's more work to do beyond just exposing INTERNET as a user-facing permission with a toggle and compatibility support for existing apps as we do in GrapheneOS with the Network toggle. It is not adopted / enforced in a lot of the app ecosystem. We're working on that ourselves.
Listing runtime permissions misleads users into thinking they are granted at install time and punishes apps which make them optional and get as much working as possible without them. For example, GrapheneOS Camera only requests Location if you explicitly enable geotagging.
1
5
It only requires Microphone access if you start recording in video mode without disabling Include audio. The only permission it requires to function at all and requests on launch is Camera. Android stopped listing them at install time once they stopped being granted then.
1
3
Show replies