Or as another example, the low-level permission for starting at boot is completely meaningless. It only controls being able to listen for the boot completed broadcast and register persistent jobs. You can listen for locked boot completed instead or start countless other ways.
Conversation
There's a working background restriction toggle which disables all the ways an app can start itself without another app in the same profile starting it, such as FCM via Play services. Could go through every single low-level permissions this way. They should not be user-facing.
1
3
The ONLY low-level permission that would make sense as a user facing one with the current status of them is the INTERNET permission, and it's important to note that many apps allow other apps to access the network through them to an extent, including every single browser app.
1
4
There's more work to do beyond just exposing INTERNET as a user-facing permission with a toggle and compatibility support for existing apps as we do in GrapheneOS with the Network toggle. It is not adopted / enforced in a lot of the app ecosystem. We're working on that ourselves.
1
4
Listing runtime permissions misleads users into thinking they are granted at install time and punishes apps which make them optional and get as much working as possible without them. For example, GrapheneOS Camera only requests Location if you explicitly enable geotagging.
1
5
It only requires Microphone access if you start recording in video mode without disabling Include audio. The only permission it requires to function at all and requests on launch is Camera. Android stopped listing them at install time once they stopped being granted then.
1
3
Play Store continued listing them at install time for a long time. It still hasn't been updated to stop listing them at install time for legacy apps despite the fact that on first launch on modern Android, there's a permission review screen for legacy < API 23 (Android 6) apps.
1
2
Listing the low-level ones is more harmful since it misleads users in 2 different directions: they wrongly think apps can't do what those permission descriptions say without the low-level permissions (like start at boot) or they'll think the app can do it without runtime consent.
1
3
API level would make sense to show at install time in an abstracted way, unlike the low-level permissions, since it impacts how the privacy model works. They could also extend the permissions review screen for API < 23 to certain new special access toggles, among other changes.
2
4
You make a lot of good points, especially in regards to the caveats re: permissions like QUERY_ALL_PACKAGES and RECEIVE_BOOT_COMPLETED. But does the answer need to be less transparency and not more? Why not also link the user to a support page or doc explaining everything?
1
4
It's not really transparency, since it's not how the permission model works. Permissions are handled at runtime based on what the user has granted or revoked. Anything that doesn't have a toggle is not part of the actual permission system implementing any real privacy properties.
One day they'll get QUERY_ALL_PACKAGES and related changes to the point that there can be a real privacy feature made out of it which could be user facing, but that's pretty far away without a clear path to it.
There's already a background restriction toggle for all that stuff.
1
3
Just worth noting that other apps can still start a background restricted app. It just can't start itself because broadcasts, jobs, alarms, etc. are delayed until the next time it's launched by another app including user launching it via a launcher (which isn't a special case).
1
3
Show replies