Yesterday, we published a blog post lauding an extremely important app privacy feature that was added in Android 4.3. That feature allows users to install apps while preventing the app from collecting sensitive data like the user's location or address book.
After we published the post, several people contacted us to say that the feature had actually been removed in Android 4.4.2, which was released earlier this week. Today, we installed that update to our test device, and can confirm that the App Ops privacy feature that we were excited about yesterday is in fact now gone.
When asked for comment, Google told us that the feature had only ever been released by accident — that it was experimental, and that it could break some of the apps policed by it. We are suspicious of this explanation, and do not think that it in any way justifies removing the feature rather than improving it. Many instances of apps "breaking" when they are denied the ability to collect data like a location, an address book or an IMEI number can easily be fixed by, for instance, giving them back a fake location, an empty address book, or an IMEI number of all zeroes. Alternatively, Google could document for developers that these API calls may fail for privacy reasons. A good hybrid would be to use fake data for old versions of the Android API and cleanly defined Java exceptions in the next API level. As with many other changes that occur across Android devices and Android versions, some app developers might have to do minor updates to keep up.
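To make the "minor updates" concrete, here is an added example (written for this page, not code from Google, the Android project or the original post) of how an app can read location, contacts and the device ID so that it keeps working under either of the two policies described above: a platform that hands back fake or empty data, or one that refuses the call with a `SecurityException`. The helper class name `PrivacyTolerantReads` and the zero-IMEI sentinel are assumptions; the Android APIs used (`LocationManager.getLastKnownLocation`, `ContentResolver.query` on `ContactsContract`, `TelephonyManager.getDeviceId`) are the real ones on the platform versions this post discusses.

```java
import android.content.Context;
import android.database.Cursor;
import android.location.Location;
import android.location.LocationManager;
import android.provider.ContactsContract;
import android.telephony.TelephonyManager;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical helper (not part of any real app or of Android) showing how an
 * app can read sensitive data without crashing when the platform withholds it,
 * whether by returning fake/empty data or by throwing SecurityException.
 */
public final class PrivacyTolerantReads {

    // Constructed sentinel: an all-zero IMEI is treated as "no identifier available".
    private static final String ZERO_IMEI = "000000000000000";

    private PrivacyTolerantReads() {}

    /** Returns the last known coarse location, or null if none is available or access is denied. */
    public static Location lastLocationOrNull(Context ctx) {
        LocationManager lm = (LocationManager) ctx.getSystemService(Context.LOCATION_SERVICE);
        if (lm == null) {
            return null;
        }
        try {
            // May legitimately return null (no fix yet); a denial is treated the same way.
            return lm.getLastKnownLocation(LocationManager.NETWORK_PROVIDER);
        } catch (SecurityException denied) {
            return null;
        }
    }

    /** Returns contact display names; an empty list when the address book is empty or access is denied. */
    public static List<String> contactNames(Context ctx) {
        List<String> names = new ArrayList<>();
        Cursor cursor = null;
        try {
            cursor = ctx.getContentResolver().query(
                    ContactsContract.Contacts.CONTENT_URI,
                    new String[] { ContactsContract.Contacts.DISPLAY_NAME },
                    null, null, null);
            if (cursor == null) {
                // Some providers signal "nothing for you" with a null cursor rather than an exception.
                return Collections.emptyList();
            }
            int col = cursor.getColumnIndexOrThrow(ContactsContract.Contacts.DISPLAY_NAME);
            while (cursor.moveToNext()) {
                names.add(cursor.getString(col));
            }
        } catch (SecurityException denied) {
            // Denied: behave exactly as if the address book were empty.
            names.clear();
        } finally {
            if (cursor != null) {
                cursor.close();
            }
        }
        return names;
    }

    /**
     * Returns the device identifier, or null when it is unavailable, denied, or a
     * stand-in value such as an all-zero IMEI. Callers must already cope with null
     * here, because devices without telephony hardware return null anyway.
     */
    public static String deviceIdOrNull(Context ctx) {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        if (tm == null) {
            return null;
        }
        String id;
        try {
            id = tm.getDeviceId();
        } catch (SecurityException denied) {
            return null;
        }
        if (id == null || id.isEmpty() || ZERO_IMEI.equals(id)) {
            return null;
        }
        return id;
    }
}
```

The pattern is the same for all three reads: every code path that the platform can already take today (null location, empty cursor, null device ID on Wi-Fi-only tablets) is treated identically to a privacy denial, so an app written this way needs no further change regardless of which of the two policies above Google adopts.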
The disappearance of App Ops is alarming news for Android users. The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people's data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago.
A moment ago, it looked as though Google cared about this massive privacy problem. Now we have our doubts. The only way to dispel them, frankly, is for Google to urgently reenable the App Ops interface, as well as adding some polish and completing the fundamental pieces that it is missing:
- Android users should be able to disable all collection of trackable identifiers by an app with a single switch, including data like phone numbers, IMEIs, and information about the user's accounts.
- There should be a way to disable an app's network access entirely. It is clear that a large fraction of apps (including flashlights, wallpapers, UI skins, many games) simply don't need network access and, as we saw last week, are prone to abuse it.
- The App Ops interface needs to be smoothed out and properly integrated into the main OS user interface, including the Settings->Apps menus and the Play Store. There are numerous ways to make App Ops work for developers. Pick one, and deploy it.
In the meantime, we're not sure what to say to Android users. If app privacy is especially important to you — if, for instance, you want to be able to install an app like Shazam or Skype or Brightest Flashlight without giving it permission to know your location — we would have to advise you not to accept the update to 4.4.2. But this is also a catastrophic situation, because the update to Android 4.4.2 contains fixes to security and denial-of-service bugs. So, for the time being, users will need to choose between either privacy or security on their Android devices, but not both.
Google, the right thing to do here is obvious.