Why are android permission so broad?

Question

I was reading a review for a game on the play store where someone gave a bad review saying that the game looked cool but it required access to photos, media and such which encouraged the user to uninstall rapidly. The developers replied to this person saying that they valued users privacy and what not but they didn't have a choice because they needed that to actually save the progress. This totally makes sense that they would require access to internal or external memory to save.



I was reading that some games also require access to phone call so that they could pause the game when you get a call which also makes sense. But the displayed message for the user is that the app will have access to your calls, can make calls (which could cost you money) which is a red flag for some users.



I'm guessing that most games don't use permission in a malicious way but to prevent any why aren't permissions more restrictives/specific ? I'm assuming that the vast majority of games use file permission just to save and nothing else, why not make a save permission ? I also assume that having more restrictive permission might increase the number of required permission for some game which could potentially be annoying for the majority of user.


Tapaka | Sources

Answer

As an Android developer, this is an especially frustrating aspect about delivering apps into mass market.



The wording on permission models have caused great grief, as you have pointed out, but it has gotten better. In fact, prior to Android 5.1.1 (API 22) apps were required to request all of their permissions up-front, at install time.



Now, permissions are generally requested when they are needed - i.e., when a protected API is accessed at runtime - allowing developers in-app time to explain their intentions.



If the developer of an application were respecting the spirit of permissions enough, their applications would, ideally, still function without being granted a particular permissions.



Obviously, if you deny a photo app access to, say, the Pictures directory, the app experience might not be stellar. However, an app should still continue to function - that is, without crashing - regardless of granted permissions.



Also, as others have pointed out in the comments, developers and publishers are encouraged to provide meaningful insight into why their app needs the permissions it is requesting.



Now, focusing on your main concern:




. . .why aren't permissions more restrictives/specific ?




They are becoming more restrictive/specific. For example, Google has introduced Scoped Directory Access.




Apps such as photo apps usually just need access to specific
directories in external storage, such as the Pictures directory.
Existing approaches to accessing external storage aren't designed to
easily provide targeted directory access for these types of apps. For
example:




  • Requesting READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE in your
    manifest allows access to all public directories on external storage,
    which might be more access than what your app needs.




Note the bullet point - relating to the game you mention, the developers could leverage scoped directory access models to fine-tune their permission requests. That, in tandem with clear and concise permission explanations, would strengthen trust for app's users.



Why haven't they, as well as many other apps out there, already utilized this feature? Well, the scoped directory APIs become available in Android 7.0 - meaning only devices running Android 7.0+ can actually use it. It is often simply a matter of prioritization for developers on whether or not to implement different behavior on different devices. Personally, I believe in doing what's best for the platform, but I digress. Feel free to reach out to the app's support channels requesting changes or deeper explanations for their permission requests.


CzarMatt | Sources

Q & A

What is the use case for the Google Wi-Fi Assistant?
Do cache cleaner (or "phone booster") apps actually work?
how to make swipe elite plus volte phone
How to tell what architecture an APK is intended for?
Sign in to Chromium on Android not working
Accessibility into android7 there are news?
Yu Yuphoria bricked after installing custom recovery and boot file
Where does LineageOs store update files?
Unable to boot into recovery after flashing TWRP
What can I do to make only the active app use Internet?
What is this usb property
What is this status bar icon for
Recently Used Apps crashing in portrait mode
Any downsides to disabling the gmail app?
How can I find the last Synced location for my phone (which is now dead/off)?
Hidden alarm at everyday 12AM
Calibrating/Correctly draining an Extended Battery
How do I disable audio pause in Android 5.0 when receiving notifications?
Auto-sync is turning itself on randomly
Restoring backups from SD

Topics

2D Engines   3D Engines   9-Patch   Action Bars   Activities   ADB   Advertisements   Analytics   Animations   ANR   AOP   API   APK   APT   Architecture   Audio   Autocomplete   Background Processing   Backward Compatibility   Badges   Bar Codes   Benchmarking   Bitmaps   Bluetooth   Blur Effects   Bread Crumbs   BRMS   Browser Extensions   Build Systems   Bundles   Buttons   Caching   Camera   Canvas   Cards   Carousels   Changelog   Checkboxes   Cloud Storages   Color Analysis   Color Pickers   Colors   Comet/Push   Compass Sensors   Conferences   Content Providers   Continuous Integration   Crash Reports   Credit Cards   Credits   CSV   Curl/Flip   Data Binding   Data Generators   Data Structures   Database   Database Browsers   Date &   Debugging   Decompilers   Deep Links   Dependency Injections   Design   Design Patterns   Dex   Dialogs   Distributed Computing   Distribution Platforms   Download Managers   Drawables   Emoji   Emulators   EPUB   Equalizers &   Event Buses   Exception Handling   Face Recognition   Feedback &   File System   File/Directory   Fingerprint   Floating Action   Fonts   Forms   Fragments   FRP   FSM   Functional Programming   Gamepads   Games   Geocaching   Gestures   GIF   Glow Pad   Gradle Plugins   Graphics   Grid Views   Highlighting   HTML   HTTP Mocking   Icons   IDE   IDE Plugins   Image Croppers   Image Loaders   Image Pickers   Image Processing   Image Views   Instrumentation   Intents   Job Schedulers   JSON   Keyboard   Kotlin   Layouts   Library Demos   List View   List Views   Localization   Location   Lock Patterns   Logcat   Logging   Mails   Maps   Markdown   Mathematics   Maven Plugins   MBaaS   Media   Menus   Messaging   MIME   Mobile Web   Native Image   Navigation   NDK   Networking   NFC   NoSQL   Number Pickers   OAuth   Object Mocking   OCR Engines   OpenGL   ORM   Other Pickers   Parallax List   Parcelables   Particle Systems   Password Inputs   PDF   Permissions   Physics Engines   Platforms   Plugin Frameworks   Preferences   Progress Indicators   ProGuard   Properties   Protocol Buffer   Pull To   Purchases   Push/Pull   QR Codes   Quick Return   Radio Buttons   Range Bars   Ratings   Recycler Views   Resources   REST   Ripple Effects   RSS   Screenshots   Scripting   Scroll Views   SDK   Search Inputs   Security   Sensors   Services   Showcase Views   Signatures   Sliding Panels   Snackbars   SOAP   Social Networks   Spannable   Spinners   Splash Screens   SSH   Static Analysis   Status Bars   Styling   SVG   System   Tags   Task Managers   TDD &   Template Engines   Testing   Testing Tools   Text Formatting   Text Views   Text Watchers   Text-to   Toasts   Toolkits For   Tools   Tooltips   Trainings   TV   Twitter   Updaters   USB   User Stories   Utils   Validation   Video   View Adapters   View Pagers   Views   Watch Face   Wearable Data   Wearables   Weather   Web Tools   Web Views   WebRTC   WebSockets   Wheel Widgets   Wi-Fi   Widgets   Windows   Wizards   XML   XMPP   YAML   ZIP Codes