
On Mon, Jul 08, 2013 at 09:28:16PM +1000, Jason White wrote:
> Robin Humble <rjh+luv@cita.utoronto.ca> wrote:
> > CyanogenMod folks thought that spoofing a lot and crashing many apps and causing a big app support load risked CM as a whole being blacklisted by app developers. E.g. enough apps written as `if (CM) exit(1); // too hard to support these tin foil hatters` would defeat the whole purpose. I guess it's a fine line to walk when a ROM has millions of users - it's large enough to get in trouble.
>
> My problem is with the original security model which lets app developers assume that they don't have to handle "permission denied" conditions appropriately if they declare all of the permissions they want in advance.
>
> It would be better to set up an expectation from the outset that certain API calls can result in denials of permission and you had better handle them gracefully if you're an app writer. As I understand it from this discussion, the current approach is to ask the user to grant all permissions that might be needed during installation, and then the app author can simply assume throughout the code that security restrictions won't stand in the way of the actual operations.
I don't know why Google did it that way, but I suspect this was a compromise they decided upon to make app development a LOT easier. After all, how many of us write code that checks the return value of close()? How about checking and re-trying short read() and write() calls? The point (perhaps badly made) being that code that handles lots of errors and/or tries to limp along with partial functionality (in all their tens or hundreds of permutations) is 100x harder to write than code that simply tests all its assumptions at the start and refuses to install if they aren't met.

Google was likely desperate for apps at the beginning. Their app store had nothing in it. Even now I'm not sure it was the wrong decision to make...

Apps asking for too many permissions and then abusing them is the real problem. I don't think it's the permissions model itself. If Facebook had open protocols then someone else could write a Facebook app that didn't steal your phone number even before you'd logged in. Perhaps fighting for open protocols is the real solution.

cheers,
robin
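As an added illustration of the two styles the thread contrasts (not code from either poster), here is an Android snippet that reads the device phone number, the same data the Facebook example above mentions. The first method is the install-time style: the manifest declared READ_PHONE_STATE, so the code assumes the call will succeed and crashes if a ROM withholds the permission. The second checks first and still handles the denial at the call site, so the app limps along without the number instead of dying. The class name `PhoneNumberReader` is an assumption; `TelephonyManager.getLine1Number()`, `Context.checkCallingOrSelfPermission()` and the `SecurityException` the framework throws on denial are real Android APIs.

```java
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageManager;
import android.telephony.TelephonyManager;
import android.util.Log;

// Added example, not from the thread. Hypothetical class name; the Android
// calls it uses (TelephonyManager, checkCallingOrSelfPermission) are real.
public final class PhoneNumberReader {
    private static final String TAG = "PhoneNumberReader";

    // Install-time style: READ_PHONE_STATE is in the manifest, so the code
    // assumes the call succeeds. If the permission is missing or withheld by
    // the ROM, the framework throws SecurityException and the app crashes.
    public static String readAssumingGranted(Context ctx) {
        TelephonyManager tm =
                (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        return tm.getLine1Number();
    }

    // Deny-tolerant style: check first, and still catch SecurityException,
    // because the check and the call are not atomic and a ROM may deny the
    // permission regardless of what the manifest says. A null result means
    // "not available"; the caller degrades (e.g. asks the user for the number).
    public static String readHandlingDenial(Context ctx) {
        int state = ctx.checkCallingOrSelfPermission(Manifest.permission.READ_PHONE_STATE);
        if (state != PackageManager.PERMISSION_GRANTED) {
            Log.i(TAG, "READ_PHONE_STATE not granted; continuing without the number");
            return null;
        }
        try {
            TelephonyManager tm =
                    (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
            String number = tm.getLine1Number();
            // getLine1Number() may legitimately return null or "" on some SIMs,
            // so treat that the same way as a denial: the feature is unavailable.
            return (number == null || number.isEmpty()) ? null : number;
        } catch (SecurityException e) {
            // Permission was revoked or blocked between the check and the call.
            Log.i(TAG, "phone number read denied: " + e.getMessage());
            return null;
        }
    }
}
```

The point of the second method is that "permission denied" becomes an ordinary return value the rest of the app is written to expect, which is exactly the expectation Jason argues should have been set from the outset; the cost is that every caller now needs a code path for the number being absent.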