Tell HN: Google does not list application permissions in the Play Store any more

My biggest pet peeve is optional runtime permissions that are not optional.

I have a CO2 monitor that you read through an android app. It cost like $250. If you don't give it geolocation permission, it just says "this app needs geolocation permission" and shows you a button to go to your settings to enable it. Any time you disable geolocation, you get that message and button again.

I have yet to find any geolocation functionality in the app.

EDIT: Please see epukaza's comment below. There is a legitimate reason for this permission, which his comment explains.

> E.g. I like to know that [apk X] has no internet

As far as I know (please correct if this is wrong), there's no such thing as an app with no Internet permissions. All apps can access the Internet without permission, and only additional uses of the Internet (e.g. seeing your WiFi AP name) require special permission.

AFAIK the "Internet" permission many apps requested was actually for this more advanced usage - just to hit a REST endpoint or something required no permission at all.

You are right, but that doesn't seem like a good excuse to remove that information from the Play Store completely. It would be trivial for the Android APIs to require that all permissions requested programmatically are also present in the manifest. This would continue to give user's a picture of what the app could/would request.

They could just change their play store listing from "Required permissions" to "Permissions this app can request". This is similar to the "nutrition label" approach that the Apple App Store has.

> That seems OK since it still asks you as it needs them when running an app, and "prunes" permissions away from apps that you do not use often.

No no no no no, this is a total catastrophe. I can't understand how it got implemented at all.

I just missed a birthday notification from my calendar app because Android "helpfully" removed the app's ability to create notifications! After all, I hadn't opened the calendar app in more than six months!

Infuriatingly, I caught the original message telling me "hey, we just noticed that your calendar shouldn't be allowed to send you reminders" and I tried to restore the permission, but that doesn't seem to have worked.

Whoever designed and implemented this "feature" shouldn't be trusted to put on pants.

This clearly isn't OK. I want to choose between an app that asks for what it needs to work and an app that ask everything it can, before installing it. It's a dark pattern.

I'd prefer to avoid even downloading apps if they ask for permissions that aren't necessary. To hide that just makes me never want to use the play story anymore.

Why is this okay?

I wouldn’t download, e.g.; a video game that would ask for my contacts or location.

Why should I have to download and wait for the app to install before I know what permissions it’s asking for?

Furthermore - what’s the possible purpose of removing this information when it was already there?

One of the permissions I'm really reluctant to grant is "run at startup". As far as I know, that's granted at install time, not prompted for, and there's no way to disallow it. Is there now going to be no way to know if I'm granting that or not?

What about standard permissions? The user is never prompted for them.

I am very much fed up and ready to get on board with you but one thing that holds me back is photo quality.

Nowadays camera sensors are only half the story and most of the iphone-like photo quality is achieved in software.

Have we reached a point where non-OEM apps can deliver something comparable to the market expectations from big manufacturers?

I am ok with narrow combinations e.g. if you use app X on Hardware Y you have amazing photo results.

Is there something along those lines that anyone can recommend?

Or GrapheneOS with sandboxed Play Store.

Enough people need to adopt them, for it to truly be effective. At which point they just become the new Google.

Given that modern apps are dozens or hundreds of megabytes, on a slow connection I'd really like to avoid having to download the app just to learn it requires permissions it doesn't need.

I hate installing and uninstalling apps. And overly permissive apps are a good sign they're not my friend in the first place.

The iPhone has worked like that (to various degrees) for a long time. But Apple still added their privacy label things to tell me if an app is going to try to track my location.

I don’t want to download a clipboard helper of some kind and find out it’s going to ask for my GPS coordinates.

I want to know ahead of time.

So now I have to install an App to discover it wants access to things I don't feel comfortable giving it access to, uninstall it, and then go into my profile and disassociate the app from my Account?

That sounds so much easier than just listing the possible permissions it might ask for on the Store Page before I install it.

Afwall+ is your friend. No app should ever get internet access unless it's needed for it to work.

I've been running netguard for this reason, yeah. Many have no need for internet access.

As a bonus, the DNS-based adblocking works extremely well. Not perfect, but dramatically better than nothing at all.

Because a lot of these apps claim such and such permission is required and won't run until you grant the permission

Yes. I check permissions on every app before I install it. Or, at least I did until that was recently taken away.

There are some permissions given to apps without a user prompt, e.g. start at boot. If there are five similar apps with similar functionality and ratings, I'll typically choose the one asking for the least permissions. And if I notice an app looking for excessive permissions (e.g. location) with no good reason why (e.g. a terminal app), that'll give me a clue that there's a ton of data being collected.

Once upon a time, a giant percentage of a device's user base was tech-savvy early adopters. But with billions of devices having been sold, 99%+ of Android users have very little interest in details like permissions.

But when these details are taken away... when I can't see permissions, when apps I use lose features because of new, restrictive Play Store policies, and when Android continues down this road of "privacy" without insight into exactly what my phone is doing... well, if I wanted this, I'd have chosen an Apple device.

I always read the permissions and have decided not to install applications several times because of it. I'm very likely an outlier but I'm still curious about the reasoning behind this change.

If I open up a basic text note app and I see basically every single permission listed, I get an idea of the mentality involved in the creation of the app. I specifically prioritize apps that ask for fewer permissions.

I recall in several write-up about potentially harmful apps that, apart from the review, another helpful method is to check the permission and see if it's necessary for the main function of the app. Having the list of permissions before installing is helpful in determining whether it requires more permission than necessary to function.

I always look at the permissions for apps I use.

Most Android app permissions are granted at runtime as of Android 6 which was released in 2015.

AKA XPrivacyLua

"Similar" is subjective, but there were a lot of permissions that definitely aren't listed there.

> there’s so much Google can’t control that it’s dumb to blame them here

I think it's pretty clear that the Google Play Store is something that only Google can control.

F-Droid is what you're asking for https://f-droid.org/en/packages/

I heard a phrase a while back: “the subtle gaslighting of A/B testing” - that feeling that you’re pretty sure that button used to be over there, or the app used to have that function, but not entirely sure, because one day it’s just Different, no release or upgrade or reinstall, just - it’s not the same anymore - or, is it?

The lack of valuing their customers is what made me finally give up on Android. Android's biggest problem is the same as it was 5 years ago - the support doesn't last for long enough - and all they've done about it in that time is some half-hearted upstreaming of <1% of their kernel patches (project icebreaker) as yet-another skunkworks alternative to an existing project. The attitude seems to be that they assume Android will always have its market share and the users are captive. So just chug along in mediocrity and let the e-waste pile up.

It's funny how smart yet dumb A/B testing is. On one hand you can intelligently gauge the effect of changes, on the other hand you can push stupid shit since you have that power.

How about intelligently designing applications that you yourself want to use? Too hard.

> one day that gives you a totally new UI in an app you use every day, hiding things or removing features you rely on. Then maybe in another few days it'll be back to how it was.

We are approaching the age of Schrodinger's Apps.

The alternative is iOS, a more consistent UI/UX, but you lose out on projects like F-Droid, where you can bypass Google HQ nonsense.

Just don't use proprietary applications (or don't expect them to serve you).

  > I would prefer app stores be similar to health warnings on cigarette packets, because predatory data collection and billing practices are so entrenched.

yes, exactly

but on the other hand (and just a guess) but likely "conversion rates" were lower with the labels.... so off they go

I know one long-running complaint about Android's permission system was that when you installed an app you were shown all of the permissions that are declared in the manifest, without any way for the developer to explain why they are used or when they would be applicable.

Permissions like READ_PHONE_STATE make it sound like the app wants to access every phone call you make, when all it really wants to do is pause your music when you answer a phone call.

The combination of runtime permissions for most things, and the de-emphasis of permissions in the Play Store has reduced this as a pain point.

It's also easier to introduce optional features - using things like contacts, location, or Bluetooth if the user wants to give permission at runtime.

If you have to rely on people like Tim Cook ( who is anything but a regular person and could literally afford to have a hand crafted phone and OS build for himself) to convince your government of something for your benefit, something is wrong.

And btw, a huge amount of Apple's "privacy" schtick is pure marketing combined with gatekeeping. Oh no, we couldn't allow users to have the choice where to install an app from, or how to pay for it, because privacy and not because we like our tax.

Privacy is marketing strategy they chose to differentiate themselves from their competitors who have business models that heavily rely on advertising and surveillance. It's a good thing for consumers that they are interested in it, but cynically, I don't think that interest is because they think its "important" on an ethical level.

The iOS App Store doesn't list permissions requested by each app either.

Yet most likely, privacy¹ will succeed in convincing our governments² that Tim Musk³ is iMportant™. ;-)

___

¹ The topic, not the actual thing.

² Present & future.

³ Not a typo; an allegory.